Analysis Report Scan20200623153138 HSBC Bank swift ,pdf.exe

Overview

General Information

Sample Name: Scan20200623153138 HSBC Bank swift ,pdf.exe
MD5: 31c8904ca6c1785bee7383340065297a
SHA1: b48911ebdb9eaf5037c03acf223be6c3d6b55dd9
SHA256: d3021d0d900bc1384f788e16f01e093775a5a3bf9a09e0c14dfe5c2512dde2d4

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Contains functionality to register a low level keyboard hook
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Scan20200623153138 HSBC Bank swift ,pdf.exe (PID: 5524 cmdline: 'C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe' MD5: 31C8904CA6C1785BEE7383340065297A)
    • schtasks.exe (PID: 5628 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "ZbnyGg4w", "URL: ": "https://p0GDh8EEsGdZWgZD.org", "To: ": "", "ByHost: ": "mail.macrosyselectronics.in:5878", "Password: ": "qnGJIABB", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.1106948598.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.443473988.0000000003CA3000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.443913160.0000000003DC8000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.Scan20200623153138 HSBC Bank swift ,pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

              Sigma Overview


              System Summary:

              Sigma detected: Scheduled temp file as task from temp location
              Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe' , ParentImage: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe, ParentProcessId: 5524, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp', ProcessId: 5628

              Signature Overview

              AV Detection:

              Found malware configuration
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe.5676.4.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "ZbnyGg4w", "URL: ": "https://p0GDh8EEsGdZWgZD.org", "To: ": "", "ByHost: ": "mail.macrosyselectronics.in:5878", "Password: ": "qnGJIABB", "From: ": ""}
              Multi AV Scanner detection for dropped file
              Source: C:\Users\user\AppData\Roaming\NepvtZyh.exe | Virustotal: Detection: 31%
              Source: C:\Users\user\AppData\Roaming\NepvtZyh.exe | ReversingLabs: Detection: 70%
              Multi AV Scanner detection for submitted file
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Virustotal: Detection: 31%
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | ReversingLabs: Detection: 70%
              Machine Learning detection for dropped file
              Source: C:\Users\user\AppData\Roaming\NepvtZyh.exe | Joe Sandbox ML: detected
              Machine Learning detection for sample
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Joe Sandbox ML: detected
              Source: 4.2.Scan20200623153138 HSBC Bank swift ,pdf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

              Source: global traffic | TCP traffic: 192.168.2.7:49717 -> 166.62.25.253:587
              Source: unknown | DNS traffic detected: queries for: mail.macrosyselectronics.in
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp | String found in binary or memory: http://mail.macrosyselectronics.in
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.440085034.0000000002B10000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109825364.0000000002DC0000.00000004.00000001.sdmp, Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000003.581619663.0000000000F64000.00000004.00000001.sdmp | String found in binary or memory: https://p0GDh8EEsGdZWgZD.org

              Key, Mouse, Clipboard, Microphone and Screen Capturing:

              Contains functionality to register a low level keyboard hook
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Code function: 4_2_063E4E5C SetWindowsHookExW 0000000D,00000000,?,? 4_2_063E4E5C
              Installs a global keyboard hook
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Window created: window name: CLIPBRDWNDCLASS

              System Summary:

              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: NepvtZyh.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.443473988.0000000003CA3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepeview.exe> vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000000.417382688.0000000000632000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAndroidCar.dll6 vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.440085034.0000000002B10000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamehQRlZqZubAOentauwsauZPuvEAzDYpjkv.exe4 vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.447958073.0000000006500000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.447958073.0000000006500000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.437966456.00000000006B5000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameJvShSnAStfC.exe: vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000000.00000002.447487646.0000000006410000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1107372516.0000000000AC5000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameJvShSnAStfC.exe: vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1107118836.0000000000448000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamehQRlZqZubAOentauwsauZPuvEAzDYpjkv.exe4 vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1107666752.0000000000EF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1107188000.0000000000A42000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAndroidCar.dll6 vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1113055287.0000000006300000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1112464588.0000000005F40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1113189532.0000000006340000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1113016508.00000000062F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Binary or memory string: OriginalFilenameAndroidCar.dll6 vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Binary or memory string: OriginalFilenameJvShSnAStfC.exe: vs Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: NepvtZyh.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@1/1
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File created: C:\Users\user\AppData\Roaming\NepvtZyh.exe
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5636:120:WilError_01
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8F05.tmp
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Virustotal: Detection: 31%
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | ReversingLabs: Detection: 70%
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File read: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe
              Source: unknown | Process created: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe 'C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe'
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp'
              Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe {path}
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp'
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Process created: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe {path}
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Code function: 4_2_062E6D6E push edx; retf 4_2_062E6D8B
              Source: initial sample | Static PE information: section name: .text entropy: 7.68639163252

              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File created: \scan20200623153138 hsbc bank swift ,pdf.exe
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | File created: C:\Users\user\AppData\Roaming\NepvtZyh.exe (dropped file)

              Boot Survival:

              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp'

              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Window / User API: threadDelayed 1197
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 5528 Thread sleep time: -33000s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 5584 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6036 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6040 Thread sleep count: 155 > 30
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe TID: 6040 Thread sleep count: 1197 > 30
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Last function: Thread delayed
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1112464588.0000000005F40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1112464588.0000000005F40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1112464588.0000000005F40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1113615002.00000000065B0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1112464588.0000000005F40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Process information queried: ProcessInformation

              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Code function: 4_2_062EEAD8 LdrInitializeThunk,4_2_062EEAD8
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Memory allocated: page read and write | page guard

              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NepvtZyh' /XML 'C:\Users\user\AppData\Local\Temp\tmp8F05.tmp'
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Process created: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe {path}
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109150850.00000000017E0000.00000002.00000001.sdmp Binary or memory string: Program Manager
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109150850.00000000017E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109150850.00000000017E0000.00000002.00000001.sdmp Binary or memory string: Progman
              Source: Scan20200623153138 HSBC Bank swift ,pdf.exe, 00000004.00000002.1109150850.00000000017E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Queries volume information: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe VolumeInformation
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\Scan20200623153138 HSBC Bank swift ,pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation