55453f794fbc569bf4afdf593aa27ff863bf1e1c67c7ccb5eb7bf48f29ff0de4

Analysis

max time kernel
600s
max time network
577s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/05/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HSBC_UKToolv1.0.0.6.exe
Size

3.5MB
MD5

7b7702067e951bd5efd6930025432c64
SHA1

dc9130c769472eeadeac380c0fc40029d2e8e295
SHA256

55453f794fbc569bf4afdf593aa27ff863bf1e1c67c7ccb5eb7bf48f29ff0de4
SHA512

7c107885607c73121f1dfc6ab3f7f6c3e2c21264229eb9b3551fc9bb5e6bf830d4fd072ba900ab039715e99afc50d79ce6812c646ca4531f88fdbfe07e3930f7
SSDEEP

98304:8XBnHfsvIWrreL4Zld+oyjgCCPMBHyiciqK8DWoYoA2e:SnEbe0MjgCCPMBSictGQe

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HSBC_client = "\"C:\\Program Files (x86)\\HSBC\\UKey\\HSBC_UKeyTool.exe\" /min"	HSBC_UKToolv1.0.0.6.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CFCA_HSBC_scsp.sig	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\system32\CryptoKit.HSBC.x64.dll	CryptoKit.HSBC.exe
File created	C:\Windows\system32\CFCA_HSBC_SRV.exe	HSBC_UKToolv1.0.0.6.exe
File opened for modification	C:\Windows\system32\CFCA_HSBC_scsp.dll	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\SysWOW64\CFCA_HSBC_CSP.dll	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\SysWOW64\CFCA_HSBC_SRV.exe	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\SysWOW64\CFCA_HSBC_P11.dll	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\system32\CFCA_HSBC_CSP.dll	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\system32\CFCA_HSBC_LIB.dll	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\SysWOW64\CFCA_HSBC_LIB.dll	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\SysWOW64\CryptoKit.HSBC.exe	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\system32\CFCA_HSBC_scsp.sig	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\system32\CFCA_HSBC_GMAPI.dll	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\SysWOW64\CFCA_HSBC_scsp.dll	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\SysWOW64\CFCA_HSBC_GMAPI.dll	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\SysWOW64\CryptoKit.HSBC.x86.dll	CryptoKit.HSBC.exe
File created	C:\Windows\SysWOW64\npCryptoKit.HSBC.x86.dll	CryptoKit.HSBC.exe
File created	C:\Windows\system32\CFCA_HSBC_scsp.dll	HSBC_UKToolv1.0.0.6.exe
File created	C:\Windows\system32\CFCA_HSBC_P11.dll	HSBC_UKToolv1.0.0.6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.text	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1028\string.txt	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\2052\PNG\208	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\2052\MENU\205	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\DIALOG\129	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\DIALOG\209	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\2052\GROUP_ICON\205	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc_1	7zG.exe
File created	C:\Program Files (x86)\CFCA\CryptoKit.HSBC\com.cfca.CryptoKitHost.HSBC-win.json	CryptoKit.HSBC.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\2052\PNG\206	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\2052\ICON\1.ico	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\DIALOG\216	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\CERTIFICATE	7zG.exe
File created	C:\Program Files (x86)\CFCA\CryptoKit.HSBC\uninst.exe	CryptoKit.HSBC.exe
File created	C:\Program Files (x86)\HSBC\UKey\uninst.exe	HSBC_UKToolv1.0.0.6.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rdata	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\2052\ICON\3.ico	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\ACCELERATOR\128	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\GROUP_ICON\128	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\DIALOG\217	7zG.exe
File created	C:\Program Files (x86)\CFCA\CryptoKit.HSBC\com.cfca.CryptoKitHost.HSBC-firefox.json	CryptoKit.HSBC.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.data	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\version.txt	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\2052\ICON\2.ico	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\2052\ICON\4.ico	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\DIALOG\207	7zG.exe
File created	C:\Program Files (x86)\CFCA\CryptoKit.HSBC\CryptoKitHost.HSBC.x86.exe	CryptoKit.HSBC.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe	HSBC_UKToolv1.0.0.6.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\2052\string.txt	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\DIALOG\130	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\MANIFEST\1	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.reloc	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\DIALOG\100	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\string.txt	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\ICON\5.ico	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\1033\DIALOG\211	7zG.exe
File created	C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\.rsrc\2052\GROUP_ICON\204	7zG.exe

Executes dropped EXE 13 IoCs

pid	Process
5008	CryptoKit.HSBC.exe
4824	CFCA_HSBC_SRV.exe
4768	CFCA_HSBC_SRV.exe
2332	HSBC_UKeyTool.exe
3484	CFCA_HSBC_SRV.exe
4300	CFCA_HSBC_SRV.exe
5112	CFCA_HSBC_SRV.exe
2064	HSBC_UKeyTool.exe
4680	HSBC_UKeyTool.exe
200	HSBC_UKeyTool.exe
312	HSBC_UKeyTool.exe
5932	HSBC_UKeyTool.exe
3796	HSBC_UKeyTool.exe

