Windows Analysis Report
HSBC Payment Advice_pdf.exe

Overview

General Information

Sample name: HSBC Payment Advice_pdf.exe
Analysis ID: 1462386
MD5: 4a54a1cfb9a323654e9382645dd55f03
SHA1: 2a569a45460a3a7251fe74fc0ce082dbe05de9d4
SHA256: 88ee50dbfee90121de2f56cbb6fb8e23384f2423a0598a45147fe08f6503cb3b
Tags: AgentTesla, exe, HSBC

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • HSBC Payment Advice_pdf.exe (PID: 3088 cmdline: "C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe" MD5: 4A54A1CFB9A323654E9382645DD55F03)
    • HSBC Payment Advice_pdf.exe (PID: 4996 cmdline: "C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe" MD5: 4A54A1CFB9A323654E9382645DD55F03)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.privateemail.com", "Username": "info@reivaix.cam", "Password": "Ukbase123."}
Memory dumps (Source | Rule | Description | Author | Strings)

00000003.00000002.3501087252.000000000319C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3501087252.0000000003171000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3501087252.0000000003171000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PE files (Source | Rule | Description | Author | Strings)

3.2.HSBC Payment Advice_pdf.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
3.2.HSBC Payment Advice_pdf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.HSBC Payment Advice_pdf.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x334ef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33561:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3367d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33759:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3387f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

Source: Network Connection | Author: frack113 | Data: DestinationIp: 66.29.159.53, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe, Initiated: true, ProcessId: 4996, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49726

Snort Overview

No Snort rule has matched

                    AV Detection

Source: http://smtp.privateemail.com | Avira URL Cloud: Label: malware
Source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.privateemail.com", "Username": "info@reivaix.cam", "Password": "Ukbase123."}
Source: HSBC Payment Advice_pdf.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: HSBC Payment Advice_pdf.exe | Joe Sandbox ML: detected
Source: HSBC Payment Advice_pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: HSBC Payment Advice_pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: FyLs.pdb | source: HSBC Payment Advice_pdf.exe
Source: Binary string: FyLs.pdbSHA256 | source: HSBC Payment Advice_pdf.exe
Source: global traffic | TCP traffic: 192.168.2.6:49726 -> 66.29.159.53:587
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | IP Address: 66.29.159.53
Source: Joe Sandbox View | ASN Name: ADVANTAGECOMUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.6:49726 -> 66.29.159.53:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: smtp.privateemail.com
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.00000000014A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.00000000014A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001418000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.00000000014A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001418000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.0000000003121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.000000000319C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.privateemail.com
Source: HSBC Payment Advice_pdf.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.0000000003121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.0000000003121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.0000000003121000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001418000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001477000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49724 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack, R1W.cs | .Net Code: _9lBUx
Source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.raw.unpack, R1W.cs | .Net Code: _9lBUx

                    System Summary

Source: 3.2.HSBC Payment Advice_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: initial sample | Static PE information: Filename: HSBC Payment Advice_pdf.exe
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 0_2_028D50E0
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 0_2_028D1820
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 0_2_04ECD444
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_0181E2B1
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_01814A98
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_01813E80
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_018141C8
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E1A068
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E26638
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E255F8
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E2B270
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E230B0
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E27DC8
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E276E8
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E2E3E8
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E22388
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E20040
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E25D33
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Code function: 3_2_06E20007
Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2272931406.0000000006E70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe, 00000000.00000000.2251469667.0000000000768000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFyLs.exe4 vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename69a68dfb-b596-44fb-81cc-4f8cdf6ef50f.exe4 vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2270067141.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2269413753.0000000002A81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2269413753.0000000002A81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename69a68dfb-b596-44fb-81cc-4f8cdf6ef50f.exe4 vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2267083009.0000000000D4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2272174277.0000000005240000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRT.dll. vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename69a68dfb-b596-44fb-81cc-4f8cdf6ef50f.exe4 vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3499408043.0000000000FE9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe | Binary or memory string: OriginalFilenameFyLs.exe4 vs HSBC Payment Advice_pdf.exe
Source: HSBC Payment Advice_pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.HSBC Payment Advice_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: HSBC Payment Advice_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack, KLhJmaON.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, AxXwoOcwjGCrIEPcHi.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, Nq3SuCIVXQe0AM9YEE.cs | Security API names: _0020.SetAccessControl
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, Nq3SuCIVXQe0AM9YEE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, Nq3SuCIVXQe0AM9YEE.cs | Security API names: _0020.AddAccessRule
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, Nq3SuCIVXQe0AM9YEE.cs | Security API names: _0020.SetAccessControl
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, Nq3SuCIVXQe0AM9YEE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, Nq3SuCIVXQe0AM9YEE.cs | Security API names: _0020.AddAccessRule
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, AxXwoOcwjGCrIEPcHi.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.HSBC Payment Advice_pdf.exe.2c5dabc.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.HSBC Payment Advice_pdf.exe.5520000.11.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.HSBC Payment Advice_pdf.exe.2c3c8ec.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBC Payment Advice_pdf.exe.log
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Mutant created: NULL
Source: HSBC Payment Advice_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HSBC Payment Advice_pdf.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HSBC Payment Advice_pdf.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe "C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe"
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Process created: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe "C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe"
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: HSBC Payment Advice_pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: HSBC Payment Advice_pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: HSBC Payment Advice_pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: FyLs.pdb source: HSBC Payment Advice_pdf.exe
                    Source: Binary string: FyLs.pdbSHA256 source: HSBC Payment Advice_pdf.exe

