Windows Analysis Report
HSBC Bank Swift Copy.pdf.exe

Overview

General Information

Sample Name: HSBC Bank Swift Copy.pdf.exe
Analysis ID: 562044
MD5: 76b0f4441930d3f2f480830681c426e7
SHA1: 0b28664196cd55adcc7b82647602db984dd49f61
SHA256: 3cc59342fdbb5aa332f7d99216ac3f1ede121e0752e5aaff260e16432c23908d
Tags: exe, Formbook, HSBC

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • HSBC Bank Swift Copy.pdf.exe (PID: 4712 cmdline: "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe" MD5: 76B0F4441930D3F2F480830681C426E7)
    • HSBC Bank Swift Copy.pdf.exe (PID: 4824 cmdline: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe MD5: 76B0F4441930D3F2F480830681C426E7)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 5976 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 4384 cmdline: /c del "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 4524 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup
{"C2 list": ["www.loj-kits.xyz/rexd/"], "decoy": ["xn--2es77o3w1bruk.mobi", "cotesaintetienne.com", "newlifefoursquaremcpherson.com", "solutions-consulting.biz", "chsico.com", "demeet.xyz", "eiruhguijire.store", "realestatemoda.com", "amr-fire.net", "99v.one", "altdaita.com", "showerbeast.com", "nsfone.com", "doanhnhanvietnam.info", "xn--transfpanou-39a.com", "invitiz.com", "chifaebio.xyz", "footprint-farm.com", "onlinenurseprograms.com", "tigeratlspa.com", "troublewatermelon.space", "juvesti.com", "hunnii.one", "collective4choice.com", "casino-mate1.com", "hairandspa-aimer-kadsume.com", "pointconstructionservices.com", "savagereviews.xyz", "zhuangmengmeng.com", "gicaredocs.com", "victori-jaya.com", "purifilt.net", "live9words.com", "x-teknoloji.com", "thelocalworkers.com", "nalainteriores.com", "dream-mart.tech", "maretta.info", "empowermindbodystudios.com", "creativenft.xyz", "remembertheabbeygate.com", "whistlergardencenter.com", "jbmfg.net", "tangerinecave.com", "60thstreetdesserts.com", "mxcpgj.com", "nguoidantocvungcao.xyz", "snowjamproductiosmedia.com", "schencklab.com", "sousouhenansheng.com", "quirkysoul39.com", "digitaleclipsegames.com", "hayesvalleycondo409.com", "ceremonydesigncompany.com", "essaispsoriasisenfants-ca.com", "borhanmarket.com", "aerbounce.com", "primebradescocadastro.com", "bupis44.info", "optmsg.com", "khukhuanphongkham.com", "bunnymoorellc.com", "tminus-10.com", "mytechmadesimple.com"]}
Source | Rule | Description | Author | Strings
Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
    Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
    Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
      Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      (31 entries in this table; only the first are shown)
      Source | Rule | Description | Author | Strings
      Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
        Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
        • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
        • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
        • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
        Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          (24 entries in this table; only the first are shown)

          System Summary

          Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe, CommandLine: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe, NewProcessName: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe, OriginalFileName: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe, ParentCommandLine: "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe" , ParentImage: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe, ParentProcessId: 4712, ProcessCommandLine: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe, ProcessId: 4824
          Source: Process started | Author: David Burkett | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3292, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5976
          Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3292, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5976
          Source: Process started | Author: vburov | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3292, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5976

          AV Detection

          Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.loj-kits.xyz/rexd/"], "decoy": ["xn--2es77o3w1bruk.mobi", "cotesaintetienne.com", "newlifefoursquaremcpherson.com", "solutions-consulting.biz", "chsico.com", "demeet.xyz", "eiruhguijire.store", "realestatemoda.com", "amr-fire.net", "99v.one", "altdaita.com", "showerbeast.com", "nsfone.com", "doanhnhanvietnam.info", "xn--transfpanou-39a.com", "invitiz.com", "chifaebio.xyz", "footprint-farm.com", "onlinenurseprograms.com", "tigeratlspa.com", "troublewatermelon.space", "juvesti.com", "hunnii.one", "collective4choice.com", "casino-mate1.com", "hairandspa-aimer-kadsume.com", "pointconstructionservices.com", "savagereviews.xyz", "zhuangmengmeng.com", "gicaredocs.com", "victori-jaya.com", "purifilt.net", "live9words.com", "x-teknoloji.com", "thelocalworkers.com", "nalainteriores.com", "dream-mart.tech", "maretta.info", "empowermindbodystudios.com", "creativenft.xyz", "remembertheabbeygate.com", "whistlergardencenter.com", "jbmfg.net", "tangerinecave.com", "60thstreetdesserts.com", "mxcpgj.com", "nguoidantocvungcao.xyz", "snowjamproductiosmedia.com", "schencklab.com", "sousouhenansheng.com", "quirkysoul39.com", "digitaleclipsegames.com", "hayesvalleycondo409.com", "ceremonydesigncompany.com", "essaispsoriasisenfants-ca.com", "borhanmarket.com", "aerbounce.com", "primebradescocadastro.com", "bupis44.info", "optmsg.com", "khukhuanphongkham.com", "bunnymoorellc.com", "tminus-10.com", "mytechmadesimple.com"]}
          Source: HSBC Bank Swift Copy.pdf.exe | Virustotal: Detection: 31%
          Source: HSBC Bank Swift Copy.pdf.exe | ReversingLabs: Detection: 48%
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: http://www.doanhnhanvietnam.info/rexd/ | Avira URL Cloud: Label: malware
          Source: http://www.hairandspa-aimer-kadsume.com/rexd/ | Avira URL Cloud: Label: malware
          Source: http://www.bupis44.info/rexd/www.solutions-consulting.biz | Avira URL Cloud: Label: malware
          Source: www.loj-kits.xyz/rexd/ | Avira URL Cloud: Label: malware
          Source: http://www.collective4choice.com/rexd/www.bupis44.info | Avira URL Cloud: Label: malware
          Source: http://www.collective4choice.com/rexd/ | Avira URL Cloud: Label: malware
          Source: http://www.loj-kits.xyz/rexd/www.chifaebio.xyz | Avira URL Cloud: Label: malware
          Source: http://www.doanhnhanvietnam.info/rexd/www.invitiz.com | Avira URL Cloud: Label: malware
          Source: http://www.bupis44.info/rexd/ | Avira URL Cloud: Label: malware
          Source: http://www.loj-kits.xyz/rexd/ | Avira URL Cloud: Label: malware
          Source: http://www.hairandspa-aimer-kadsume.com/rexd/www.tminus-10.com | Avira URL Cloud: Label: malware
          Source: http://www.bupis44.info | Avira URL Cloud: Label: malware
          Source: HSBC Bank Swift Copy.pdf.exe | Joe Sandbox ML: detected
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: HSBC Bank Swift Copy.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: HSBC Bank Swift Copy.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378821180.00000000013AF000.00000040.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378603886.0000000001290000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.379797360.0000000003300000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.378166081.0000000001000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.534695085.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.533914214.0000000003500000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378821180.00000000013AF000.00000040.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378603886.0000000001290000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000003.379797360.0000000003300000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.378166081.0000000001000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.534695085.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.533914214.0000000003500000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: eex.pdb source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: svchost.pdb source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378549777.0000000001270000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378549777.0000000001270000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\SRnftbxSiX\src\obj\Debug\RuntimePropertyIn.pdb source: HSBC Bank Swift Copy.pdf.exe

          Networking

          Source: Malware configuration extractor | URLs: www.loj-kits.xyz/rexd/
          Source: HSBC Bank Swift Copy.pdf.exe | String found in binary or memory: http://blog.iandreev.com
          Source: HSBC Bank Swift Copy.pdf.exe | String found in binary or memory: http://blog.iandreev.com/
          Source: HSBC Bank Swift Copy.pdf.exe | String found in binary or memory: http://blog.iandreev.com/AClick
          Source: explorer.exe, 0000001D.00000002.545811581.00007FFF94839000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
          Source: explorer.exe, 0000001D.00000002.545811581.00007FFF94839000.00000002.00000001.01000000.00000008.sdmp | String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
          Source: explorer.exe, 0000001D.00000002.537943170.0000000007442000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.503821116.00000000074A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.502282504.00000000074A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.513074181.0000000009817000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.539699054.0000000009817000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.512012339.00000000074A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 0000001D.00000000.506321945.0000000009A2B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.502118090.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.502938145.0000000009A2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.500906015.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.505028040.0000000009A2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.504397605.0000000009A2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.503803391.0000000009A08000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.513670120.0000000009A2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.verisign.6
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.amr-fire.net
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.amr-fire.net/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.amr-fire.net/rexd/www.collective4choice.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.amr-fire.netReferer:
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 0000000E.00000000.351270316.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.335111009.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.418985985.0000000006870000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.314141640.0000000006840000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bupis44.info
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bupis44.info/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bupis44.info/rexd/www.solutions-consulting.biz
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.bupis44.infoReferer:
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.chifaebio.xyz
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.chifaebio.xyz/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.chifaebio.xyz/rexd/www.mxcpgj.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.chifaebio.xyzReferer:
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.collective4choice.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.collective4choice.com/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.collective4choice.com/rexd/www.bupis44.info
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.collective4choice.comReferer:
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.doanhnhanvietnam.info
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.doanhnhanvietnam.info/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.doanhnhanvietnam.info/rexd/www.invitiz.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.doanhnhanvietnam.infoReferer:
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.essaispsoriasisenfants-ca.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.essaispsoriasisenfants-ca.com/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.essaispsoriasisenfants-ca.com/rexd/www.doanhnhanvietnam.info
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.essaispsoriasisenfants-ca.comReferer:
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307291346.0000000001997000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdiao
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307291346.0000000001997000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comrsiva
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hairandspa-aimer-kadsume.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hairandspa-aimer-kadsume.com/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hairandspa-aimer-kadsume.com/rexd/www.tminus-10.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.hairandspa-aimer-kadsume.comReferer:
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.invitiz.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.invitiz.com/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.invitiz.com/rexd/www.primebradescocadastro.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.invitiz.comReferer:
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.live9words.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.live9words.com/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.live9words.comReferer:
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.loj-kits.xyz
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.loj-kits.xyz/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.loj-kits.xyz/rexd/www.chifaebio.xyz
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.loj-kits.xyzReferer:
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mxcpgj.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mxcpgj.com/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mxcpgj.com/rexd/www.nalainteriores.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mxcpgj.comReferer:
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nalainteriores.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nalainteriores.com/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nalainteriores.com/rexd/www.essaispsoriasisenfants-ca.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.nalainteriores.comReferer:
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pointconstructionservices.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pointconstructionservices.com/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pointconstructionservices.com/rexd/www.amr-fire.net
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pointconstructionservices.comReferer:
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.primebradescocadastro.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.primebradescocadastro.com/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.primebradescocadastro.com/rexd/www.live9words.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.primebradescocadastro.comReferer:
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.solutions-consulting.biz
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.solutions-consulting.biz/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.solutions-consulting.biz/rexd/www.hairandspa-aimer-kadsume.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.solutions-consulting.bizReferer:
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 00000000.00000003.264704646.000000000199C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tminus-10.com
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tminus-10.com/rexd/
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tminus-10.com/rexd/www.loj-kits.xyz
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.tminus-10.comReferer:
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknown; DNS traffic detected: queries for: www.pointconstructionservices.com

          E-Banking Fraud

          Source: Yara match; File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: initial sample; Static PE information: Filename: HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 0_2_0303D3B4
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00401030
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0041B903
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0041CC4E
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00408C70
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00402D87
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00402D90
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0041C6A8
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0041CFD2
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0355EBB0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03546E30
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035F1D55
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0352F900
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03520D20
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03544120
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0353D5E0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03552581
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0353841F
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035E1002
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0353B090
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035520A0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0090CC4E
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_008F8C70
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_008F2D87
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_008F2D90
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0090C6A8
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_008F2FB0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0090CFD2
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 0352B150 appears 35 times
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00418700 NtClose,
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00418622 NtReadFile,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0356A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0356A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0356A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569560 NtWriteFile,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0356AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0356B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_03569820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_035698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_009085D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_00908680 NtReadFile,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_009087B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_00908700 NtClose,
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_00908622 NtReadFile,
          Source: HSBC Bank Swift Copy.pdf.exe; Binary or memory string: OriginalFilename vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308215845.0000000003258000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308047232.00000000031FC000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameRuntimePropertyIn.exe4 vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308047232.00000000031FC000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308047232.00000000031FC000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.311397572.0000000008210000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameUI.dllF vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilename vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUI.dllF vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.311069408.0000000007F80000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe; Binary or memory string: OriginalFilename vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378821180.00000000013AF000.00000040.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.379431942.000000000153F000.00000040.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378583898.000000000127B000.00000040.10000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenamesvchost.exej% vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe; Binary or memory string: OriginalFilenameRuntimePropertyIn.exe4 vs HSBC Bank Swift Copy.pdf.exe
          Source: HSBC Bank Swift Copy.pdf.exe; Virustotal: Detection: 31%
          Source: HSBC Bank Swift Copy.pdf.exe; ReversingLabs: Detection: 48%
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; File read: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe:Zone.Identifier
          Source: HSBC Bank Swift Copy.pdf.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown; Process created: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Process created: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe
          Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
          Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\explorer.exe explorer.exe
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Process created: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe
          Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
          Source: C:\Windows\explorer.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC Bank Swift Copy.pdf.exe.log
          Source: classification engine; Classification label: mal100.troj.evad.winEXE@8/1@3/1
          Source: C:\Windows\explorer.exe; File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5464:120:WilError_01
          Source: C:\Windows\SysWOW64\svchost.exe; Process created: C:\Windows\explorer.exe
          Source: Window Recorder; Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: HSBC Bank Swift Copy.pdf.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HSBC Bank Swift Copy.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: HSBC Bank Swift Copy.pdf.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: wntdll.pdbUGP source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378821180.00000000013AF000.00000040.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378603886.0000000001290000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.379797360.0000000003300000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.378166081.0000000001000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.534695085.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.533914214.0000000003500000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378821180.00000000013AF000.00000040.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378603886.0000000001290000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000011.00000003.379797360.0000000003300000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000003.378166081.0000000001000000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.534695085.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.533914214.0000000003500000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: eex.pdb source: explorer.exe, 0000001D.00000002.544532140.00007FFF94751000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: svchost.pdb source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378549777.0000000001270000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: HSBC Bank Swift Copy.pdf.exe, 0000000C.00000002.378549777.0000000001270000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\SRnftbxSiX\src\obj\Debug\RuntimePropertyIn.pdb source: HSBC Bank Swift Copy.pdf.exe

          Data Obfuscation

          Source: HSBC Bank Swift Copy.pdf.exe, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.0.HSBC Bank Swift Copy.pdf.exe.e60000.0.unpack, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.2.HSBC Bank Swift Copy.pdf.exe.e60000.0.unpack, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.9.unpack, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.7.unpack, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 12.2.HSBC Bank Swift Copy.pdf.exe.810000.1.unpack, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.3.unpack, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.0.unpack, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.2.unpack, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.5.unpack, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 12.0.HSBC Bank Swift Copy.pdf.exe.810000.1.unpack, _5ball/Form1.cs; .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 0_2_00E6667D push es; retf 0007h
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 0_2_00E66691 push es; retf 0007h
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00415058 pushfd ; ret
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0041B81B push eax; ret
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0041516A push esi; retf
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0040C3AC push es; iretd
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00414DFF push ebx; retf
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0041B7C5 push eax; ret
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_00816691 push es; retf 0007h
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_0081667D push es; retf 0007h
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0357D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0090B812 push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0090B81B push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_00905058 pushfd ; ret
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0090B87C push eax; ret
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0090516A push esi; retf
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_008FC3AC push es; iretd
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_00904DFF push ebx; retf
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0090BD6F push ecx; ret
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_0090B7C5 push eax; ret

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\svchost.exe; Process created: /c del "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
          Source: Possible double extension: pdf.exe; Static PE information: HSBC Bank Swift Copy.pdf.exe
          Source: C:\Windows\explorer.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match; File source: 0.2.HSBC Bank Swift Copy.pdf.exe.31ed1ec.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.HSBC Bank Swift Copy.pdf.exe.326c734.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000002.308215845.0000000003258000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: HSBC Bank Swift Copy.pdf.exe PID: 4712, type: MEMORYSTR
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308215845.0000000003258000.00000004.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.308215845.0000000003258000.00000004.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe; RDTSC instruction interceptor: First address: 00000000008F8604 second address: 00000000008F860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe; RDTSC instruction interceptor: First address: 00000000008F898E second address: 00000000008F8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe TID: 4000; Thread sleep time: -39813s >= -30000s
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe TID: 5428; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe; Last function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exe; Last function: Thread delayed
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Code function: 12_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe; File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeThread delayed: delay time: 39813
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeThread delayed: delay time: 922337203685477
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 0000000E.00000000.338683531.0000000008A32000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000000E.00000000.338683531.0000000008A32000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000001D.00000000.513716413.0000000009A43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
          Source: explorer.exe, 0000001D.00000003.501324592.0000000009A81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001D.00000003.507940526.00000000099F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00
          Source: explorer.exe, 0000001D.00000003.505130040.0000000009A43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,h\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}O0M0K
          Source: explorer.exe, 0000001D.00000000.477720516.00000000074BE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000001D.00000003.501551888.0000000009936000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}f
          Source: explorer.exe, 0000000E.00000000.355788907.0000000008C73000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S""
          Source: explorer.exe, 0000000E.00000000.355307217.0000000008B88000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 0000001D.00000003.501717975.00000000099F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00$
          Source: explorer.exe, 0000001D.00000003.501509475.0000000009913000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000:
          Source: explorer.exe, 0000001D.00000000.506378037.0000000009A69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}!
          Source: explorer.exe, 0000001D.00000000.506378037.0000000009A69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 0000001D.00000003.500774605.00000000099B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_
          Source: explorer.exe, 0000000E.00000000.355147226.0000000008ACF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 0000001D.00000000.502730509.00000000073CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00ta
          Source: explorer.exe, 0000001D.00000000.460008601.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AASCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000&09F6E&0&00A8AUTHORITY\SYSTEMP
          Source: explorer.exe, 0000001D.00000000.511352280.00000000073CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}K
          Source: explorer.exe, 0000001D.00000002.540226124.00000000099F2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000001D.00000003.500774605.00000000099B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Prod_VMware_SATA(P
          Source: explorer.exe, 0000001D.00000000.506076169.00000000098B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00#
          Source: explorer.exe, 0000001D.00000002.540333961.0000000009A43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: om&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
          Source: explorer.exe, 0000001D.00000000.506378037.0000000009A69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: explorer.exe, 0000001D.00000000.506378037.0000000009A69000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001D.00000000.506076169.00000000098B5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 0000001D.00000000.460008601.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000E.00000000.355147226.0000000008ACF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 0000000E.00000000.355307217.0000000008B88000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 0000001D.00000000.460008601.00000000005A7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000's
          Source: explorer.exe, 0000001D.00000003.505130040.0000000009A43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000f
          Source: explorer.exe, 0000000E.00000000.351546776.00000000069DA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD002
          Source: explorer.exe, 0000001D.00000000.511352280.00000000073CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}2
          Source: explorer.exe, 0000001D.00000000.512012339.00000000074A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
          Source: explorer.exe, 0000001D.00000003.501509475.0000000009913000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeCode function: 12_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\svchost.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0353EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03553B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03553B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0353FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035E131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03524F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03524F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03552397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03538794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035E138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03531B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03531B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035DD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03554BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03554BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03554BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035B4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03529240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03529240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03529240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03529240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03537E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0356927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0353766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03525210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03525210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03525210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03525210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03543A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03558E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03538A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035DFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03564A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03564A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03568EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035DFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03552ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03552AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035BFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0353AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0353AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035A46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03547D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03563D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035A3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0354C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03529100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03529100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03529100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0352AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03533D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035F8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035AA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03554D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03554D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03554D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_0355513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03544120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03544120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03544120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03544120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_03544120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_035A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035D8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0352B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0352B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0352B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035B41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0353D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0353D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03552990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03552581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03552581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03552581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03552581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0354C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03522D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03522D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03522D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03522D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03522D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03551DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03551DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03551DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03540050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03540050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035F1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0354746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0353B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0353B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0353B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0353B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035F8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035BB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035E14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0353849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_03529080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_0355F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_035690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Code function: 12_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 1210000
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Thread register set: target process: 3292
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 3292
          Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 4524
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Process created: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
          Source: explorer.exe, 0000000E.00000000.330983528.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.309774426.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.413808591.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.346663673.0000000001400000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: uProgram Manager
          Source: explorer.exe, 0000000E.00000000.314124995.0000000005F40000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.330983528.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.309774426.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.413808591.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.346663673.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.476334037.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.477072596.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.468133229.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.535978081.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.535583862.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.510518709.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.510678631.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.501563088.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.461471102.00000000044E8000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.502198515.00000000061A0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000E.00000000.330983528.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.309774426.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.413808591.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.346663673.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.485552747.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.473223264.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.460008601.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.501476505.00000000060B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.476195476.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.535454990.00000000060B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.468100591.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.477072596.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.535978081.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.510678631.00000000061A0000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.507621751.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.510357758.00000000060B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.529597108.00000000005A7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.502198515.00000000061A0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 0000000E.00000000.346283837.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.330693683.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.413334676.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.309431737.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanX
          Source: explorer.exe, 0000000E.00000000.330983528.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.309774426.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.413808591.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.346663673.0000000001400000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000E.00000000.321946931.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.338770667.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.355147226.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndAj
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: explorer.exe, 0000001D.00000000.500099390.00000000042BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

          Stealing of Sensitive Information

          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.HSBC Bank Swift Copy.pdf.exe.4355240.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.HSBC Bank Swift Copy.pdf.exe.42fac20.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix (techniques listed by tactic; figures in square brackets are the badge numbers shown on the matrix cells)

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: Shared Modules [1]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Privilege Escalation: Process Injection [412]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Defense Evasion: Masquerading [11]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [41]; Process Injection [412]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [12]; Software Packing [11]; File Deletion [1]
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: Query Registry [1]; Security Software Discovery [241]; Process Discovery [2]; Virtualization/Sandbox Evasion [41]; File and Directory Discovery [1]; System Information Discovery [112]; Network Sniffing; Network Service Scanning
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
          Behavior Graph ID: 562044 | Sample: HSBC Bank Swift Copy.pdf.exe | Startdate: 28/01/2022 | Architecture: WINDOWS | Score: 100
          (text rendering of the behavior graph; node numbers are the graph's own, and the figures after a process name are the created-file / registry-value counts shown on its node)

          Start (node 2)
            DNS/IP: www.pointconstructionservices.com; www.collective4choice.com; 3 other IPs or domains
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 13 other signatures
            started -> HSBC Bank Swift Copy.pdf.exe, 3 (node 11)
              dropped: C:\Users\...\HSBC Bank Swift Copy.pdf.exe.log, ASCII
              started -> HSBC Bank Swift Copy.pdf.exe (node 14)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                injected -> explorer.exe (node 17)
                  started -> svchost.exe (node 19)
                    Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    started -> explorer.exe, 1 122 (node 22)
                      DNS/IP: 192.168.2.1 unknown unknown
                    started -> cmd.exe, 1 (node 25)
                      started -> conhost.exe (node 27)

          Source | Detection | Scanner | Label
          HSBC Bank Swift Copy.pdf.exe | 32% | Virustotal |
          HSBC Bank Swift Copy.pdf.exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          HSBC Bank Swift Copy.pdf.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          Source | Detection | Scanner | Label
          12.0.HSBC Bank Swift Copy.pdf.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          12.2.HSBC Bank Swift Copy.pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          12.0.HSBC Bank Swift Copy.pdf.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          12.0.HSBC Bank Swift Copy.pdf.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          No Antivirus matches
          Source | Detection | Scanner | Label
          http://www.chifaebio.xyz | 0% | Avira URL Cloud | safe
          http://www.loj-kits.xyz | 0% | Avira URL Cloud | safe
          http://www.mxcpgj.com | 0% | Avira URL Cloud | safe
          http://www.bupis44.infoReferer: | 0% | Avira URL Cloud | safe
          http://www.pointconstructionservices.comReferer: | 0% | Avira URL Cloud | safe
          http://www.nalainteriores.com/rexd/www.essaispsoriasisenfants-ca.com | 0% | Avira URL Cloud | safe
          http://www.invitiz.com/rexd/www.primebradescocadastro.com | 0% | Avira URL Cloud | safe
          http://www.doanhnhanvietnam.infoReferer: | 0% | Avira URL Cloud | safe
          http://www.primebradescocadastro.com/rexd/ | 0% | Avira URL Cloud | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.solutions-consulting.biz | 0% | Avira URL Cloud | safe
          http://www.chifaebio.xyz/rexd/ | 0% | Avira URL Cloud | safe
          http://www.doanhnhanvietnam.info/rexd/ | 100% | Avira URL Cloud | malware
          http://www.tminus-10.com | 0% | Avira URL Cloud | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.primebradescocadastro.com | 0% | Avira URL Cloud | safe
          http://www.invitiz.com/rexd/ | 0% | Avira URL Cloud | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.tminus-10.com/rexd/www.loj-kits.xyz | 0% | Avira URL Cloud | safe
          http://www.invitiz.comReferer: | 0% | Avira URL Cloud | safe
          http://www.essaispsoriasisenfants-ca.comReferer: | 0% | Avira URL Cloud | safe
          http://www.hairandspa-aimer-kadsume.com/rexd/ | 100% | Avira URL Cloud | malware
          http://www.pointconstructionservices.com/rexd/www.amr-fire.net | 0% | Avira URL Cloud | safe
          http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov | 0% | Avira URL Cloud | safe
          http://www.mxcpgj.comReferer: | 0% | Avira URL Cloud | safe
          http://www.amr-fire.net/rexd/ | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.collective4choice.comReferer: | 0% | Avira URL Cloud | safe
          http://www.bupis44.info/rexd/www.solutions-consulting.biz | 100% | Avira URL Cloud | malware
          www.loj-kits.xyz/rexd/ | 100% | Avira URL Cloud | malware
          http://www.chifaebio.xyzReferer: | 0% | Avira URL Cloud | safe
          http://www.doanhnhanvietnam.info | 0% | Avira URL Cloud | safe
          http://www.nalainteriores.com | 0% | Avira URL Cloud | safe
          http://www.collective4choice.com/rexd/www.bupis44.info | 100% | Avira URL Cloud | malware
          http://blog.iandreev.com/ | 0% | Avira URL Cloud | safe
          http://www.collective4choice.com/rexd/ | 100% | Avira URL Cloud | malware
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://www.loj-kits.xyz/rexd/www.chifaebio.xyz | 100% | Avira URL Cloud | malware
          http://www.solutions-consulting.biz/rexd/www.hairandspa-aimer-kadsume.com | 0% | Avira URL Cloud | safe
          http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro | 0% | Avira URL Cloud | safe
          http://www.amr-fire.net | 0% | Avira URL Cloud | safe
          http://www.nalainteriores.comReferer: | 0% | Avira URL Cloud | safe
          http://www.essaispsoriasisenfants-ca.com/rexd/ | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.doanhnhanvietnam.info/rexd/www.invitiz.com | 100% | Avira URL Cloud | malware
          http://blog.iandreev.com/AClick | 0% | Avira URL Cloud | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.essaispsoriasisenfants-ca.com | 0% | Avira URL Cloud | safe
          http://www.hairandspa-aimer-kadsume.comReferer: | 0% | Avira URL Cloud | safe
          http://www.live9words.com | 0% | Avira URL Cloud | safe
          http://www.bupis44.info/rexd/ | 100% | Avira URL Cloud | malware
          http://www.hairandspa-aimer-kadsume.com | 0% | Avira URL Cloud | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.loj-kits.xyz/rexd/ | 100% | Avira URL Cloud | malware
          http://www.pointconstructionservices.com | 0% | Avira URL Cloud | safe
          http://www.amr-fire.net/rexd/www.collective4choice.com | 0% | Avira URL Cloud | safe
          http://www.live9words.com/rexd/ | 0% | Avira URL Cloud | safe
          http://www.essaispsoriasisenfants-ca.com/rexd/www.doanhnhanvietnam.info | 0% | Avira URL Cloud | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.hairandspa-aimer-kadsume.com/rexd/www.tminus-10.com | 100% | Avira URL Cloud | malware
          http://www.chifaebio.xyz/rexd/www.mxcpgj.com | 0% | Avira URL Cloud | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.nalainteriores.com/rexd/ | 0% | Avira URL Cloud | safe
          http://blog.iandreev.com | 0% | Avira URL Cloud | safe
          http://www.tminus-10.comReferer: | 0% | Avira URL Cloud | safe
          http://www.pointconstructionservices.com/rexd/ | 0% | Avira URL Cloud | safe
          http://www.primebradescocadastro.comReferer: | 0% | Avira URL Cloud | safe
          http://www.tminus-10.com/rexd/ | 0% | Avira URL Cloud | safe
          http://crl.verisign.6 | 0% | Avira URL Cloud | safe
          http://www.collective4choice.com | 0% | Avira URL Cloud | safe
          http://www.loj-kits.xyzReferer: | 0% | Avira URL Cloud | safe
          http://www.solutions-consulting.bizReferer: | 0% | Avira URL Cloud | safe
          http://www.live9words.comReferer: | 0% | Avira URL Cloud | safe
          http://www.solutions-consulting.biz/rexd/ | 0% | Avira URL Cloud | safe
          http://www.amr-fire.netReferer: | 0% | Avira URL Cloud | safe
          http://www.primebradescocadastro.com/rexd/www.live9words.com | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.bupis44.info | 100% | Avira URL Cloud | malware
          http://www.mxcpgj.com/rexd/ | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.fontbureau.comrsiva | 0% | URL Reputation | safe
          http://www.invitiz.com | 0% | Avira URL Cloud | safe
          http://www.fontbureau.comdiao | 0% | Avira URL Cloud | safe
          http://www.mxcpgj.com/rexd/www.nalainteriores.com | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          pointconstructionservices.com | 34.102.136.180 | true | true |  | unknown
          d1g9pg5cncourf.cloudfront.net | 13.225.39.103 | true | false |  | high
          www.amr-fire.net | unknown | unknown | true |  | unknown
          www.pointconstructionservices.com | unknown | unknown | true |  | unknown
          www.collective4choice.com | unknown | unknown | true |  | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.loj-kits.xyz/rexd/ | true | Avira URL Cloud: malware | low
                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.chifaebio.xyzexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.loj-kits.xyzexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.mxcpgj.comexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.bupis44.infoReferer:explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: safe
                    unknown
                    http://www.pointconstructionservices.comReferer:explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.nalainteriores.com/rexd/www.essaispsoriasisenfants-ca.comexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.fontbureau.com/designersHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                      high
                      http://www.invitiz.com/rexd/www.primebradescocadastro.comexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.doanhnhanvietnam.infoReferer:explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.primebradescocadastro.com/rexd/explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.sajatypeworks.comHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.founder.com.cn/cn/cTheHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.solutions-consulting.bizexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.chifaebio.xyz/rexd/explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.doanhnhanvietnam.info/rexd/explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmptrue
                      • Avira URL Cloud: malware
                      unknown
                      http://www.tminus-10.comexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.galapagosdesign.com/DPleaseHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.primebradescocadastro.comexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.invitiz.com/rexd/explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.urwpp.deDPleaseHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.zhongyicts.com.cnHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://www.tminus-10.com/rexd/www.loj-kits.xyzexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.invitiz.comReferer:explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      http://www.autoitscript.com/autoit3/Jexplorer.exe, 0000000E.00000000.351270316.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.335111009.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.418985985.0000000006870000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.314141640.0000000006840000.00000004.00000001.00020000.00000000.sdmpfalse
                        high
                        http://www.essaispsoriasisenfants-ca.comReferer:explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.hairandspa-aimer-kadsume.com/rexd/explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmptrue
                        • Avira URL Cloud: malware
                        unknown
                        http://www.pointconstructionservices.com/rexd/www.amr-fire.netexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groovexplorer.exe, 0000001D.00000002.545811581.00007FFF94839000.00000002.00000001.01000000.00000008.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.mxcpgj.comReferer:explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.amr-fire.net/rexd/explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.carterandcone.comlHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://www.fontbureau.com/designers/frere-jones.htmlHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          http://www.collective4choice.comReferer:explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.bupis44.info/rexd/www.solutions-consulting.bizexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://www.chifaebio.xyzReferer:explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.doanhnhanvietnam.infoexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.nalainteriores.comexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.collective4choice.com/rexd/www.bupis44.infoexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          http://www.fontbureau.com/designersGHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            http://blog.iandreev.com/HSBC Bank Swift Copy.pdf.exefalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.collective4choice.com/rexd/explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            http://www.fontbureau.com/designers/?HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.founder.com.cn/cn/bTheHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.loj-kits.xyz/rexd/www.chifaebio.xyzexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              http://www.solutions-consulting.biz/rexd/www.hairandspa-aimer-kadsume.comexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.fontbureau.com/designers?HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.groexplorer.exe, 0000001D.00000002.545811581.00007FFF94839000.00000002.00000001.01000000.00000008.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
URL | Source (process, memory dump) | Malicious | Antivirus detection | Reputation
(Note: the URL column shows the raw string as recovered from memory, so trailing fragments such as "Referer:", "D", "N", "rsiva" or "diao" are adjacent bytes of the memory string, not part of the URL. Entries with a "/rexd/" path followed by "www.<host>" are two adjacent configuration strings read back to back; the second host also appears as its own entry. The URLs recovered from the HSBC Bank Swift Copy.pdf.exe 072E2000 region are type-foundry URLs of the kind carried in embedded font metadata.)
http://www.amr-fire.net | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nalainteriores.comReferer: | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.essaispsoriasisenfants-ca.com/rexd/ | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 00000000.00000003.264704646.000000000199C000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.doanhnhanvietnam.info/rexd/www.invitiz.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://blog.iandreev.com/AClick | HSBC Bank Swift Copy.pdf.exe | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.essaispsoriasisenfants-ca.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hairandspa-aimer-kadsume.comReferer: | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.live9words.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bupis44.info/rexd/ | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.hairandspa-aimer-kadsume.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.loj-kits.xyz/rexd/ | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.pointconstructionservices.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.amr-fire.net/rexd/www.collective4choice.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.live9words.com/rexd/ | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.essaispsoriasisenfants-ca.com/rexd/www.doanhnhanvietnam.info | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hairandspa-aimer-kadsume.com/rexd/www.tminus-10.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.chifaebio.xyz/rexd/www.mxcpgj.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.nalainteriores.com/rexd/ | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://blog.iandreev.com | HSBC Bank Swift Copy.pdf.exe | false | Avira URL Cloud: safe | unknown
http://www.tminus-10.comReferer: | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.pointconstructionservices.com/rexd/ | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.primebradescocadastro.comReferer: | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tminus-10.com/rexd/ | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.verisign.6 | explorer.exe, 0000001D.00000000.506321945.0000000009A2B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.502118090.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.502938145.0000000009A2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.500906015.0000000009A06000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.505028040.0000000009A2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.504397605.0000000009A2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000003.503803391.0000000009A08000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.513670120.0000000009A2B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.collective4choice.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.loj-kits.xyzReferer: | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.solutions-consulting.bizReferer: | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.live9words.comReferer: | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.solutions-consulting.biz/rexd/ | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.amr-fire.netReferer: | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.primebradescocadastro.com/rexd/www.live9words.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.bupis44.info | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.mxcpgj.com/rexd/ | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comrsiva | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307291346.0000000001997000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.invitiz.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comdiao | HSBC Bank Swift Copy.pdf.exe, 00000000.00000002.307291346.0000000001997000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mxcpgj.com/rexd/www.nalainteriores.com | explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
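The URL rows above, as the extraction flattened them, are hard to turn into a blocklist by hand: URL, source process, memory dump and the Malicious flag run together on one line. The following parser is an added example written for this page; it is not part of the Joe Sandbox report or of Joe Security's tooling. The sample rows are constructed by copying six entries from the table above verbatim; the process-name list, the "/rexd/" path rule and the `c2_hosts` heuristic (block a host if the sandbox flagged it malicious or if it carries the shared path, and also return the second host of a fused "/rexd/www.<host>" string) are this example's own assumptions, chosen from what the rows on this page show.

```python
"""Parse flattened Joe Sandbox 'URLs from memory' rows into IOC records.
Added example for this report page; the sample rows are constructed copies
of six entries from the page, not data produced by this script."""
import re
from urllib.parse import urlsplit

# Constructed sample: six rows copied from the report's URL table. Each row is
# URL + source process(es)/memory dump(s) + Malicious flag on one line, then an
# optional '• <engine>: <verdict>' line, then the reputation line.
SAMPLE_ROWS = """\
http://www.doanhnhanvietnam.info/rexd/www.invitiz.comexplorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmptrue
• Avira URL Cloud: malware
unknown
http://www.bupis44.info/rexd/explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmptrue
• Avira URL Cloud: malware
unknown
http://www.live9words.com/rexd/explorer.exe, 0000001D.00000002.540010356.0000000009913000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
http://www.fonts.comHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmpfalse
high
http://www.tiro.comHSBC Bank Swift Copy.pdf.exe, 00000000.00000002.309728380.00000000072E2000.00000004.00000800.00020000.00000000.sdmp, HSBC Bank Swift Copy.pdf.exe, 00000000.00000003.264704646.000000000199C000.00000004.00000020.00020000.00000000.sdmpfalse
• URL Reputation: safe
unknown
http://blog.iandreev.com/AClickHSBC Bank Swift Copy.pdf.exefalse
• Avira URL Cloud: safe
unknown
"""

# Process names that occur in the Source column of this report: the sample
# itself and the process it injects into. Assumption: another report needs
# its own list, taken from its process tree.
KNOWN_PROCESSES = ("HSBC Bank Swift Copy.pdf.exe", "explorer.exe")
REPUTATIONS = {"unknown", "low", "medium", "high"}
# URI path shared by the URLs recovered from the injected explorer.exe here.
C2_PATH = "/rexd/"


def _row_regex(processes):
    # Longest process name first so a short name cannot cut a longer one.
    names = "|".join(re.escape(p) for p in sorted(processes, key=len, reverse=True))
    # Lazy \S*? ends the URL at the first point where a process name follows,
    # the only reliable boundary in the flattened text.
    return re.compile(r"^(?P<url>https?://\S*?)(?P<src>(?:" + names + r").*?)(?P<flag>true|false)$")


def _split_sources(src, processes):
    """'proc, dump, proc, dump' -> [(proc, dump), ...]; a lone proc gets dump None."""
    parts = [p.strip() for p in src.split(", ")]
    pairs, i = [], 0
    while i < len(parts):
        proc, dump = parts[i], None
        if i + 1 < len(parts) and parts[i + 1] not in processes:
            dump = parts[i + 1]
            i += 1
        pairs.append((proc, dump))
        i += 1
    return pairs


def parse_url_table(text, processes=KNOWN_PROCESSES):
    """Return one dict per row: url, sources, malicious, av_verdict, reputation."""
    row_re = _row_regex(processes)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        m = row_re.match(lines[i])
        if not m:
            raise ValueError("unparsable row: %r" % lines[i])
        rec = {"url": m.group("url"),
               "sources": _split_sources(m.group("src"), processes),
               "malicious": m.group("flag") == "true",
               "av_verdict": None, "reputation": None}
        i += 1
        if i < len(lines) and lines[i].startswith("•"):   # AV verdict line is optional
            rec["av_verdict"] = lines[i].lstrip("• ").strip()
            i += 1
        if i < len(lines) and lines[i] in REPUTATIONS:
            rec["reputation"] = lines[i]
            i += 1
        records.append(rec)
    return records


def c2_hosts(records, c2_path=C2_PATH):
    """Hosts to block: flagged malicious by the sandbox, or carrying the shared C2 path.
    http://a.example/rexd/www.b.example is two adjacent config strings read back
    to back from memory, so the host after the path is returned as well."""
    hosts = set()
    for rec in records:
        parts = urlsplit(rec["url"])
        on_c2_path = parts.path.startswith(c2_path)
        if rec["malicious"] or on_c2_path:
            hosts.add(parts.hostname)
            tail = parts.path[len(c2_path):] if on_c2_path else ""
            if tail.startswith("www."):
                hosts.add(tail)
    return sorted(hosts)


if __name__ == "__main__":
    recs = parse_url_table(SAMPLE_ROWS)
    for r in recs:
        print(r["malicious"], r["reputation"], r["url"])
    print("block:", c2_hosts(recs))   # 4 hosts for the sample rows
```

Note that `c2_hosts` deliberately ignores the AV verdict: on this page only the `true`-flagged rows carry "Avira URL Cloud: malware", while sibling hosts with the same "/rexd/" path are rated "safe", so a verdict-only filter would miss most of the configuration.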
(Legend of the contacted-IP country chart: No. of IPs < 25% / 25% < No. of IPs < 50% / 50% < No. of IPs < 75% / 75% < No. of IPs)
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no public IP rows in this excerpt)
Private IP (RFC 1918): 192.168.2.1
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 562044
Start date: 28.01.2022
Start time: 10:55:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 40s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: HSBC Bank Swift Copy.pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@8/1@3/1
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 69.1% (good quality ratio 64.5%)
• Quality average: 71.3%
• Quality standard deviation: 30.9%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, dllhost.exe, backgroundTaskHost.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.189.173.22
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
10:56:47 | API Interceptor | 1x Sleep call for process: HSBC Bank Swift Copy.pdf.exe modified
10:58:02 | API Interceptor | 82x Sleep call for process: explorer.exe modified
No context (none of the report's context sections for IPs, domains, ASNs, JA3 fingerprints or dropped files has entries)
Process: C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview (non-printable bytes shown as dots): 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.450297231968026
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: HSBC Bank Swift Copy.pdf.exe
File size: 770048
MD5: 76b0f4441930d3f2f480830681c426e7
SHA1: 0b28664196cd55adcc7b82647602db984dd49f61
SHA256: 3cc59342fdbb5aa332f7d99216ac3f1ede121e0752e5aaff260e16432c23908d
SHA512: 63d7cbcaa3b46cce81727e5baa82e5daa055b3ad95d1fb14086bf2dd2bbd2811400b15e9231a18dc5ab1771c18f2047077baaefe8b970463da947fc650d32884
SSDEEP: 12288:9vlo9vY4GuoGLzezhMXxJYpfuRss38iZ:foFY4GuoG3ezhMXxJO/c
File Content Preview (non-printable bytes shown as dots): MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2.a..............0.................. ........@.. ....................... ............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4bd4ea
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61F332EA [Fri Jan 28 00:03:54 2022 UTC] (about eleven hours before the analysis start time on the same day)
TLS Callbacks: (none listed)
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entrypoint, 0x4bd4ea)
jmp dword ptr [00402000h]
(followed by 97 x "add byte ptr [eax], al": the bytes after the stub are zeros, which the disassembler renders as add byte ptr [eax], al)
The jmp targets 0x402000, i.e. the image base 0x400000 plus the IAT at RVA 0x2000, whose single entry is mscoree.dll!_CorExeMain. This six-byte stub is the standard native entrypoint of a .NET assembly; the managed entrypoint is located through the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008), so the native disassembly says nothing about the sample's own code.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbd498 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x5cc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbd360 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbb4f0 | 0xbb600 | False | 0.488747706805 | data | 6.45404426837 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xbe000 | 0x5cc | 0x600 | False | 0.427083333333 | data | 4.13288039483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name         RVA      Size   Type                                                                         Language  Country
RT_VERSION   0xbe090  0x33c  data
RT_MANIFEST  0xbe3dc  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

DLL          Import
mscoree.dll  _CorExeMain

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2016
Assembly Version  1.0.0.0
InternalName      RuntimePropertyIn.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       OthelloCS
ProductVersion    1.0.0.0
FileDescription   OthelloCS
OriginalFilename  RuntimePropertyIn.exe
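
The data-directory and section tables above are what a loader reads from the optional header and the section table, and three things in them are worth noticing before opening the sample: a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR together with a single import (mscoree.dll!_CorExeMain) marks a managed .NET assembly; an empty IMAGE_DIRECTORY_ENTRY_SECURITY means there is no Authenticode signature to check; and a .text section of 0xbb600 raw bytes in a 770048-byte file (over 99 percent of it) at entropy 6.45 is far denser than plain managed code, which is what an embedded, encrypted second stage looks like. The script below is an added example, my own code rather than Joe Sandbox's or the sample's: it parses those structures out of a PE32 image, recomputes the per-section entropy and the "Is in Section" column, and applies the three checks. Because the sample itself is not on the page, it parses a PE that it constructs inline with the same shape (managed directories set, no SECURITY directory, a large pseudo-random .text); the 6.0 entropy and 90 percent size thresholds are assumptions.

```python
import math
import random
import struct
from collections import Counter

# Data-directory slots in optional-header order (the order the report lists them in).
DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
EXEC_FLAGS = 0x00000020 | 0x20000000  # IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte (0.0 .. 8.0), the per-section Entropy figure the report shows."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> directories, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes sits at +92 (PE32) or +108 (PE32+); the 8-byte entries follow it.
    count_off = opt + (92 if magic == 0x10B else 108)
    ndirs = struct.unpack_from("<I", data, count_off)[0]
    directories = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", data, count_off + 4 + 8 * i)
                   for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "executable": bool(chars & EXEC_FLAGS),
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"machine": machine, "pe32plus": magic == 0x20B, "size": len(data),
            "directories": directories, "sections": sections}


def section_for(pe: dict, rva: int):
    """The report's 'Is in Section' column: which section maps this RVA."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def triage(pe: dict, code_entropy_threshold: float = 6.0) -> list:
    """Findings worth knowing before opening the file. Thresholds are my assumptions."""
    d, findings = pe["directories"], []
    if d.get("COM_DESCRIPTOR", (0, 0))[1]:
        findings.append("managed (.NET) image: COM_DESCRIPTOR directory present")
    if not d.get("SECURITY", (0, 0))[1]:
        findings.append("unsigned: SECURITY (Authenticode) directory empty")
    for s in pe["sections"]:
        if s["executable"] and s["entropy"] >= code_entropy_threshold:
            findings.append(f"{s['name']}: executable section entropy {s['entropy']:.2f}, "
                            "packed or embedded payload likely")
        if s["rawsize"] > 0.9 * pe["size"]:
            findings.append(f"{s['name']}: holds {100 * s['rawsize'] / pe['size']:.0f}% of the file")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 shaped like the report's sample: .NET directories set, no SECURITY
    directory, and a large pseudo-random .text standing in for an encrypted payload."""
    rng = random.Random(2022)
    text_raw = bytes(rng.getrandbits(8) for _ in range(0x3000))
    rsrc_raw = b"RESOURCE" * 0x20
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x2000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    for name, entry in {"IMPORT": (0x4F00, 0x4F), "RESOURCE": (0x6000, 0x100),
                        "IAT": (0x2000, 0x8), "COM_DESCRIPTOR": (0x2008, 0x48)}.items():
        struct.pack_into("<II", opt, 96 + 8 * DIRECTORY_NAMES.index(name), *entry)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    secs = struct.pack("<8sIIIIIIHHI", b".text", len(text_raw), 0x2000, len(text_raw), 0x200,
                       0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc_raw), 0x6000, len(rsrc_raw),
                        0x200 + len(text_raw), 0, 0, 0, 0, 0x40000040)
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)   # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    return headers.ljust(0x200, b"\0") + text_raw + rsrc_raw


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(*triage(pe), sep="\n")
```

Pass a real file's bytes to parse_pe instead of build_sample_pe() to get the same directory and section view the report prints; on this sample the checks would fire on COM_DESCRIPTOR (0x2008, 0x48), on the empty SECURITY slot, and on .text.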

Timestamp                 Protocol  SID   Message                         Source Port  Dest Port  Source IP       Dest IP
01/28/22-10:58:40.442828  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49861      34.102.136.180  192.168.2.7

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 28, 2022 10:58:40.275278091 CET  51919        53         192.168.2.7  8.8.8.8
Jan 28, 2022 10:58:40.305191040 CET  53           51919      8.8.8.8      192.168.2.7
Jan 28, 2022 10:58:45.456741095 CET  64296        53         192.168.2.7  8.8.8.8
Jan 28, 2022 10:58:45.480979919 CET  53           64296      8.8.8.8      192.168.2.7
Jan 28, 2022 10:58:50.542371035 CET  58820        53         192.168.2.7  8.8.8.8
Jan 28, 2022 10:58:50.569107056 CET  53           58820      8.8.8.8      192.168.2.7

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                               Type            Class
Jan 28, 2022 10:58:40.275278091 CET  192.168.2.7  8.8.8.8  0x5b67    Standard query (0)  www.pointconstructionservices.com  A (IP address)  IN (0x0001)
Jan 28, 2022 10:58:45.456741095 CET  192.168.2.7  8.8.8.8  0x741d    Standard query (0)  www.amr-fire.net                   A (IP address)  IN (0x0001)
Jan 28, 2022 10:58:50.542371035 CET  192.168.2.7  8.8.8.8  0x7770    Standard query (0)  www.collective4choice.com          A (IP address)  IN (0x0001)

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                               CName                          Address         Type                    Class
Jan 28, 2022 10:58:40.305191040 CET  8.8.8.8    192.168.2.7  0x5b67    No error (0)    www.pointconstructionservices.com  pointconstructionservices.com                  CNAME (Canonical name)  IN (0x0001)
Jan 28, 2022 10:58:40.305191040 CET  8.8.8.8    192.168.2.7  0x5b67    No error (0)    pointconstructionservices.com                                     34.102.136.180  A (IP address)          IN (0x0001)
Jan 28, 2022 10:58:45.480979919 CET  8.8.8.8    192.168.2.7  0x741d    No error (0)    www.amr-fire.net                   d1g9pg5cncourf.cloudfront.net                  CNAME (Canonical name)  IN (0x0001)
Jan 28, 2022 10:58:45.480979919 CET  8.8.8.8    192.168.2.7  0x741d    No error (0)    d1g9pg5cncourf.cloudfront.net                                     13.225.39.103   A (IP address)          IN (0x0001)
Jan 28, 2022 10:58:45.480979919 CET  8.8.8.8    192.168.2.7  0x741d    No error (0)    d1g9pg5cncourf.cloudfront.net                                     13.225.39.125   A (IP address)          IN (0x0001)
Jan 28, 2022 10:58:45.480979919 CET  8.8.8.8    192.168.2.7  0x741d    No error (0)    d1g9pg5cncourf.cloudfront.net                                     13.225.39.124   A (IP address)          IN (0x0001)
Jan 28, 2022 10:58:45.480979919 CET  8.8.8.8    192.168.2.7  0x741d    No error (0)    d1g9pg5cncourf.cloudfront.net                                     13.225.39.100   A (IP address)          IN (0x0001)
Jan 28, 2022 10:58:50.569107056 CET  8.8.8.8    192.168.2.7  0x7770    Name error (3)  www.collective4choice.com          none                           none            A (IP address)          IN (0x0001)
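
The three lookups and the single IDS alert above are the whole of the observed network activity, and the pattern is the usual FormBook one: the configuration carries a list of domains, most of them decoys, and the injected code walks that list on a fixed cadence (here one query roughly every five seconds). Reading the answers needs a little work because the A records come back under the CNAME target, not the queried name, and the IDS alert names only the server IP. The script below is an added example, my code and not part of the report: it takes the query, answer and IDS rows as transcribed from the tables, follows each CNAME chain to its A records, joins the resolved addresses to the alert by server IP, and computes the gap between queries. The CDN suffix list is an assumption used to mark names that are probably legitimate decoys. One caveat the output makes explicit: the 403 from 34.102.136.180 shows the host was contacted, not that it is the live C2, so all three names belong on the block list.

```python
from datetime import datetime

# Transcribed from the report's DNS query, DNS answer and IDS tables above.
DNS_QUERIES = [  # (timestamp, transaction id, queried name)
    ("Jan 28, 2022 10:58:40.275278091", "0x5b67", "www.pointconstructionservices.com"),
    ("Jan 28, 2022 10:58:45.456741095", "0x741d", "www.amr-fire.net"),
    ("Jan 28, 2022 10:58:50.542371035", "0x7770", "www.collective4choice.com"),
]
DNS_ANSWERS = [  # (transaction id, rcode, owner name, rrtype, rdata)
    ("0x5b67", 0, "www.pointconstructionservices.com", "CNAME", "pointconstructionservices.com"),
    ("0x5b67", 0, "pointconstructionservices.com", "A", "34.102.136.180"),
    ("0x741d", 0, "www.amr-fire.net", "CNAME", "d1g9pg5cncourf.cloudfront.net"),
    ("0x741d", 0, "d1g9pg5cncourf.cloudfront.net", "A", "13.225.39.103"),
    ("0x741d", 0, "d1g9pg5cncourf.cloudfront.net", "A", "13.225.39.125"),
    ("0x741d", 0, "d1g9pg5cncourf.cloudfront.net", "A", "13.225.39.124"),
    ("0x741d", 0, "d1g9pg5cncourf.cloudfront.net", "A", "13.225.39.100"),
    ("0x7770", 3, "www.collective4choice.com", "A", None),
]
IDS_ALERTS = [  # (timestamp, sid, message, server ip, server port, client ip, client port)
    ("01/28/22-10:58:40.442828", 1201, "ATTACK-RESPONSES 403 Forbidden",
     "34.102.136.180", 80, "192.168.2.7", 49861),
]
# Assumption: a name that CNAMEs into a CDN is usually a legitimate site used as a decoy.
CDN_SUFFIXES = (".cloudfront.net", ".akamaiedge.net", ".cloudflare.net")


def resolve(txid, qname, answers):
    """Follow the CNAME chain inside one response and collect the A records at its end."""
    rrs = [a for a in answers if a[0] == txid]
    rcode = rrs[0][1] if rrs else None
    chain, name = [qname], qname
    for _ in rrs:  # bounded: a CNAME loop cannot run longer than the record count
        target = next((r[4] for r in rrs if r[2] == name and r[3] == "CNAME"), None)
        if target is None:
            break
        chain.append(target)
        name = target
    addrs = [r[4] for r in rrs if r[2] == name and r[3] == "A" and r[4]]
    return chain, addrs, rcode


def classify(queries, answers, alerts, cdn_suffixes=CDN_SUFFIXES):
    """One verdict per queried name, joining resolved IPs against IDS alerts by server IP."""
    alert_by_ip = {a[3]: a[2] for a in alerts}
    verdicts = {}
    for _, txid, qname in queries:
        chain, addrs, rcode = resolve(txid, qname, answers)
        seen = [alert_by_ip[ip] for ip in addrs if ip in alert_by_ip]
        if rcode == 3:
            verdict = "NXDOMAIN: dead or unregistered entry in the domain list"
        elif any(n.endswith(cdn_suffixes) for n in chain):
            verdict = "CDN-fronted: probably a legitimate decoy site"
        elif seen:
            verdict = f"contacted; IDS saw: {seen[0]}"
        else:
            verdict = "resolved; no follow-up traffic observed"
        verdicts[qname] = {"chain": chain, "addresses": addrs, "verdict": verdict}
    return verdicts


def _ts(s):
    # The report prints nanoseconds; strptime accepts at most six fractional digits.
    head, frac = s.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def query_cadence(queries):
    """Seconds between consecutive queries; a steady beat is the loader walking its list."""
    times = [_ts(q[0]) for q in queries]
    return [round((b - a).total_seconds(), 2) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for name, v in classify(DNS_QUERIES, DNS_ANSWERS, IDS_ALERTS).items():
        print(f"{name:34} {' -> '.join(v['chain'])}  {v['addresses']}  {v['verdict']}")
    print("seconds between queries:", query_cadence(DNS_QUERIES))
```

The same three functions work on a longer capture: feed them the full DNS and alert rows from a pcap and the cadence list shows how many list entries the sample got through before the analysis window closed.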


                                          Target ID:0
                                          Start time:10:56:23
                                          Start date:28/01/2022
                                          Path:C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
                                          Imagebase:0xe60000
                                          File size:770048 bytes
                                          MD5 hash:76B0F4441930D3F2F480830681C426E7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.308215845.0000000003258000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.307751069.00000000031A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.308628609.00000000041A9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          Target ID:12
                                          Start time:10:56:48
                                          Start date:28/01/2022
                                          Path:C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe
                                          Imagebase:0x810000
                                          File size:770048 bytes
                                          MD5 hash:76B0F4441930D3F2F480830681C426E7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.378377402.0000000000E50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.378466176.00000000011A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.304686882.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.304254698.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.377961712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          Target ID:14
                                          Start time:10:56:52
                                          Start date:28/01/2022
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff662bf0000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000000.339842712.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000000.356870466.000000000B7CD000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          Target ID:17
                                          Start time:10:57:20
                                          Start date:28/01/2022
                                          Path:C:\Windows\SysWOW64\svchost.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\svchost.exe
                                          Imagebase:0x1210000
                                          File size:44520 bytes
                                          MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.531069292.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.528571201.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.532271564.0000000000F80000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          Target ID:19
                                          Start time:10:57:25
                                          Start date:28/01/2022
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del "C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
                                          Imagebase:0x870000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:20
                                          Start time:10:57:26
                                          Start date:28/01/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff774ee0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:29
                                          Start time:10:58:01
                                          Start date:28/01/2022
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:explorer.exe
                                          Imagebase:0x7ff662bf0000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
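
The process entries above carry enough on their own to re-derive several of the behavioural signatures listed at the top of the report: the document-looking double extension on the sample name; a second launch of the same image whose code the sandbox classified as native rather than .NET (Target IDs 0 and 12, the hollowed child); FormBook Yara hits inside explorer.exe and a SysWOW64 svchost.exe, which can only be there by injection; a svchost.exe started with no "-k <group>" argument; and cmd.exe deleting the original sample. The script below is an added example and my own code, not Joe Sandbox's Sigma rules: it encodes those five checks as rules over a transcription of the entries, where the "language" field is the report's "Programmed in" value and "formbook_yara" records whether a FormBook rule matched the process's memory.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Proc = namedtuple("Proc", "id path cmdline language formbook_yara")
SAMPLE = r"C:\Users\user\Desktop\HSBC Bank Swift Copy.pdf.exe"
NATIVE = "C, C++ or other language"

# Transcribed from the report's process entries (Target ID, path, command line,
# 'Programmed in', and whether a FormBook Yara rule matched the process memory).
PROCESSES = [
    Proc(0, SAMPLE, f'"{SAMPLE}"', ".Net C# or VB.NET", True),
    Proc(12, SAMPLE, SAMPLE, NATIVE, True),
    Proc(14, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE", NATIVE, True),
    Proc(17, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe", NATIVE, True),
    Proc(19, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"', NATIVE, False),
    Proc(20, r"C:\Windows\System32\conhost.exe",
         r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", NATIVE, False),
    Proc(29, r"C:\Windows\explorer.exe", "explorer.exe", NATIVE, False),
]

# Assumption: the inner extensions a lure most often borrows.
DOC_LIKE_DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|rtf|txt|jpe?g|png|zip)\.exe$", re.I)


def basename(p):
    return PureWindowsPath(p.path).name.lower()


def double_extension(p, tree):
    """'Suspicious Double Extension': a document-looking name that is really an executable."""
    return bool(DOC_LIKE_DOUBLE_EXT.search(PureWindowsPath(p.path).name))


def svchost_without_service_group(p, tree):
    """'Suspicious Svchost Process': a genuine service host is started as svchost.exe -k <group>."""
    return basename(p) == "svchost.exe" and " -k " not in p.cmdline.lower()


def self_delete_via_cmd(p, tree):
    """'Self deletion via cmd delete': cmd.exe deleting the image of another process in the tree."""
    if basename(p) != "cmd.exe":
        return False
    m = re.search(r'\bdel\b\s+"?([^"]+?)"?\s*$', p.cmdline, re.I)
    return bool(m) and any(q.path.lower() == m.group(1).lower() for q in tree if q is not p)


def hollowed_image(p, tree):
    """Same image launched again, but the sandbox saw a different kind of code running in it:
    the second instance's memory was replaced (process hollowing)."""
    return any(q.path.lower() == p.path.lower() and q.id < p.id and q.language != p.language
               for q in tree)


def injected_system_process(p, tree):
    """FormBook bytes in the memory of a Windows binary: code was mapped in from outside."""
    return p.path.lower().startswith("c:\\windows\\") and p.formbook_yara


RULES = [double_extension, svchost_without_service_group, self_delete_via_cmd,
         hollowed_image, injected_system_process]


def run_rules(tree, rules=RULES):
    """(Target ID, rule name) for every rule that fires on every process."""
    return [(p.id, rule.__name__) for p in tree for rule in rules if rule(p, tree)]


if __name__ == "__main__":
    for pid, rule in run_rules(PROCESSES):
        print(f"Target ID {pid:>2}: {rule}")
```

The hollowing rule is the one that needs the sandbox's help: on a live host the equivalent signal is an image whose on-disk PE and in-memory PE differ, which is what the "Sample uses process hollowing technique" signature is reporting here.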

                                          No disassembly