Loads dropped DLL 16 IoCs

pid	Process
1340	HSBC_UKToolv1.0.0.6.exe
1340	HSBC_UKToolv1.0.0.6.exe
1340	HSBC_UKToolv1.0.0.6.exe
1340	HSBC_UKToolv1.0.0.6.exe
1340	HSBC_UKToolv1.0.0.6.exe
1340	HSBC_UKToolv1.0.0.6.exe
1340	HSBC_UKToolv1.0.0.6.exe
5008	CryptoKit.HSBC.exe
4608	regsvr32.exe
1340	HSBC_UKToolv1.0.0.6.exe
1340	HSBC_UKToolv1.0.0.6.exe
1340	HSBC_UKToolv1.0.0.6.exe
1000	regsvr32.exe
1000	regsvr32.exe
1000	regsvr32.exe
2332	HSBC_UKeyTool.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	CFCA_HSBC_SRV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	CFCA_HSBC_SRV.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615361278462219"	chrome.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\ = "CryptoAgent Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib\ = "{772C831A-5AB0-4E66-A03D-1174F8690D40}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID\ = "{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\TypeLib\ = "{772C831A-5AB0-4E66-A03D-1174F8690D40}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ = "ICryptoAgent"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\ProgID\ = "CryptoKit.CryptoAgent.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\InprocServer32\ = "C:\\Windows\\SysWow64\\CryptoKit.HSBC.x86.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib\ = "{772C831A-5AB0-4E66-A03D-1174F8690D40}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\CryptoKit.HSBC.x86.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\ = "CryptoAgent Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\ = "CryptoAgent Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\ = "CryptoKit.HSBC.x86 3.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\VersionIndependentProgID\ = "CryptoKit.CryptoAgent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\ = "ICryptoAgent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent.1\CLSID\ = "{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CryptoKit.CryptoAgent\CurVer\ = "CryptoKit.CryptoAgent.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6AEB90D6-B42F-4FA5-A126-493F2AA8F354}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{772C831A-5AB0-4E66-A03D-1174F8690D40}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39946100-D817-497C-AF89-D72EF3C2479F}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1340	HSBC_UKToolv1.0.0.6.exe
1340	HSBC_UKToolv1.0.0.6.exe
4768	CFCA_HSBC_SRV.exe
4768	CFCA_HSBC_SRV.exe
4040	chrome.exe
4040	chrome.exe
1060	chrome.exe
1060	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	firefox.exe
Token: SeDebugPrivilege	4348	firefox.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe
Token: SeShutdownPrivilege	4040	chrome.exe
Token: SeCreatePagefilePrivilege	4040	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2332	HSBC_UKeyTool.exe
2332	HSBC_UKeyTool.exe
4348	firefox.exe
4348	firefox.exe
4348	firefox.exe
4348	firefox.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
3852	7zG.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
2332	HSBC_UKeyTool.exe
2332	HSBC_UKeyTool.exe
4348	firefox.exe
4348	firefox.exe
4348	firefox.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4348	firefox.exe
4348	firefox.exe
4348	firefox.exe
4348	firefox.exe
4348	firefox.exe
4348	firefox.exe
4348	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 5008	1340	HSBC_UKToolv1.0.0.6.exe	72
PID 1340 wrote to memory of 5008	1340	HSBC_UKToolv1.0.0.6.exe	72
PID 1340 wrote to memory of 5008	1340	HSBC_UKToolv1.0.0.6.exe	72
PID 5008 wrote to memory of 2256	5008	CryptoKit.HSBC.exe	73
PID 5008 wrote to memory of 2256	5008	CryptoKit.HSBC.exe	73
PID 5008 wrote to memory of 3616	5008	CryptoKit.HSBC.exe	74
PID 5008 wrote to memory of 3616	5008	CryptoKit.HSBC.exe	74
PID 5008 wrote to memory of 3616	5008	CryptoKit.HSBC.exe	74
PID 5008 wrote to memory of 2152	5008	CryptoKit.HSBC.exe	75
PID 5008 wrote to memory of 2152	5008	CryptoKit.HSBC.exe	75
PID 5008 wrote to memory of 2152	5008	CryptoKit.HSBC.exe	75
PID 5008 wrote to memory of 4608	5008	CryptoKit.HSBC.exe	76
PID 5008 wrote to memory of 4608	5008	CryptoKit.HSBC.exe	76
PID 5008 wrote to memory of 4608	5008	CryptoKit.HSBC.exe	76
PID 1340 wrote to memory of 4824	1340	HSBC_UKToolv1.0.0.6.exe	77
PID 1340 wrote to memory of 4824	1340	HSBC_UKToolv1.0.0.6.exe	77
PID 1340 wrote to memory of 4824	1340	HSBC_UKToolv1.0.0.6.exe	77
PID 4768 wrote to memory of 2332	4768	CFCA_HSBC_SRV.exe	79
PID 4768 wrote to memory of 2332	4768	CFCA_HSBC_SRV.exe	79
PID 4768 wrote to memory of 2332	4768	CFCA_HSBC_SRV.exe	79
PID 1340 wrote to memory of 1000	1340	HSBC_UKToolv1.0.0.6.exe	80
PID 1340 wrote to memory of 1000	1340	HSBC_UKToolv1.0.0.6.exe	80
PID 1340 wrote to memory of 3484	1340	HSBC_UKToolv1.0.0.6.exe	81
PID 1340 wrote to memory of 3484	1340	HSBC_UKToolv1.0.0.6.exe	81
PID 1340 wrote to memory of 3484	1340	HSBC_UKToolv1.0.0.6.exe	81
PID 1340 wrote to memory of 4300	1340	HSBC_UKToolv1.0.0.6.exe	82
PID 1340 wrote to memory of 4300	1340	HSBC_UKToolv1.0.0.6.exe	82
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 3272 wrote to memory of 4348	3272	firefox.exe	94
PID 4348 wrote to memory of 5108	4348	firefox.exe	95
PID 4348 wrote to memory of 5108	4348	firefox.exe	95
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96
PID 4348 wrote to memory of 1108	4348	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HSBC_UKToolv1.0.0.6.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC_UKToolv1.0.0.6.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\CryptoKit.HSBC.exe
  "C:\Windows\system32\CryptoKit.HSBC.exe" /i /S
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /u "C:\Windows\system32\CryptoKit.HSBC.x64.dll" /s
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /u "C:\Windows\system32\CryptoKit.HSBC.x86.dll" /s
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32.exe" "C:\Windows\system32\CryptoKit.HSBC.x64.dll" /s
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32.exe" "C:\Windows\system32\CryptoKit.HSBC.x86.dll" /s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4608
- C:\Windows\SysWOW64\CFCA_HSBC_SRV.exe
  "C:\Windows\system32\CFCA_HSBC_SRV.exe " /i /s
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\system32\regsvr32.exe
  "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\CFCA_HSBC_scsp.dll"
  2⤵
  - Loads dropped DLL
  PID:1000
- C:\Windows\SysWOW64\CFCA_HSBC_SRV.exe
  "C:\Windows\system32\CFCA_HSBC_SRV.exe " /i /s
  2⤵
  - Executes dropped EXE
  PID:3484
- C:\Windows\system32\CFCA_HSBC_SRV.exe
  "C:\Windows\system32\CFCA_HSBC_SRV.exe " /i /s
  2⤵
  - Executes dropped EXE
  PID:4300