Data Obfuscation

Source: HSBC Payment Advice_pdf.exe, Form1.cs .Net Code: InitializeComponent
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, Nq3SuCIVXQe0AM9YEE.cs .Net Code: snwNAWyx7a System.Reflection.Assembly.Load(byte[])
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, Nq3SuCIVXQe0AM9YEE.cs .Net Code: snwNAWyx7a System.Reflection.Assembly.Load(byte[])
Source: HSBC Payment Advice_pdf.exe Static PE information: 0xDABCAD09 [Tue Apr 16 12:22:33 2086 UTC]
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Code function: 3_2_01810C45 push ebx; retf 3_2_01810C52
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Code function: 3_2_06E15150 push es; ret 3_2_06E15160
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Code function: 3_2_06E1FCC7 push es; retf 3_2_06E1FCC8
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Code function: 3_2_06E2AED5 push 8B0418B5h; iretd 3_2_06E2AEDA
Source: HSBC Payment Advice_pdf.exe Static PE information: section name: .text entropy: 7.913356403013591
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, LywPj5aBTkLsYaQkEe.cs High entropy of concatenated method names: 'Dispose', 'VjJq4XmJ4r', 'Gw66LUchLb', 'HS6nnyraZ8', 'Xwsq2eqGJs', 'DPQqzexiE5', 'ProcessDialogKey', 'UJP6j9kqc4', 'xwF6qqJBCZ', 'ihV668wdCA'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, FeX0bTrFKdvkCk1YxR.cs High entropy of concatenated method names: 'mGsAApFDM', 'sbcVNyaVO', 'CIF3JkOCL', 'V3bU32u52', 'YBl8E4tVT', 'oaVet3TeA', 'vKHLHBTUlC2iY2IvmU', 'WC0j6tALbpvBKDZrVk', 'LrC5Aih4V', 'vPksvdDXN'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, LtFOm3yJUyYxnuYCdo.cs High entropy of concatenated method names: 'tu4ECIUjMr', 'OkHE8hoIsK', 'vktEvZ8CyK', 'HNkELMknt5', 'gXIEwJEFFh', 'H8BErtpZR6', 'CsmEZhVWTH', 'fD1ESeGLtN', 'oiaEOqDOyI', 'RIsEWlg0JL'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, d5k0o8DUfPNwqd6W7f.cs High entropy of concatenated method names: 'wFKqMWtMkA', 'n63qmN0B3k', 'IbkqTVmctk', 'UbjqoYFD82', 'CB9qJHcmFR', 'f29qQki7RF', 'YZj15L6XUjDycQfV4C', 'aPChcavvoZS17yT7aE', 'yW4qqMCSTQ', 'SBgqBet6UV'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, vcZsWwjVaviwocgtGb.cs High entropy of concatenated method names: 'ah8iVcNRgY', 'yVsi3Rpljp', 'Ol5iCi4PDw', 'pX4i8TebDy', 'ChbiJnNJvm', 'Vd1iQqhnZT', 'lx9iXkHPbb', 'TxPi5G61xT', 'BOBi9YqED1', 'FXxisIAhUg'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, rxalHNPCeN6G7cSWoi.cs High entropy of concatenated method names: 'MamxpuVq80', 'ul5xU0MduQ', 'NsJiulHc9Z', 'gOTiw9bZ72', 'VZrirhwblM', 'QnLiFDIUdo', 'u5oiZs8STa', 'p5JiSXyLku', 'TU7i0rfLJ6', 'cIiiOgWVjj'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, roZQWm12lnekpJn6JL.cs High entropy of concatenated method names: 'YT5Xc8TUJO', 'hAPX2awNIF', 'kIk5jeEXo6', 'V735q713Eg', 'x6EXWXVjCT', 'OwFXGAyScD', 'cKMXtCXr5E', 'KJjXbePd9p', 'AwrXDEOU1Q', 'y3VXRhfqp4'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, qO5U8v7TKwF86LJ1B9K.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DCRsbMAmlm', 'KqtsDo3oNw', 'nCQsR97FS8', 'OUjsIUJYRG', 'd5NskyICYp', 'LXysKgC3N1', 'eGxsdWwbqd'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, du55YQwiFlGgqtfXe8.cs High entropy of concatenated method names: 'w045vU8I6M', 'JDQ5LBwLTZ', 'JIr5uuwd8q', 'D5m5wiHTaF', 'puv5bDtuVq', 'PeQ5rDdh2X', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, POytPAV3XRTWXWhQXl.cs High entropy of concatenated method names: 'aMvXTTW2vr', 'k5oXobtpaU', 'ToString', 'uINXh6ZUEy', 'xMHXlc8ugY', 'T3AXiGy2KV', 'UwsXxh6KZ1', 'EmcXaD1QWy', 'NsCXM76FBW', 'e2EXmaCty8'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, mAcxIfpZrxBho2Ub10.cs High entropy of concatenated method names: 'UeF5h7G8Jp', 'EaH5lUsQuS', 'ivd5iwEqFD', 'BBb5xU6B81', 'VkC5ajf8RA', 'kJa5MC1riE', 'TpN5mJ6lmp', 'VcD5fOdhff', 'YnV5TNvVUu', 'l8e5o2J4s7'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, SSxpw32RBkkqa09pAX.cs High entropy of concatenated method names: 'bMpM739XSE', 'dECMgqMMhr', 'cQsMAjy3wL', 'mVWMVDQ6qh', 'eynMpEHPTD', 'a6AM3IAkqf', 'iwyMU0s4NH', 'WNsMC5sTZ5', 'XkFM8Rw7B6', 'ehMMeOYyiM'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, Nq3SuCIVXQe0AM9YEE.cs High entropy of concatenated method names: 'ruXBY5q1Mm', 'nd1Bhgxhpo', 'OZUBlObk6A', 'qKVBibjU38', 'YKUBxEHUME', 'zMvBaaRqCH', 'JVvBMcvc7R', 'WAgBm9ZgHh', 'sRaBfO0dh8', 'v3JBTQxs9Z'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, xVE05LhJEonTZpAyst.cs High entropy of concatenated method names: 'ToString', 'WTGQWRbPfe', 'tOgQLdcCHB', 'gxnQuNZKkh', 'ExsQw2YxWG', 'NBbQrlNwdF', 'I4dQF043As', 'mu5QZlIqyb', 'oMpQSMRXCd', 'M8vQ0N7hDT'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, K5TUoG6qmlwZ7hrE6O.cs High entropy of concatenated method names: 'jmNaYx71x2', 'YjoalMQBDG', 'EKnaxaXYTe', 'qGxaMogxtq', 'Gf6amDUrqH', 'gSexkDwyXe', 'vMnxKNqZha', 'zf3xd5Ch2t', 'BKgxcU3ro0', 'jTHx4pbi8o'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, bHf3hUkXOo7SVjpqLR.cs High entropy of concatenated method names: 'e049qu4Oxt', 'F7T9BSvc4H', 'Gap9NJNZ27', 'cAT9hUYC8m', 'AKL9lqiftP', 'LtS9x02ggS', 'P3p9aKdbyV', 'nOL5dDlpq3', 'gq65craU2J', 'Vr754ft9JQ'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, AxXwoOcwjGCrIEPcHi.cs High entropy of concatenated method names: 'vILlb9Yj9E', 'zeNlDttiFY', 'hTVlRWFfGJ', 'kRFlIClIC1', 'ahLlkYjlDJ', 'ztUlKH7N2t', 'oYDldWqMho', 'Gg1lcq9aRg', 'V6el4Q935R', 'URMl2BETDy'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, x0Mqm19QWQXmhvEQL0.cs High entropy of concatenated method names: 'IE6MhNpauL', 'iViMiUAaBd', 'IfGMaCPGdF', 'du0a2uH7Oe', 'GMkazE8Ubk', 'MnEMjBE4iM', 'LrLMqlilF7', 's4CM6o0rAE', 'hDfMBF5y7v', 'DFsMNFIhjm'
Source: 0.2.HSBC Payment Advice_pdf.exe.3e653f0.6.raw.unpack, iksoQ078TDhpuDj5Nj7.cs High entropy of concatenated method names: 'rZo97s3dnW', 'KYi9gBAh11', 'pcQ9ANMThX', 'khA9VOTfjx', 'sIm9pDa1Rb', 'Yl593tnZ2Y', 'Wgt9UQbqg3', 'GOI9CAcoNa', 'QvB989LWcm', 'khX9eaFQXg'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, LywPj5aBTkLsYaQkEe.cs High entropy of concatenated method names: 'Dispose', 'VjJq4XmJ4r', 'Gw66LUchLb', 'HS6nnyraZ8', 'Xwsq2eqGJs', 'DPQqzexiE5', 'ProcessDialogKey', 'UJP6j9kqc4', 'xwF6qqJBCZ', 'ihV668wdCA'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, FeX0bTrFKdvkCk1YxR.cs High entropy of concatenated method names: 'mGsAApFDM', 'sbcVNyaVO', 'CIF3JkOCL', 'V3bU32u52', 'YBl8E4tVT', 'oaVet3TeA', 'vKHLHBTUlC2iY2IvmU', 'WC0j6tALbpvBKDZrVk', 'LrC5Aih4V', 'vPksvdDXN'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, LtFOm3yJUyYxnuYCdo.cs High entropy of concatenated method names: 'tu4ECIUjMr', 'OkHE8hoIsK', 'vktEvZ8CyK', 'HNkELMknt5', 'gXIEwJEFFh', 'H8BErtpZR6', 'CsmEZhVWTH', 'fD1ESeGLtN', 'oiaEOqDOyI', 'RIsEWlg0JL'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, d5k0o8DUfPNwqd6W7f.cs High entropy of concatenated method names: 'wFKqMWtMkA', 'n63qmN0B3k', 'IbkqTVmctk', 'UbjqoYFD82', 'CB9qJHcmFR', 'f29qQki7RF', 'YZj15L6XUjDycQfV4C', 'aPChcavvoZS17yT7aE', 'yW4qqMCSTQ', 'SBgqBet6UV'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, vcZsWwjVaviwocgtGb.cs High entropy of concatenated method names: 'ah8iVcNRgY', 'yVsi3Rpljp', 'Ol5iCi4PDw', 'pX4i8TebDy', 'ChbiJnNJvm', 'Vd1iQqhnZT', 'lx9iXkHPbb', 'TxPi5G61xT', 'BOBi9YqED1', 'FXxisIAhUg'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, rxalHNPCeN6G7cSWoi.cs High entropy of concatenated method names: 'MamxpuVq80', 'ul5xU0MduQ', 'NsJiulHc9Z', 'gOTiw9bZ72', 'VZrirhwblM', 'QnLiFDIUdo', 'u5oiZs8STa', 'p5JiSXyLku', 'TU7i0rfLJ6', 'cIiiOgWVjj'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, roZQWm12lnekpJn6JL.cs High entropy of concatenated method names: 'YT5Xc8TUJO', 'hAPX2awNIF', 'kIk5jeEXo6', 'V735q713Eg', 'x6EXWXVjCT', 'OwFXGAyScD', 'cKMXtCXr5E', 'KJjXbePd9p', 'AwrXDEOU1Q', 'y3VXRhfqp4'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, qO5U8v7TKwF86LJ1B9K.