C:\Windows\SysWOW64\CFCA_HSBC_SRV.exe
C:\Windows\SysWOW64\CFCA_HSBC_SRV.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe
  /min
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2332

C:\Windows\system32\CFCA_HSBC_SRV.exe
C:\Windows\system32\CFCA_HSBC_SRV.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5112

C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe
"C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe"
1⤵
- Executes dropped EXE
PID:2064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:488

C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe
"C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe"
1⤵
- Executes dropped EXE
PID:4680

C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe
"C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe"
1⤵
- Executes dropped EXE
PID:200

C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe
"C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe"
1⤵
- Executes dropped EXE
PID:312

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4348.0.152238600\2078673202" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d8018a2-e4d7-4825-904c-7bd28762ba03} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" 1792 1dbe35f8158 gpu
    3⤵
    PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4348.1.433425215\867158027" -parentBuildID 20221007134813 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ee0ece4-549b-4d39-aea2-9de1723774f0} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" 2148 1dbd856fe58 socket
    3⤵
    PID:1108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4348.2.1734711223\2009425679" -childID 1 -isForBrowser -prefsHandle 2756 -prefMapHandle 2752 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab298cf9-f5a9-4e73-960a-ab812e93971d} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" 2732 1dbe7697958 tab
    3⤵
    PID:4076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4348.3.1290333960\1105980016" -childID 2 -isForBrowser -prefsHandle 3460 -prefMapHandle 3456 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab8da15b-33b9-47fb-8e4f-a70fba9b68ab} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" 3464 1dbd8568458 tab
    3⤵
    PID:3624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4348.4.1106854813\1111607908" -childID 3 -isForBrowser -prefsHandle 3996 -prefMapHandle 3988 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b865139-4bc0-4a24-a2e6-4fccfab12839} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" 4008 1dbe89b8c58 tab
    3⤵
    PID:3996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4348.5.259583501\627701039" -childID 4 -isForBrowser -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fd98154-a4a3-4cc5-92f5-2727bf311052} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" 4960 1dbe98c3e58 tab
    3⤵
    PID:1676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4348.6.997422150\291003950" -childID 5 -isForBrowser -prefsHandle 4808 -prefMapHandle 4840 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {748f0787-1a89-4e33-ba4a-a12b2b825c19} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" 5084 1dbe9afb558 tab
    3⤵
    PID:1740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4348.7.565184619\1500170871" -childID 6 -isForBrowser -prefsHandle 5200 -prefMapHandle 5204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d5b23fb-4b83-40de-9939-7edad396bd67} 4348 "\\.\pipe\gecko-crash-server-pipe.4348" 5192 1dbe9afa958 tab
    3⤵
    PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaa4199758,0x7ffaa4199768,0x7ffaa4199778
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1636 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:2
  2⤵
  PID:5160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:8
  2⤵
  PID:5172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:8
  2⤵
  PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4492 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:8
  2⤵
  PID:5696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4476 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:8
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4928 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4768 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:8
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:8
  2⤵
  PID:6120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4496 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:8
  2⤵
  PID:6136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3704 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5244 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2992
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff61c347688,0x7ff61c347698,0x7ff61c3476a8
    3⤵
    PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2408 --field-trial-handle=1852,i,18399684867199943296,16771667919586122049,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1060

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5524

C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe
"C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe"
1⤵
- Executes dropped EXE
PID:5932

C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe
"C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool\" -ad -an -ai#7zMap19175:104:7zEvent31995
1⤵
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CFCA\CryptoKit.HSBC\uninst.exe

Filesize
2.3MB

MD5
40bafd11b40122e35c347bf3ab6a63ad

SHA1
58ccff78316b8365a5f79800bacc9193bc35ec06

SHA256
8cd86358dfde34f34f41431d49d098879a72748fd09a986be28f1aadd51fe33b

SHA512
063dc32ed8731a1f73d8003e33417d8c9162f0b97d50a1e0565ea601aff0c5a105e5f837505cfa5eb129781541e92a865b90bb3f508347e2ede54681b4f6a64c

Download Submit
C:\Program Files (x86)\HSBC\UKey\HSBC_UKeyTool.exe

Filesize
223KB

MD5
ba8cca1bb7a11644bd700452e4a92ddd

SHA1
b8cd8668bafd14eff7abfea72a8f32dd85c8259b

SHA256
24f2211816c726dec4a5b8809b7455bd34a00f4391746f7b3b7b55d13452a043

SHA512
768e24bdcf90c4f7118154c823a1cd680a822c2fabb7b978747fedb4805f24bef46a3576b7b64d63b60c5167e9adfc4adede216d25ad64ee92e3696750412d98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
3b6c282f2b55253510f3793e3516a36a

SHA1
256cbe4d51e735a6e55b012c17e80ad7bb55cc66

SHA256
5bb4b67a5600e9574be15d1396c703e0c4abb711caa7f3b1fd30dc56d4e1ce99

SHA512
73a29caf467fc1a4716d36e175cccaa36160a776666901b16067947a32959f3172698744cbeab01aad4785511689c7cd844178865fb5795ec4e72e5296e8d079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
668d167702987501037db55bfec39c13

SHA1
af75823b8fa6f4c8e4f33fee9766d03959999bb9

SHA256
9a059c9bcccf799af39379864a880c6c4bfc18a0b0a11940459a83ab96ff04f7

SHA512
230683b5b56c2977f7be2d014a0d0dc0b78730605596e91613014eba94b92724598b61fa62dded5c035aed41fbfe42d05b47750b4c9e33fe675c1dd8f7849286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
fdbfe9dc51b8f449eb22294e7623afe7

SHA1
1b8c95fd8d48ccab6c1bd3862fecfc2a5c511902

SHA256
c2a3b90ce041641372c779d12c4f3ad8b28e541b25671642a3590676a53ae68c

SHA512
7f9a85bcc2557e19bd61fa1991286dccf99b57824162a050bc80454cd3ce9d274a0a35a75a0eb8abb7a987ba78d33c975c51e1b2c2bc9cdd66f1a8529467e755

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d8aa14615dcc7a4c8e71516204d3e8d6

SHA1
8bfc7bd5f82a41c2d86466a9eae165297f1b9e39

SHA256
7b6edaa8c9b7c2fe09deb91ee3c34d62c4f722433eea04a4e4f9cd3cfd3a092d

SHA512
7ad46138913886f2f07f3711927aebed93bdc46c9a9d0c377dd2bd7ffe6aa7aa8f8bf95dbeee893fba7aac36ed7c40dbb5b34716a24b31580d38d976a0cf4555

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fdeb2bdb856d4f56d96c2dd956d62f84

SHA1
1041b1a0d4a5d8801fb383287ab4bfbf8eeec58f

SHA256
5e1ab566a45d44634074a05b74c674e1a2689fc152a548b124aaadecd01f8251

SHA512
dc8993ce5e459deda7500f7906aa1be69154aae2c3c7fd33c9d0203471f3b8d0433c7a8348cf9e9f13a14f4d133d92a19c8a3a62ca01c56a6a3b6402ccf5c7ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
56ec1cda2199ed131a2b53da3f3e00f2

SHA1
30f4ec992a4a073079931dccec83ee69626aa576

SHA256
cf121a9af434c92dda108eb04cc753cf0c953f2142e754c5077dc73739ecd65e

SHA512
f6634f759dc53b07ac084cbff79af222dbe8de4d42197c971b6aca8444f4d46feae6c868b8ca8bdf1dd1dc629435d569a9b226def3d702a592d94cf765af2e05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
0186f15454f00f62050885f8826796f9