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'DCRsbMAmlm', 'KqtsDo3oNw', 'nCQsR97FS8', 'OUjsIUJYRG', 'd5NskyICYp', 'LXysKgC3N1', 'eGxsdWwbqd'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, du55YQwiFlGgqtfXe8.cs High entropy of concatenated method names: 'w045vU8I6M', 'JDQ5LBwLTZ', 'JIr5uuwd8q', 'D5m5wiHTaF', 'puv5bDtuVq', 'PeQ5rDdh2X', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, POytPAV3XRTWXWhQXl.cs High entropy of concatenated method names: 'aMvXTTW2vr', 'k5oXobtpaU', 'ToString', 'uINXh6ZUEy', 'xMHXlc8ugY', 'T3AXiGy2KV', 'UwsXxh6KZ1', 'EmcXaD1QWy', 'NsCXM76FBW', 'e2EXmaCty8'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, mAcxIfpZrxBho2Ub10.cs High entropy of concatenated method names: 'UeF5h7G8Jp', 'EaH5lUsQuS', 'ivd5iwEqFD', 'BBb5xU6B81', 'VkC5ajf8RA', 'kJa5MC1riE', 'TpN5mJ6lmp', 'VcD5fOdhff', 'YnV5TNvVUu', 'l8e5o2J4s7'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, SSxpw32RBkkqa09pAX.cs High entropy of concatenated method names: 'bMpM739XSE', 'dECMgqMMhr', 'cQsMAjy3wL', 'mVWMVDQ6qh', 'eynMpEHPTD', 'a6AM3IAkqf', 'iwyMU0s4NH', 'WNsMC5sTZ5', 'XkFM8Rw7B6', 'ehMMeOYyiM'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, Nq3SuCIVXQe0AM9YEE.cs High entropy of concatenated method names: 'ruXBY5q1Mm', 'nd1Bhgxhpo', 'OZUBlObk6A', 'qKVBibjU38', 'YKUBxEHUME', 'zMvBaaRqCH', 'JVvBMcvc7R', 'WAgBm9ZgHh', 'sRaBfO0dh8', 'v3JBTQxs9Z'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, xVE05LhJEonTZpAyst.cs High entropy of concatenated method names: 'ToString', 'WTGQWRbPfe', 'tOgQLdcCHB', 'gxnQuNZKkh', 'ExsQw2YxWG', 'NBbQrlNwdF', 'I4dQF043As', 'mu5QZlIqyb', 'oMpQSMRXCd', 'M8vQ0N7hDT'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, K5TUoG6qmlwZ7hrE6O.cs High entropy of concatenated method names: 'jmNaYx71x2', 'YjoalMQBDG', 'EKnaxaXYTe', 'qGxaMogxtq', 'Gf6amDUrqH', 'gSexkDwyXe', 'vMnxKNqZha', 'zf3xd5Ch2t', 'BKgxcU3ro0', 'jTHx4pbi8o'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, bHf3hUkXOo7SVjpqLR.cs High entropy of concatenated method names: 'e049qu4Oxt', 'F7T9BSvc4H', 'Gap9NJNZ27', 'cAT9hUYC8m', 'AKL9lqiftP', 'LtS9x02ggS', 'P3p9aKdbyV', 'nOL5dDlpq3', 'gq65craU2J', 'Vr754ft9JQ'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, AxXwoOcwjGCrIEPcHi.cs High entropy of concatenated method names: 'vILlb9Yj9E', 'zeNlDttiFY', 'hTVlRWFfGJ', 'kRFlIClIC1', 'ahLlkYjlDJ', 'ztUlKH7N2t', 'oYDldWqMho', 'Gg1lcq9aRg', 'V6el4Q935R', 'URMl2BETDy'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, x0Mqm19QWQXmhvEQL0.cs High entropy of concatenated method names: 'IE6MhNpauL', 'iViMiUAaBd', 'IfGMaCPGdF', 'du0a2uH7Oe', 'GMkazE8Ubk', 'MnEMjBE4iM', 'LrLMqlilF7', 's4CM6o0rAE', 'hDfMBF5y7v', 'DFsMNFIhjm'
Source: 0.2.HSBC Payment Advice_pdf.exe.6e70000.12.raw.unpack, iksoQ078TDhpuDj5Nj7.cs High entropy of concatenated method names: 'rZo97s3dnW', 'KYi9gBAh11', 'pcQ9ANMThX', 'khA9VOTfjx', 'sIm9pDa1Rb', 'Yl593tnZ2Y', 'Wgt9UQbqg3', 'GOI9CAcoNa', 'QvB989LWcm', 'khX9eaFQXg'
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: HSBC Payment Advice_pdf.exe PID: 3088, type: MEMORYSTR
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory allocated: 2880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory allocated: 2A80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory allocated: 2880000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory allocated: ACF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory allocated: 6EF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory allocated: BDF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory allocated: CDF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory allocated: 17D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory allocated: 3120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory allocated: 5120000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Window / User API: threadDelayed 1227
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Window / User API: threadDelayed 3645
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7300 Thread sleep count: 1227 > 30
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284 Thread sleep time: -99859s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7300 Thread sleep count: 3645 > 30
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284 Thread sleep time: -99714s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284 Thread sleep time: -99605s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284 Thread sleep time: -99499s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284 Thread sleep time: -99390s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284 Thread sleep time: -99281s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284 Thread sleep time: -99171s >= -30000s
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284 Thread sleep time: -99062s >= -30000s
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -98953s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -98843s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -98734s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -98625s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -98515s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -98402s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -98297s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -98187s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -98078s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -97969s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -97856s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -97750s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -97640s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -97531s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -97421s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe TID: 7284Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 99859Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 99714Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 99605Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 99499Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 99390Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 99281Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 99171Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 99062Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 98953Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 98843Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 98734Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 98625Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 98515Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 98402Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 98297Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 98187Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 98078Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 97969Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 97856Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 97750Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 97640Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 97531Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 97421Jump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: hgfsZrw6
                    Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.00000000014A6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Memory written: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Process created: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe "C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe"
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match File source: 3.2.HSBC Payment Advice_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3501087252.000000000319C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3501087252.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HSBC Payment Advice_pdf.exe PID: 3088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HSBC Payment Advice_pdf.exe PID: 4996, type: MEMORYSTR
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 3.2.HSBC Payment Advice_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3501087252.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HSBC Payment Advice_pdf.exe PID: 3088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HSBC Payment Advice_pdf.exe PID: 4996, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match File source: 3.2.HSBC Payment Advice_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3ac4390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.HSBC Payment Advice_pdf.exe.3a89970.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.3501087252.000000000319C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3501087252.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: HSBC Payment Advice_pdf.exe PID: 3088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HSBC Payment Advice_pdf.exe PID: 4996, type: MEMORYSTR
MITRE ATT&CK Matrix (one column per tactic; a leading number marks techniques the analysis matched, unnumbered cells are the matrix's unmatched techniques)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | 1 Credentials in Registry | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 111 Security Software Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 111 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement


Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
HSBC Payment Advice_pdf.exe | 39% | ReversingLabs | Win32.Trojan.Generic
HSBC Payment Advice_pdf.exe | 100% | Joe Sandbox ML
No Antivirus matches

Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
https://api.ipify.org | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://api.ipify.org/t | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | Avira URL Cloud | safe
http://tempuri.org/DataSet1.xsd | 0% | Avira URL Cloud | safe
http://smtp.privateemail.com | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.13.205 | true | false | (none) | unknown
smtp.privateemail.com | 66.29.159.53 | true | true | (none) | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation

http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
  Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001418000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001477000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown

https://api.ipify.org
  Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.0000000003121000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown

https://sectigo.com/CPS0
  Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001418000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001477000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown

https://account.dyn.com/
  Source: HSBC Payment Advice_pdf.exe, 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown

http://ocsp.sectigo.com0
  Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001418000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.00000000014A6000.00000004.00000020.00020000.00000000.sdmp, HSBC Payment Advice_pdf.exe, 00000003.00000002.3499588618.0000000001477000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown

https://api.ipify.org/t
  Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.0000000003121000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.0000000003121000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | URL Reputation: safe | Reputation: unknown

http://smtp.privateemail.com
  Source: HSBC Payment Advice_pdf.exe, 00000003.00000002.3501087252.000000000319C000.00000004.00000800.00020000.00000000.sdmp
  Malicious: false | Avira URL Cloud: malware | Reputation: unknown

http://tempuri.org/DataSet1.xsd
  Source: HSBC Payment Advice_pdf.exe
  Malicious: false | Avira URL Cloud: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
66.29.159.53 | smtp.privateemail.com | United States | 19538 | ADVANTAGECOMUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1462386
Start date and time: 2024-06-25 15:47:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HSBC Payment Advice_pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 89
                        • Number of non-executed functions: 2
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: HSBC Payment Advice_pdf.exe
Time | Type | Description
09:48:10 | API Interceptor | 25x Sleep call for process: HSBC Payment Advice_pdf.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.13.205 | Ransom.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
104.26.13.205 | ld.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
104.26.13.205 | ReturnLegend.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
104.26.13.205 | Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | ArenaWarSetup.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | Sky-Beta Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/?format=json
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
66.29.159.53 | Payment List.bat.exe | malicious | AgentTesla |
66.29.159.53 | INQUIRY RE44535_pdf.exe | malicious | AgentTesla, PureLog Stealer |
66.29.159.53 | Texas_Tool_Purchase_Order#T18834-1.vbs | malicious | AgentTesla, GuLoader |
66.29.159.53 | Swift_Message#1234323456.vbs | malicious | AgentTesla, GuLoader |
66.29.159.53 | e-dekont_swift-details.vbs | malicious | AgentTesla, GuLoader |
66.29.159.53 | 17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exe | malicious | AgentTesla |
66.29.159.53 | Scan_IMG-Payment Sheet _Till Febuary 2024...bat.exe | malicious | AgentTesla |
66.29.159.53 | 1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe | malicious | AgentTesla |
66.29.159.53 | 1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe | malicious | AgentTesla |
66.29.159.53 | https://www.wikiran.org/attachments/leaks/asbgroup//4d90f5a202dda02e5900334984637a7fd0d3b2e2/CIMB%20PAYMENT%200520.zip | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
smtp.privateemail.com | Payment List.bat.exe | malicious | AgentTesla | 66.29.159.53
smtp.privateemail.com | INQUIRY RE44535_pdf.exe | malicious | AgentTesla, PureLog Stealer | 66.29.159.53
smtp.privateemail.com | Texas_Tool_Purchase_Order#T18834-1.vbs | malicious | AgentTesla, GuLoader | 66.29.159.53
smtp.privateemail.com | Swift_Message#1234323456.vbs | malicious | AgentTesla, GuLoader | 66.29.159.53
smtp.privateemail.com | e-dekont_swift-details.vbs | malicious | AgentTesla, GuLoader | 66.29.159.53
smtp.privateemail.com | 17129052285907bbffa1e06db9a2c2be9b124dbfe370dcce33488c29504b5286529b8a6aa8471.dat-decoded.exe | malicious | AgentTesla | 66.29.159.53
smtp.privateemail.com | Scan_IMG-Payment Sheet _Till Febuary 2024...bat.exe | malicious | AgentTesla | 66.29.159.53
smtp.privateemail.com | 1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe | malicious | AgentTesla | 66.29.159.53
smtp.privateemail.com | 1709572324a197889913f96ec9bd444cdc1a03ae72cd8e81098994f82b76ebbbd558d62ba0270.dat-decoded.exe | malicious | AgentTesla | 66.29.159.53
smtp.privateemail.com | https://www.wikiran.org/attachments/leaks/asbgroup//4d90f5a202dda02e5900334984637a7fd0d3b2e2/CIMB%20PAYMENT%200520.zip | malicious | AgentTesla | 66.29.159.53
api.ipify.org | E-dekont.exe | malicious | GuLoader | 172.67.74.152
api.ipify.org | 0097-CGM CIGIEMME S.p.A.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | gdC5AKTv6RiIgyr.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | Payroll List or Salary List.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | crypted file.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | SPECIFICATIONS.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | Cosco_RFQ_June_.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | NEW ORDER.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | loading advice.exe | malicious | AgentTesla | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | SecuriteInfo.com.Win64.Evo-gen.25703.16605.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | SecuriteInfo.com.W64.Agent.NV.tr.9318.30020.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | PEC Statement 770925.pdf | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | SecuriteInfo.com.Win64.Evo-gen.25703.16605.exe | malicious | Unknown | 104.26.1.5
CLOUDFLARENETUS | SecuriteInfo.com.Win32.Evo-gen.1540.18028.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | Promotion letter-2.docx | malicious | Unknown | 188.114.96.3
CLOUDFLARENETUS | 7rBFEWNRqy.exe | malicious | LummaC, SmokeLoader | 188.114.96.3
CLOUDFLARENETUS | SecuriteInfo.com.W64.Agent.NV.tr.9318.30020.exe | malicious | Unknown | 104.26.0.5
CLOUDFLARENETUS | E-dekont.exe | malicious | GuLoader | 172.67.74.152
CLOUDFLARENETUS | Promotion letter-3.docx | malicious | Unknown | 188.114.96.3
ADVANTAGECOMUS | https://tgbot.cyb3r.army/700975049/Instagram.com.html | malicious | Unknown | 66.29.146.75
ADVANTAGECOMUS | https://tgbot.cyb3r.army/1598573024/Instagram.com.html | malicious | Unknown | 66.29.146.75