SHA1
05db3104c1680d28b98a09002cfc5547538e6ff0

SHA256
fb68a5d955be9281d75b8b82c61c458d7caf59d9dc394bb88ffa407735a7e7cf

SHA512
695a918676b7722ed86b0fca0711c84b6a60ea8bd7ab4b7b2c195effbf3ea92493f72502b0347f4459af51f01901a3b50c00ebec46ab0d9e94d8d339cda4da6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
278KB

MD5
17aa8ef6db2ee42d77cd4f7390e581a3

SHA1
c3573c90a35321ebaf57c1363a9b62df0acf41f4

SHA256
2252bb4c5a63172db463e7de5ace7418a1ddc445bc6549375b2b6d11a39a4086

SHA512
6cd60e1b3e0237262fed63f4e9db2c11a1785b9dc9d061dbca056bcac3d875826988997c6d5b2e5ef6e19c6f14ac7a84edae19f858dd0574a470906324127b26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
277KB

MD5
42efe7aa2734902301abef296fda64ea

SHA1
5da96270fe4e86b8b292948f89eb6a52d7765e62

SHA256
42afd8c2cf72deaadd59a128165de97bd8c7f2a818d6a659837139660fcae3d7

SHA512
9f01f0443eccf6f3a3663b8997dbaeac5c39c60e45b7ed272bfd008db9ebdc6439a6153fba4749511776f7d30952136a2361bc568bef0e63eda0945b565a10e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
c0c7932e572e5446ab09ea9e79ad8763

SHA1
cb7bc677b8a8c9ddb43cfe8a41970f08baf69757

SHA256
62f7e01b94f76d8bc706af208c964c10cfbb9d93ffb4eaf73a893e7e6de5ae8d

SHA512
a90c978732ff11368ef6f59e4f6faaf29bb2d0fab3b865208483a11c4064462f40548d268f6f31bba9ec2bf2f2cc3252e7abdb5f54cb02a6e6eb3da3b492f385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe593a9e.TMP

Filesize
92KB

MD5
0e300259c3862603b772e184431db394

SHA1
5d543aaea692b6ea8bb5cd01450b6602d75422ad

SHA256
1d6c872a4f0d9f7b37e1d8cff3aa7dcd0418fc1997a1401e05d304f37abe9c0e

SHA512
78d8d4e64a7690d3b5ef242597b110b9cdfef3039661dc166728fe02ac507a2258d8f44624d6b69760d54445c380915bdbb157792f61f5768416f677877700f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
9b2fc522c0a4b031d24c59bc6ad91b6f

SHA1
9ea6ee4f51738aed7b0eb8d609e0e71e89e751e2

SHA256
353e43b0c05a1c4f9dce4bee518c03e99511d37a669c6cbe9530ff7c19517526

SHA512
814dce8ae90544fa565d67edf06f31c6d46cfb8422c6914d3b227ddcf39691a013085d25f2db23caaa37e0f19bd7d5cf2e48513fef7ff412f6d46b8ae2ec02a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw569E.tmp\ioSpecial.ini

Filesize
1KB

MD5
bb731c3dbcb74e62fc3fa911d24739fe

SHA1
afe2a12626be552e5b4cb4081546f82440b627bb

SHA256
4b3fe4ef647d7add381cc0a3f3a15ed7490994fbbd70eee26be1d9b928c36d0c

SHA512
f21cf229427c4034040cfc3632fe66ea458c80a9f6474af569203deb677799f39ea96fa31948ef4e236fcffc7124d67de8303edd7411b588038d8474101db20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw569E.tmp\ioSpecial.ini

Filesize
1KB

MD5
f17dfbb479d0e357b0e531e3c9b1745b

SHA1
bc475864ffcf85a325284f39c6bb092bf983183c

SHA256
b86fafbe60d6f90b64ba1666e180bff008c55a088353515e02b38e2a0765110c

SHA512
5f48c610c845d2427ca3a53f39a064ae7f36e79b7d56d0276c65d845e254852a167c993395213240dea38e14a862e97078d37dabd9e0db70406f897182fff3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
b96c0e18c67824a9d5b82f17c1513a6d

SHA1
147d5567d9f3a3a027857c99970af4214d792106

SHA256
de89c2c1d81a3fdf653e492be63c89c2b815d0cb5322eb2b2d7695642efdaa24

SHA512
2331df003d140b93b4bca86a498513ba0533b783c8e6a449946ec70b2aa192eb62869dd8d918b75459136908539e36ed880ce8cfee4c183ceb406f8d51d6a1f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\bookmarkbackups\bookmarks-2024-05-30_11_JYHA1IDH37kjW2ud4k03lA==.jsonlz4

Filesize
948B

MD5
7c618c5385632ed123b3929e89a9104a

SHA1
877eef304b5bca587c7f990c0b187b1fbe666e04

SHA256
0c052f029079668e4dc8f63800c6b2fd173fd97de4739e5a66d017df726f519c

SHA512
78e0c287f8367a1fb67e816d2ca7a675cf880d1a245ebc1f4633c52a54bd7fb8ba4564d7c07ceddd9f56c9efbaadb2da1ccc928f679645b3d91dcdac7c87d64e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\broadcast-listeners.json

Filesize
216B

MD5
68d38163610b1d1f361ec71d991d355d

SHA1
b62e06febeecf225a0c47d6a1f3e60a4151e34e1

SHA256
43e83094444a19c3c835e2e0dffe9e6984cda9e35912238b1220ee55b626ed34

SHA512
55e8f193c99c997c836b1307ff9a7563b152f4a0f5382f41162ce7a93bae9901cc41764e656ba8f41eb8f5124ffea8e71d9457ad3a80289bb2693d4252dd3c63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
bef456aef84f8aa7b0f2ba877113b23d

SHA1
ff1fe23a12d03176214bfa5f7ffe78e72cc03184

SHA256
c81b7494ea4c678a200eeb0b3027e3727bda6d98862748f7b28ef93d262750a0

SHA512
89fb94bbee925efa9fac9c211787bf5641052543c56155a961a32ff79ca30c9522bcd27a6409c841d87a25d2209254700dfb292b956f4a7c633e1bcb47c9629e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\0953a1d0-6f56-4b41-acfa-e9d2b53e4a34

Filesize
10KB

MD5
199de5dba641c47a1a38d0231479da09

SHA1
0b3e177b42076cc9ba5c856e6039e94c35876d71

SHA256
7591d7c5dc5a257f7d4ce6d58ae1d85247c873b163aa1fab7a7c62efed84baea

SHA512
afe8f0ce7ad87fba322e05f62c193b57a100220ec03e27c27f67acad60c353299e9a4cce22a3ad346d52e2c4880e788f439dc592c2b1385ad3b994f9de4384af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\33481e38-d607-4241-b33c-e3378efa2497

Filesize
746B

MD5
92bf43094f28827b2c89bbba587a241d

SHA1
652ba282542a964f81f3278eff790e7745033f0c

SHA256
9d95c1d12fa54b945dea3f3d2175fd1aea2de79abe61cfa86c71baad933b2b02

SHA512
74055856cc5f96e42ac6893e362ab467c239609d7be16aa44027d29bc01e95e4d701ee9159e166917e6f3006faa380398220de6e2e143c167c1df130d2c44eb7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
12d54d9120994cbe46e99b04737c6e76

SHA1
c852f87295778ffc5536afa6edd38002f0a86394

SHA256
b68e33f07d2a293b7f207fc03ddc84538ca09fb88bc77b2bb9b85c3ef2a00a63

SHA512
ae471509e7e9ead8fe9e7cc6c2e8c8ef38587a96b1a55f595b033aef4b525d3bed9791e6b29b7d02c09fd238140695a4e300e0a2169f2735f5fec9ab2c9b4f29

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
9KB

MD5
c1aa816dbd066f0c2eb875ef9915eacc

SHA1
53e0367845ee22ade417edc5175accfa032fc1c9

SHA256
6689d9ddcc6cbcb254de6976de95cfdfc43d6a9befc36cacbe5d4dee201d44e1

SHA512
8196a72789e08aede46b30706a4841dd82a0b164c283a44f39725e50925aa347acb7fee4922107ad14ec7530f59f73bcc017512ef794b1df371bcbe4d8900f8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
9KB

MD5
1195bc8e08a12cdd6bce3fe0a3dcaae1

SHA1
f12353d2597e1cd5f3e8057b62e956016d6d2924

SHA256
b83d6bf6b259fe669cf11c5a0b39d4a404a1ee4f16b0e42a24cd7777101fe13d

SHA512
6d9ca2c8f51f0e9460f760a0b7c739876995d536d610b9f4089cc2708579df578260a22065ded7521d355608d2cf2e44e6772d2e840764fc99ca63da9bcfda72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
7KB

MD5
3cec4b58c8537e6d8124f759ed61b490

SHA1
348faeacc0f0312a59aa85bf4159b127ce8aed4a

SHA256
00bb829513199db18cee0861de7b2eff8c3c67145f5501223865ec035cf21655

SHA512
ad988203dd307fae07e62c25c41b89b52cdac0ab845fbfe40dbf53082ff36e61eaa4e0207255feda23effa996b3ac802954177adb9cf941c7ea0ac0b1578baa6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
4826f47f356e6447e2c9eb86ebf72643

SHA1
fb7c85ceac932616edf0a455a18eb14d078c0b94

SHA256
9bcd16e5bb267a623c1591b55f14ea5ba641f31ec8e59efcd0e313cf293a51e9

SHA512
0d009e3c1beedeae97b2131817772a2fde66d30ae06fa62a6ba6b04a7205f82fe88b15a4a72b73e86caced3918d3a1fef4ff1b867340e5d43c655460937fee25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
281939853eaf8d35b2462f5ff1001a54