ADVANTAGECOMUS | http://tgbot.cyb3r.army/6453936172/Instagram.com.html | malicious | Unknown | 66.29.146.75
ADVANTAGECOMUS | Arrival Notice.bat.exe | malicious | FormBook | 66.29.145.248
ADVANTAGECOMUS | Arrival Notice.bat.exe | malicious | FormBook | 66.29.145.248
ADVANTAGECOMUS | AWB_NO_907853880911.exe | malicious | FormBook | 66.29.145.248
ADVANTAGECOMUS | 60a8.scr.exe | malicious | FormBook | 66.29.137.12
ADVANTAGECOMUS | https://tgbot.cyb3r.army/1440835494/Instagram.com.html | malicious | Unknown | 66.29.146.75
ADVANTAGECOMUS | https://tgbot.cyb3r.army/6695883664/Instagram.com.html | malicious | Unknown | 66.29.146.75
ADVANTAGECOMUS | PO 060624.exe | malicious | FormBook | 66.29.149.46
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | MKiN8877.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win64.Evo-gen.25703.16605.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.W64.Agent.NV.tr.9318.30020.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | MKiN8877.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win64.Evo-gen.25703.16605.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.Win32.Evo-gen.1540.18028.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Promotion letter-2.docx | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | SecuriteInfo.com.W64.Agent.NV.tr.9318.30020.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | E-dekont.exe | malicious | GuLoader | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion | malicious | Unknown | 104.26.13.205
                                            No context
Process: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.9063089183462045
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: HSBC Payment Advice_pdf.exe
File size: 683'008 bytes
MD5: 4a54a1cfb9a323654e9382645dd55f03
SHA1: 2a569a45460a3a7251fe74fc0ce082dbe05de9d4
SHA256: 88ee50dbfee90121de2f56cbb6fb8e23384f2423a0598a45147fe08f6503cb3b
SHA512: 6830e11f411b50da12361bbd8749dc80386b49895823986609d990871c8a9c01884c38e9dc8698f913b00f1f273809e225430b22c2f0d9241735892b96d5cab5
SSDEEP: 12288:wo5wtN2gPFocYNclSS51hq2t7ud/I59A/IFlDBUun3BYMn/:7LESc5F5F8dQ40lDeGr/
TLSH: 5CE4122035684F53E9BD4BF4122CF68127FB460F5261E79C8DE271DB2876F8143A1A9B
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..N...........m... ........@.. ....................................@................................
Icon Hash: b6b3a3a398988cb3
Entrypoint: 0x4a6d1e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xDABCAD09 [Tue Apr 16 12:22:33 2086 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa6ccc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa8000 | 0x1830 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xaa000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa3dac | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa4d24 | 0xa4e00 | 87803562fdd55e743e493f4829c2b7a2 | False | 0.9306870143100834 | data | 7.913356403013591 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa8000 | 0x1830 | 0x1a00 | 5d1a70fc93af3de7628df5a9dcb23b6c | False | 0.7546574519230769 | data | 7.208753987549188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xaa000 | 0xc | 0x200 | 926647611823790aa4d07c775db48281 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xa8130 | 0x11f4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9253698868581375
RT_GROUP_ICON | 0xa9324 | 0x14 | data | | | 0.95
RT_VERSION | 0xa9338 | 0x30c | data | | | 0.4358974358974359
RT_MANIFEST | 0xa9644 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Jun 25, 2024 15:48:16.209608078 CEST49726587192.168.2.666.29.159.53
                                            Jun 25, 2024 15:48:16.209608078 CEST49726587192.168.2.666.29.159.53
                                            Jun 25, 2024 15:48:16.209638119 CEST49726587192.168.2.666.29.159.53
                                            Jun 25, 2024 15:48:16.209638119 CEST49726587192.168.2.666.29.159.53
                                            Jun 25, 2024 15:48:16.214504957 CEST5874972666.29.159.53192.168.2.6
                                            Jun 25, 2024 15:48:16.214550018 CEST5874972666.29.159.53192.168.2.6
                                            Jun 25, 2024 15:48:16.214595079 CEST5874972666.29.159.53192.168.2.6
                                            Jun 25, 2024 15:48:16.214608908 CEST5874972666.29.159.53192.168.2.6
                                            Jun 25, 2024 15:48:16.597390890 CEST5874972666.29.159.53192.168.2.6
                                            Jun 25, 2024 15:48:16.652478933 CEST49726587192.168.2.666.29.159.53
                                            Jun 25, 2024 15:49:53.965826035 CEST49726587192.168.2.666.29.159.53
                                            Jun 25, 2024 15:49:53.971306086 CEST5874972666.29.159.53192.168.2.6
                                            Jun 25, 2024 15:49:54.117594957 CEST5874972666.29.159.53192.168.2.6
                                            Jun 25, 2024 15:49:54.118865967 CEST5874972666.29.159.53192.168.2.6
                                            Jun 25, 2024 15:49:54.118921041 CEST49726587192.168.2.666.29.159.53
                                            Jun 25, 2024 15:49:54.118921041 CEST49726587192.168.2.666.29.159.53
                                            Jun 25, 2024 15:49:54.123832941 CEST5874972666.29.159.53192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 25, 2024 15:48:12.557495117 CEST | 52042 | 53 | 192.168.2.6 | 1.1.1.1
Jun 25, 2024 15:48:12.564709902 CEST | 53 | 52042 | 1.1.1.1 | 192.168.2.6
Jun 25, 2024 15:48:13.948128939 CEST | 54969 | 53 | 192.168.2.6 | 1.1.1.1
Jun 25, 2024 15:48:13.966038942 CEST | 53 | 54969 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 25, 2024 15:48:12.557495117 CEST | 192.168.2.6 | 1.1.1.1 | 0x110e | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:48:13.948128939 CEST | 192.168.2.6 | 1.1.1.1 | 0xde6f | Standard query (0) | smtp.privateemail.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 25, 2024 15:48:12.564709902 CEST | 1.1.1.1 | 192.168.2.6 | 0x110e | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:48:12.564709902 CEST | 1.1.1.1 | 192.168.2.6 | 0x110e | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:48:12.564709902 CEST | 1.1.1.1 | 192.168.2.6 | 0x110e | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Jun 25, 2024 15:48:13.966038942 CEST | 1.1.1.1 | 192.168.2.6 | 0xde6f | No error (0) | smtp.privateemail.com | | 66.29.159.53 | A (IP address) | IN (0x0001) | false
                                            • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49724 | 104.26.13.205 | 443 | 4996 | C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-25 13:48:13 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-06-25 13:48:13 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Tue, 25 Jun 2024 13:48:13 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 899569f71b3941f2-EWR
2024-06-25 13:48:13 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jun 25, 2024 15:48:14.580679893 CEST | 587 | 49726 | 66.29.159.53 | 192.168.2.6 | 220 PrivateEmail.com prod Mail Node
Jun 25, 2024 15:48:14.580889940 CEST | 49726 | 587 | 192.168.2.6 | 66.29.159.53 | EHLO 367706
Jun 25, 2024 15:48:14.732760906 CEST | 587 | 49726 | 66.29.159.53 | 192.168.2.6 | 250-mta-05.privateemail.com
250-PIPELINING
250-SIZE 81788928
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-CHUNKING
250 STARTTLS
Jun 25, 2024 15:48:14.732959986 CEST | 49726 | 587 | 192.168.2.6 | 66.29.159.53 | STARTTLS
Jun 25, 2024 15:48:14.884553909 CEST | 587 | 49726 | 66.29.159.53 | 192.168.2.6 | 220 Ready to start TLS