SHA1
accf4fa639864477224bf351c4d48c7200a29563

SHA256
d5e7a911bbf7bab0890f131c1ea3de092638a73ce4937868c9dd8cb802bb1896

SHA512
6eaaea7f893a1eab516d4d977f3a9aa9bd4c058bfa0e5de5e63af1017f206bed0e2cec1801b52390a16dd8864aada983dc83d8cb06262df1740e694d64626d4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.9MB

MD5
5f1fded2d7d6081a06b86d65c2729c01

SHA1
47df038165daf264be11a050e616f5a8540eae5d

SHA256
e3d6dbe032c5f66dd3dcd41cb92708aa7394a4e14db6e07a5f842496c760684f

SHA512
e2c774b42dfd478c3173f82feb2cbc959fcd48ac75d0041993ff37236f8bdc7eaceea679006e8d00173d56ed162c7d2bb32969be36e9982ab63e744cf99dc98c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
7f868e557b098795d645df9ea302427f

SHA1
001f3306144559b4049a8ab139b4139f51e59c0e

SHA256
b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

SHA512
56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\targeting.snapshot.json

Filesize
3KB

MD5
bac1aae811ff965522ae54852d5cc176

SHA1
1558dffefa77d5c581a0925256c504c9cd786c48

SHA256
1148181930857dcb14187c267a40bad86a497e7aefd985a8394e5cfdc0991bd0

SHA512
cb4c84753b29c1eefbf1a31a76ceecb938955b8a727a0697a8c2f433de4f65c05afe0ce6ec2916e7d92d8d29fa34f21783aac95dd7784a1af29082ddaad41563

Download Submit
C:\Windows\SysWOW64\CFCA_HSBC_SRV.exe

Filesize
69KB

MD5
eb168e545f4f09125c9b2537141b2131

SHA1
224a30956a26b35395f238d7c3692032d00e023e

SHA256
07d989855f4dd8bfd5e4e1d2a3cdea3696957fbe0f202ab699c9ea7294cffbfc

SHA512
a10bc667b69f0dde67da8cc2277688cd36cc659b0ceeb26c9c24934a8cc5454044ba0a2c07b593ce4428b6ce1fafe5b37e20c6577451f657810e6372f7dbc530

Download Submit
C:\Windows\SysWOW64\CryptoKit.HSBC.exe

Filesize
4.5MB

MD5
88b6ed048456d41f4f9bdcebc69fdc04

SHA1
05a0347a4abc84ec871932d6e9f8c59c4e206cc3

SHA256
ab6068524bed05e25cfb24987d3c29f833ebe684e3072458ea25a0c826441314

SHA512
9cd9e45f73427da24297a19aa4a4d5e4b7b928868879babd1e3b9a424ce0ff4cb23201e777b142d651c5a044364bb625badd546c55973ecc7c7a4538a0cabe08

Download Submit
C:\Windows\SysWOW64\CryptoKit.HSBC.x86.dll

Filesize
1.0MB

MD5
d6093ec468e383c616154ec1c92e3f53

SHA1
9dd2406105c67f86085c9a82475c1e903690dc81

SHA256
fa69867c017873a36f500ff84dddde62439e3960dfae7d30b4038a4b56e834b2

SHA512
10ab0650d7e8e294cb6d4b7a7ff3e6e2ea4f1893be32eb00bd5db4bee0b2e6b51dab50e0f66500bf5602f1eec3abc236b3492cec97afa67470928d6260676e89

Download Submit
C:\Windows\System32\CFCA_HSBC_SRV.exe

Filesize
79KB

MD5
57f3c99d3d85e59489e8e2fdd61fc933

SHA1
b123f9d39228dd795662bd5fe613f9738f294dac

SHA256
73d741ca1a1c287e07715744b9e1608cea29a8ebdf67456d30bb0298d168b34e

SHA512
f885996f1a83a62613f3f8de11f289e002d2a57c3e238ec3abdc22229bca1babda1fa162ee6d2af9cb50140b2628ac77f2a54da0f5eb2f6041f9867681edd707

Download Submit
C:\Windows\system32\CFCA_HSBC_LIB.dll

Filesize
296KB

MD5
54f92221977e88203b52b85b9b88966d

SHA1
79935dddac248401471f92c793fe9f60acee0170

SHA256
1009334cc0974e19e6e6e312c31122b11571227d7a4463d056b999318c255488

SHA512
c2163a324f8419cfff2389b30f548928f5ceb8e1d78843abea3998abc50459638e7c2555036290af698a07c556b822585e9ac8013fe9692d6d00c5ec7a182dd8

Download Submit
C:\Windows\system32\CFCA_HSBC_csp.dll

Filesize
211KB

MD5
d157d83ebeb236d18cf95e5f33f6d433

SHA1
35b018d6108b0dcd9c1711cbd9066d0230db122b

SHA256
c54abd3a4ee9c5a1b089624d84d2c98130f95ca0689c6004164d08bcfbba78d8

SHA512
1666e4d9b7a2d00aedf82d9546790449b6298494bd8a01e5d05f3d60e823bf86916214ecc440f4006e06aa54013aeb462673befd2549ff64ad7e8a14e5ccd1f9

Download Submit
C:\Windows\system32\CFCA_HSBC_scsp.dll

Filesize
46KB

MD5
5222c79ad33679d46e10929381b76350

SHA1
c9575c8408d6efcd4156228fd5f6fcea5ab8373f

SHA256
71e5c4e98e115ef9b7d812676ee98470677c7ea1183681b869d6246fcc6fd3e8

SHA512
85702f6b0978ccd7b27ae7ec52cb1fc75234958d4001a158ba2160d49ed9549e0c55e8090d9f0a0e48cadb7347b327c2da7557a6415b785c6e7a96b973679a24

Download Submit
C:\Windows\system32\CFCA_HSBC_scsp.sig

Filesize
136B

MD5
9b4a5c27c6f947b690aa8e5ef453527e

SHA1
54ab75fa5183eaf2f72e75fa6c3c8ca00d60ffa8

SHA256
aae5e04b683b7fe7ef165024e13c77a2b55c54628fa44da6912569ab9a5be71d

SHA512
f75a9755043f61952fd1f0691ae1c3f5656e5c572d3335db610396589fa1598b4c0385b7cbcf946d2b3cf74cc9b533dce4dfbf4c5be0b04580bce9ed25566afb

Download Submit
\Users\Admin\AppData\Local\Temp\nsj6A92.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nsw569E.tmp\InstallOptions.dll

Filesize
15KB

MD5
09d8971beefefffd710030dd167a99e0

SHA1
a0117786ad77213f3eb48cfdc3819786cb796b7d

SHA256
caf64a4e9449220ba618a9aa2ae4ed3774c5d0f193bda44be22676c27ae0ec95

SHA512
3956f0c6bcdf033e4a10ab33872a66e0668da28ec31cb7a2c67ef7266d7c0845998a2a85a6cc25aba1df73909df8104119cf5f1f86c1e91f8fd201765aea49f0

Download Submit
\Users\Admin\AppData\Local\Temp\nsw569E.tmp\KillProcDLL.dll

Filesize
4KB

MD5
c1e153f9fa1001eb9fb34bbc4a3f3927

SHA1
dfca2dcce9b0486114692a23776191627b0c9839

SHA256
e594544cc4b4a0a5439a2b9a79db14e580d815c87e353781c47d4eab5e313b8e

SHA512
d2a7c2853b56f60f710dcea27c346dbd22593c98e5c000c22650613851f26e505b12260bcfc050473e97c2796a91c94a3c201785dad4d95de0b4e2de35c3a41f

Download Submit
\Users\Admin\AppData\Local\Temp\nsw569E.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nsw569E.tmp\UserInfo.dll

Filesize
4KB

MD5
dc90f96b169dcc9151ee6e93b47446ea

SHA1
61e57bbe333a98d14f48815db7382ddbf90db642

SHA256
afc939ebfd66a6c972d2d6bbcb978559ab3427d1582935e45392f9912ef186ad

SHA512
11658c2342a2a686a012d81c602cd8e50861506dcee9d38c416bc60451cb1d7fc24e964875b8edfc22c9647f06ffe90088f83a60973eeaffa98538294af1d5ba

Download Submit
\Windows\SysWOW64\CFCA_HSBC_CSP.dll

Filesize
186KB

MD5
3381efa4d0deaf0722439c0abd15f35f

SHA1
46bbc73777b4954749055c6c7a534cf8f0422556

SHA256
d9ecbdc7e2e31764549f5b7a5e8dce46cdfd6dd0664d491ec7203ba5253f610c

SHA512
eb560a40f589aec56cf2acb8229ba12c4a41dd5b835b0f79c5b583d28e6939751d544cb99bf7aa733cca269097123f05072a6eadadee0e490e4cb98de0a486d5

Download Submit
\Windows\SysWOW64\CFCA_HSBC_LIB.dll

Filesize
257KB

MD5
562ec71ced3842116f7addb2d78cdc4e

SHA1
e34b01795e025d6e83a82a805e5d2ab6d0022c2d

SHA256
58fa342fb8aa5b4dd6c70e7ac6be69fd892fbfb6dff7dc499fec9b0fad8fe00e

SHA512
354ab59d0eda6fbbc05989f4eb114f2877a3f27ac7f72a614ae3d2a06b2368d244528e71f376862e6ecf6f0b272a454cc9228c74c81dd2108a30ba993c144508

Download Submit
\Windows\SysWOW64\CFCA_HSBC_scsp.dll

Filesize
45KB

MD5
59671bf95699f5fd4ad23e6da2bd6284

SHA1
d50f9d1cdbaacabb86fb6106e98fff084e9ca9f5

SHA256
011523f383fe08bcd5a07307fc76cb644d6d7e955a88fdea02473a7591858386

SHA512
b7abb03eb4c2b395fc48679421668cf9ddd164c3b23d641b8631a97df0031133b5d8ea2102efdc0e07b881ebfe1668c0c4a3102ab6897e56ba734306ab01ecbc

Download Submit