Target ID: 0
Start time: 09:48:09
Start date: 25/06/2024
Path: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe"
Imagebase: 0x6c0000
File size: 683'008 bytes
MD5 hash: 4A54A1CFB9A323654E9382645DD55F03
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2270067141.0000000003A89000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 3
Start time: 09:48:10
Start date: 25/06/2024
Path: C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\HSBC Payment Advice_pdf.exe"
Imagebase: 0xdb0000
File size: 683'008 bytes
MD5 hash: 4A54A1CFB9A323654E9382645DD55F03
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3501087252.000000000319C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3501087252.00000000031A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3501087252.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3501087252.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3499187438.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


                                              Execution Graph

                                              Execution Coverage:10.4%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:235
                                              Total number of Limit Nodes:24
                                              execution_graph 21939 4ec4668 21940 4ec467a 21939->21940 21941 4ec4686 21940->21941 21943 4ec4778 21940->21943 21944 4ec479d 21943->21944 21948 4ec4888 21944->21948 21952 4ec4878 21944->21952 21950 4ec48af 21948->21950 21949 4ec498c 21949->21949 21950->21949 21956 4ec44e4 21950->21956 21954 4ec48af 21952->21954 21953 4ec498c 21953->21953 21954->21953 21955 4ec44e4 CreateActCtxA 21954->21955 21955->21953 21957 4ec5918 CreateActCtxA 21956->21957 21959 4ec59db 21957->21959 21959->21959 22193 4ecd518 22194 4ecd55e 22193->22194 22198 4ecd6f8 22194->22198 22201 4ecd6e7 22194->22201 22195 4ecd64b 22199 4ecd726 22198->22199 22206 4ecb870 22198->22206 22199->22195 22202 4ecd6f2 22201->22202 22205 4ecd6ac 22201->22205 22203 4ecb870 DuplicateHandle 22202->22203 22204 4ecd726 22203->22204 22204->22195 22205->22195 22207 4ecd760 DuplicateHandle 22206->22207 22208 4ecd7f6 22207->22208 22208->22199 21960 28d4368 21961 28d44f3 21960->21961 21962 28d438e 21960->21962 21962->21961 21964 28d1fa8 21962->21964 21965 28d45e8 PostMessageW 21964->21965 21966 28d4654 21965->21966 21966->21962 22209 4ecad90 22212 4ecae79 22209->22212 22210 4ecad9f 22213 4ecae99 22212->22213 22214 4ecaebc 22212->22214 22213->22214 22220 4ecb120 22213->22220 22224 4ecb111 22213->22224 22214->22210 22215 4ecaeb4 22215->22214 22216 4ecb0c0 GetModuleHandleW 22215->22216 22217 4ecb0ed 22216->22217 22217->22210 22222 4ecb134 22220->22222 22221 4ecb159 22221->22215 22222->22221 22228 4eca248 22222->22228 22225 4ecb134 22224->22225 22226 4eca248 LoadLibraryExW 22225->22226 22227 4ecb159 22225->22227 22226->22227 22227->22215 22229 4ecb300 LoadLibraryExW 22228->22229 22231 4ecb379 22229->22231 22231->22221 21967 28d28e0 21968 28d28e4 21967->21968 21969 28d290a 21968->21969 21973 28d3149 21968->21973 21993 28d3188 21968->21993 21970 28d2a61 21974 28d316a 21973->21974 21975 28d30ed 21973->21975 22012 28d38c2 21974->22012 22017 28d4023 21974->22017 22022 28d35a0 21974->22022 
22027 28d3e66 21974->22027 22031 28d37c7 21974->22031 22036 28d3c67 21974->22036 22049 28d3cab 21974->22049 22062 28d3de8 21974->22062 22066 28d39d3 21974->22066 22078 28d3971 21974->22078 22090 28d36f4 21974->22090 22098 28d3675 21974->22098 22106 28d3935 21974->22106 22117 28d383b 21974->22117 22122 28d3758 21974->22122 22134 28d3bb8 21974->22134 21975->21970 21976 28d31c6 21976->21970 21994 28d31a2 21993->21994 21996 28d3de8 2 API calls 21994->21996 21997 28d3cab 4 API calls 21994->21997 21998 28d3c67 4 API calls 21994->21998 21999 28d37c7 2 API calls 21994->21999 22000 28d3e66 2 API calls 21994->22000 22001 28d35a0 2 API calls 21994->22001 22002 28d4023 2 API calls 21994->22002 22003 28d38c2 2 API calls 21994->22003 22004 28d3bb8 4 API calls 21994->22004 22005 28d3758 4 API calls 21994->22005 22006 28d383b 2 API calls 21994->22006 22007 28d3935 4 API calls 21994->22007 22008 28d3675 2 API calls 21994->22008 22009 28d36f4 2 API calls 21994->22009 22010 28d3971 4 API calls 21994->22010 22011 28d39d3 4 API calls 21994->22011 21995 28d31c6 21995->21970 21996->21995 21997->21995 21998->21995 21999->21995 22000->21995 22001->21995 22002->21995 22003->21995 22004->21995 22005->21995 22006->21995 22007->21995 22008->21995 22009->21995 22010->21995 22011->21995 22013 28d384d 22012->22013 22145 28d1e01 22013->22145 22149 28d1e08 22013->22149 22014 28d3e1c 22018 28d402b 22017->22018 22019 28d3fd1 22017->22019 22019->22017 22153 28d1698 22019->22153 22157 28d1690 22019->22157 22023 28d35aa 22022->22023 22161 28d2394 22023->22161 22165 28d23a0 22023->22165 22169 28d1c58 22027->22169 22173 28d1c50 22027->22173 22028 28d3e84 22032 28d3864 22031->22032 22177 28d1d18 22032->22177 22181 28d1d10 22032->22181 22033 28d379c 22037 28d3c74 22036->22037 22038 28d3948 22036->22038 22040 28d3681 22038->22040 22043 28d1d18 WriteProcessMemory 22038->22043 22044 28d1d10 WriteProcessMemory 22038->22044 22039 28d3ee4 22039->21976 22040->22039 22041 28d3fd1 22040->22041 22047 28d1698 
ResumeThread 22040->22047 22048 28d1690 ResumeThread 22040->22048 22042 28d402b 22041->22042 22045 28d1698 ResumeThread 22041->22045 22046 28d1690 ResumeThread 22041->22046 22043->22038 22044->22038 22045->22041 22046->22041 22047->22041 22048->22041 22050 28d384d 22049->22050 22051 28d3cb8 22049->22051 22060 28d1e08 ReadProcessMemory 22050->22060 22061 28d1e01 ReadProcessMemory 22050->22061 22051->22050 22053 28d3681 22051->22053 22052 28d3e1c 22054 28d3fd1 22053->22054 22058 28d1698 ResumeThread 22053->22058 22059 28d1690 ResumeThread 22053->22059 22055 28d402b 22054->22055 22056 28d1698 ResumeThread 22054->22056 22057 28d1690 ResumeThread 22054->22057 22056->22054 22057->22054 22058->22054 22059->22054 22060->22052 22061->22052 22063 28d3e1c 22062->22063 22064 28d1e08 ReadProcessMemory 22062->22064 22065 28d1e01 ReadProcessMemory 22062->22065 22064->22063 22065->22063 22068 28d3948 22066->22068 22067 28d3ee4 22067->21976 22068->22066 22069 28d3681 22068->22069 22076 28d1d18 WriteProcessMemory 22068->22076 22077 28d1d10 WriteProcessMemory 22068->22077 22069->22067 22070 28d3fd1 22069->22070 22072 28d1698 ResumeThread 22069->22072 22073 28d1690 ResumeThread 22069->22073 22071 28d402b 22070->22071 22074 28d1698 ResumeThread 22070->22074 22075 28d1690 ResumeThread 22070->22075 22072->22070 22073->22070 22074->22070 22075->22070 22076->22068 22077->22068 22079 28d3948 22078->22079 22081 28d3681 22079->22081 22086 28d1d18 WriteProcessMemory 22079->22086 22087 28d1d10 WriteProcessMemory 22079->22087 22080 28d3ee4 22080->21976 22081->22080 22082 28d3fd1 22081->22082 22084 28d1698 ResumeThread 22081->22084 22085 28d1690 ResumeThread 22081->22085 22083 28d402b 22082->22083 22088 28d1698 ResumeThread 22082->22088 22089 28d1690 ResumeThread 22082->22089 22084->22082 22085->22082 22086->22079 22087->22079 22088->22082 22089->22082 22091 28d370e 22090->22091 22092 28d3fd1 22091->22092 22094 28d1698 ResumeThread 22091->22094 22095 28d1690 ResumeThread 22091->22095 22093 
28d402b 22092->22093 22096 28d1698 ResumeThread 22092->22096 22097 28d1690 ResumeThread 22092->22097 22094->22092 22095->22092 22096->22092 22097->22092 22099 28d3681 22098->22099 22100 28d3fd1 22099->22100 22104 28d1698 ResumeThread 22099->22104 22105 28d1690 ResumeThread 22099->22105 22101 28d402b 22100->22101 22102 28d1698 ResumeThread 22100->22102 22103 28d1690 ResumeThread 22100->22103 22102->22100 22103->22100 22104->22100 22105->22100 22107 28d3942 22106->22107 22108 28d3681 22106->22108 22185 28d1741 22107->22185 22189 28d1748 22107->22189 22109 28d3fd1 22108->22109 22113 28d1698 ResumeThread 22108->22113 22114 28d1690 ResumeThread 22108->22114 22110 28d402b 22109->22110 22115 28d1698 ResumeThread 22109->22115 22116 28d1690 ResumeThread 22109->22116 22113->22109 22114->22109 22115->22109 22116->22109 22118 28d384d 22117->22118 22120 28d1e08 ReadProcessMemory 22118->22120 22121 28d1e01 ReadProcessMemory 22118->22121 22119 28d3e1c 22120->22119 22121->22119 22123 28d377f 22122->22123 22130 28d1d18 WriteProcessMemory 22123->22130 22131 28d1d10 WriteProcessMemory 22123->22131 22124 28d3ee4 22124->21976 22125 28d3681 22125->22124 22126 28d3fd1 22125->22126 22132 28d1698 ResumeThread 22125->22132 22133 28d1690 ResumeThread 22125->22133 22127 28d402b 22126->22127 22128 28d1698 ResumeThread 22126->22128 22129 28d1690 ResumeThread 22126->22129 22128->22126 22129->22126 22130->22125 22131->22125 22132->22126 22133->22126 22135 28d3bd2 22134->22135 22138 28d3681 22134->22138 22135->22138 22143 28d1748 Wow64SetThreadContext 22135->22143 22144 28d1741 Wow64SetThreadContext 22135->22144 22136 28d3fd1 22137 28d402b 22136->22137 22139 28d1698 ResumeThread 22136->22139 22140 28d1690 ResumeThread 22136->22140 22138->22136 22141 28d1698 ResumeThread 22138->22141 22142 28d1690 ResumeThread 22138->22142 22139->22136 22140->22136 22141->22136 22142->22136 22143->22138 22144->22138 22146 28d1e53 ReadProcessMemory 22145->22146 22148 28d1e97 22146->22148 22148->22014 22150 28d1e53 
ReadProcessMemory 22149->22150 22152 28d1e97 22150->22152 22152->22014 22154 28d16d8 ResumeThread 22153->22154 22156 28d1709 22154->22156 22156->22019 22158 28d16d8 ResumeThread 22157->22158 22160 28d1709 22158->22160 22160->22019 22162 28d2429 CreateProcessA 22161->22162 22164 28d25eb 22162->22164 22166 28d2429 CreateProcessA 22165->22166 22168 28d25eb 22166->22168 22170 28d1c98 VirtualAllocEx 22169->22170 22172 28d1cd5 22170->22172 22172->22028 22174 28d1c98 VirtualAllocEx 22173->22174 22176 28d1cd5 22174->22176 22176->22028 22178 28d1d60 WriteProcessMemory 22177->22178 22180 28d1db7 22178->22180 22180->22033 22182 28d1d60 WriteProcessMemory 22181->22182 22184 28d1db7 22182->22184 22184->22033 22186 28d178d Wow64SetThreadContext 22185->22186 22188 28d17d5 22186->22188 22188->22108 22190 28d178d Wow64SetThreadContext 22189->22190 22192 28d17d5 22190->22192 22192->22108
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 03422d217a417636c3a35163731f82e60353416c6e288f37035675f5b1284ae1
                                              • Instruction ID: 4a9f215204af078526f39bcb9964b1630d4f9d7b579841c1d3e07a1a39f649e3
                                              • Opcode Fuzzy Hash: 03422d217a417636c3a35163731f82e60353416c6e288f37035675f5b1284ae1
                                              • Instruction Fuzzy Hash: 64328A38B012049FEB19DB69D550BAEBBF7AF89304F54406AE109DB391DB38ED06CB51

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 0 28d2394-28d2435 2 28d246e-28d248e 0->2 3 28d2437-28d2441 0->3 10 28d24c7-28d24f6 2->10 11 28d2490-28d249a 2->11 3->2 4 28d2443-28d2445 3->4 5 28d2468-28d246b 4->5 6 28d2447-28d2451 4->6 5->2 8 28d2455-28d2464 6->8 9 28d2453 6->9 8->8 12 28d2466 8->12 9->8 17 28d252f-28d25e9 CreateProcessA 10->17 18 28d24f8-28d2502 10->18 11->10 13 28d249c-28d249e 11->13 12->5 15 28d24c1-28d24c4 13->15 16 28d24a0-28d24aa 13->16 15->10 19 28d24ac 16->19 20 28d24ae-28d24bd 16->20 31 28d25eb-28d25f1 17->31 32 28d25f2-28d2678 17->32 18->17 21 28d2504-28d2506 18->21 19->20 20->20 22 28d24bf 20->22 23 28d2529-28d252c 21->23 24 28d2508-28d2512 21->24 22->15 23->17 26 28d2514 24->26 27 28d2516-28d2525 24->27 26->27 27->27 28 28d2527 27->28 28->23 31->32 42 28d2688-28d268c 32->42 43 28d267a-28d267e 32->43 45 28d269c-28d26a0 42->45 46 28d268e-28d2692 42->46 43->42 44 28d2680 43->44 44->42 48 28d26b0-28d26b4 45->48 49 28d26a2-28d26a6 45->49 46->45 47 28d2694 46->47 47->45 50 28d26c6-28d26cd 48->50 51 28d26b6-28d26bc 48->51 49->48 52 28d26a8 49->52 53 28d26cf-28d26de 50->53 54 28d26e4 50->54 51->50 52->48 53->54 56 28d26e5 54->56 56->56
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 028D25D6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 535866912f9cd458f1fa7d63d48a0ceefe90daeeb0d6861155f5dd101f377269
                                              • Instruction ID: db894dc4748fc316c9cc7c3e520babdffe9d4e3dc8602e5ece80e39708013162
                                              • Opcode Fuzzy Hash: 535866912f9cd458f1fa7d63d48a0ceefe90daeeb0d6861155f5dd101f377269
                                              • Instruction Fuzzy Hash: EFA14A79D002198FEB14DF68D851BAEBBB2BF48314F1481A9EC08E7245DB749989CF91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 57 28d23a0-28d2435 59 28d246e-28d248e 57->59 60 28d2437-28d2441 57->60 67 28d24c7-28d24f6 59->67 68 28d2490-28d249a 59->68 60->59 61 28d2443-28d2445 60->61 62 28d2468-28d246b 61->62 63 28d2447-28d2451 61->63 62->59 65 28d2455-28d2464 63->65 66 28d2453 63->66 65->65 69 28d2466 65->69 66->65 74 28d252f-28d25e9 CreateProcessA 67->74 75 28d24f8-28d2502 67->75 68->67 70 28d249c-28d249e 68->70 69->62 72 28d24c1-28d24c4 70->72 73 28d24a0-28d24aa 70->73 72->67 76 28d24ac 73->76 77 28d24ae-28d24bd 73->77 88 28d25eb-28d25f1 74->88 89 28d25f2-28d2678 74->89 75->74 78 28d2504-28d2506 75->78 76->77 77->77 79 28d24bf 77->79 80 28d2529-28d252c 78->80 81 28d2508-28d2512 78->81 79->72 80->74 83 28d2514 81->83 84 28d2516-28d2525 81->84 83->84 84->84 85 28d2527 84->85 85->80 88->89 99 28d2688-28d268c 89->99 100 28d267a-28d267e 89->100 102 28d269c-28d26a0 99->102 103 28d268e-28d2692 99->103 100->99 101 28d2680 100->101 101->99 105 28d26b0-28d26b4 102->105 106 28d26a2-28d26a6 102->106 103->102 104 28d2694 103->104 104->102 107 28d26c6-28d26cd 105->107 108 28d26b6-28d26bc 105->108 106->105 109 28d26a8 106->109 110 28d26cf-28d26de 107->110 111 28d26e4 107->111 108->107 109->105 110->111 113 28d26e5 111->113 113->113
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 028D25D6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: edfe354718d02008da937d5125ccc1f46ec253a422b2a629504428705a3a66e2
                                              • Instruction ID: ecd9fd57030ff320c4ba18ea89c167706381bdd7ad2730a2b5a59ff3cf8bb658
                                              • Opcode Fuzzy Hash: edfe354718d02008da937d5125ccc1f46ec253a422b2a629504428705a3a66e2
                                              • Instruction Fuzzy Hash: C0914A79D00219CFEB14DF68D851BAEBBB2BF48314F1481A9EC08E7245DB749989CF91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 114 4ecae79-4ecae97 115 4ecae99-4ecaea6 call 4eca1e0 114->115 116 4ecaec3-4ecaec7 114->116 121 4ecaebc 115->121 122 4ecaea8 115->122 117 4ecaec9-4ecaed3 116->117 118 4ecaedb-4ecaf1c 116->118 117->118 125 4ecaf1e-4ecaf26 118->125 126 4ecaf29-4ecaf37 118->126 121->116 169 4ecaeae call 4ecb120 122->169 170 4ecaeae call 4ecb111 122->170 125->126 128 4ecaf39-4ecaf3e 126->128 129 4ecaf5b-4ecaf5d 126->129 127 4ecaeb4-4ecaeb6 127->121 132 4ecaff8-4ecb0b8 127->132 130 4ecaf49 128->130 131 4ecaf40-4ecaf47 call 4eca1ec 128->131 133 4ecaf60-4ecaf67 129->133 135 4ecaf4b-4ecaf59 130->135 131->135 164 4ecb0ba-4ecb0bd 132->164 165 4ecb0c0-4ecb0eb GetModuleHandleW 132->165 136 4ecaf69-4ecaf71 133->136 137 4ecaf74-4ecaf7b 133->137 135->133 136->137 139 4ecaf7d-4ecaf85 137->139 140 4ecaf88-4ecaf91 call 4eca1fc 137->140 139->140 145 4ecaf9e-4ecafa3 140->145 146 4ecaf93-4ecaf9b 140->146 148 4ecafa5-4ecafac 145->148 149 4ecafc1-4ecafce 145->149 146->145 148->149 150 4ecafae-4ecafbe call 4eca20c call 4eca21c 148->150 155 4ecafd0-4ecafee 149->155 156 4ecaff1-4ecaff7 149->156 150->149 155->156 164->165 166 4ecb0ed-4ecb0f3 165->166 167 4ecb0f4-4ecb108 165->167 166->167 169->127 170->127
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 04ECB0DE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2271188001.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4ec0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: a3b66b07e15011a98cbe4070954ba636f39ad595aa23ac13dfe53f7b4abd9837
                                              • Instruction ID: 3abff288faa0b711fcbee60b3529fb7dd2ceb36e19cafab92c06cc808ea4c844
                                              • Opcode Fuzzy Hash: a3b66b07e15011a98cbe4070954ba636f39ad595aa23ac13dfe53f7b4abd9837
                                              • Instruction Fuzzy Hash: B68134B0A00B498FD724DF29D64575ABBF1FF88304F008A2ED45AD7A40DB75E946CB94

                                              Control-flow Graph (function at 4ec590c, calls CreateActCtxA; graph rendering not preserved in this extract)
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 04EC59C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2271188001.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4ec0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0

                                              Control-flow Graph (function at 4ec44e4, calls CreateActCtxA; graph rendering not preserved in this extract)
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 04EC59C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2271188001.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4ec0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0

                                              Control-flow Graph (function at 4ec5a84, no API calls; graph rendering not preserved in this extract)
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2271188001.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4ec0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:

                                              Control-flow Graph (function at 28d1d10, calls WriteProcessMemory; graph rendering not preserved in this extract)
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028D1DA8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0

                                              Control-flow Graph (function at 28d1d18, calls WriteProcessMemory; graph rendering not preserved in this extract)
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 028D1DA8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0

                                              Control-flow Graph (function at 28d1e01, calls ReadProcessMemory; graph rendering not preserved in this extract)
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028D1E88
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0

                                              Control-flow Graph (function at 28d1741, calls Wow64SetThreadContext; graph rendering not preserved in this extract)
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 028D17C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0

                                              Control-flow Graph (function at 4ecb870, calls DuplicateHandle; graph rendering not preserved in this extract)
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04ECD726,?,?,?,?,?), ref: 04ECD7E7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2271188001.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4ec0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0

                                              Control-flow Graph (function at 28d1e08, calls ReadProcessMemory; graph rendering not preserved in this extract)
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028D1E88
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0

                                              Control-flow Graph (function at 28d1748, calls Wow64SetThreadContext; graph rendering not preserved in this extract)
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 028D17C6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0

                                              Control-flow Graph (function at 4ecd759, calls DuplicateHandle; graph rendering not preserved in this extract)
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,04ECD726,?,?,?,?,?), ref: 04ECD7E7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2271188001.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4ec0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0

                                              Control-flow Graph (function at 28d1c50, calls VirtualAllocEx; graph rendering not preserved in this extract)
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 028D1CC6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04ECB159,00000800,00000000,00000000), ref: 04ECB36A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2271188001.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4ec0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 028D1CC6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04ECB159,00000800,00000000,00000000), ref: 04ECB36A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2271188001.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4ec0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 04ECB0DE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2271188001.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4ec0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 028D4645
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 028D4645
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2267056203.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d3d000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5aac6da0459b5951123b957956712c4266ab0f0f8d09ed25464fdc528c5ada5e
                                              • Instruction ID: 86b438f458f360f6eb202db03cd7d26cfe3cf72cd560dee2a32b87b3a20978fd
                                              • Opcode Fuzzy Hash: 5aac6da0459b5951123b957956712c4266ab0f0f8d09ed25464fdc528c5ada5e
                                              • Instruction Fuzzy Hash: DF21F572504244EFDB15DF14E9C0B26BF66FB88318F24C569E9490B256C336D856CEB1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268039058.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11dd000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0a341757feb4faa9df30e54f6ec445190d980a353a875333484842fe99a8d165
                                              • Instruction ID: 3ca010eef383f0548a336674a326f70fed956fa9308acf04c3a7b18810488630
                                              • Opcode Fuzzy Hash: 0a341757feb4faa9df30e54f6ec445190d980a353a875333484842fe99a8d165
                                              • Instruction Fuzzy Hash: 45210075604200EFDF19DF68E980B26BB65EBC8314F20C56DD90A0B296C77AD406CA62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268039058.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11dd000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 80b966f6b86fe0b3bd099367388f31bdde33ed65cd759331aa42d2c6296af731
                                              • Instruction ID: a258ac4758a6463cb5134487e6f7aef5e76b593ff903a42e21c4d4a6bda26afd
                                              • Opcode Fuzzy Hash: 80b966f6b86fe0b3bd099367388f31bdde33ed65cd759331aa42d2c6296af731
                                              • Instruction Fuzzy Hash: 50212675504304EFDF09DF94E9C0F26BBA5FB84324F20C56DE90A4B292C77AD446CA62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268039058.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11dd000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9de4ea31916f7024ddad8496a5476b991176820d290d0d52bf473a9dde53bdf7
                                              • Instruction ID: b3c78557f878e6eed1b012bedb1b075535dfe912497d54cbf6a6c9066b061cca
                                              • Opcode Fuzzy Hash: 9de4ea31916f7024ddad8496a5476b991176820d290d0d52bf473a9dde53bdf7
                                              • Instruction Fuzzy Hash: 2721C3755093808FCB17CF24D990B15BF71EB85314F28C5EAD8498B6A7C33AD40ACB62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2267056203.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d3d000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                              • Instruction ID: 65dbf69d0789dcbcb8d77217ec5e23e748ec84d6a9d552dcc3d92ceaf5911f5d
                                              • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                              • Instruction Fuzzy Hash: 3511E676504280CFCB16CF10D9C4B16BF72FB94318F28C6A9D8490B656C33AD856CFA1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268039058.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_11dd000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                              • Instruction ID: 023c235932f58d30f3b219bf5fe983f62620d92fcb4eaa2efbbc5caca3f7d7f6
                                              • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                              • Instruction Fuzzy Hash: 6011BB75504280DFCF06CF54D5C0B15BBB1FB84224F24C6A9D8494B6A6C33AD40ACB62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2267056203.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d3d000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df762e10dbabc8a388ca12afc20442c7fd2a6df60481d8866b91b6b445a22f24
                                              • Instruction ID: d1688ca5c14d86753f4177d7295d3697d84d1ee8b7f62c6e94a8490cd19b1ad2
                                              • Opcode Fuzzy Hash: df762e10dbabc8a388ca12afc20442c7fd2a6df60481d8866b91b6b445a22f24
                                              • Instruction Fuzzy Hash: 1901F2B20043409AE7104A25ED84B66BF98EF41320F28841AED4A0A286C7B9D840CAB1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2267056203.0000000000D3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D3D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_d3d000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b8dab1dcceca1abdd27e2a1b8863a2195ab5b3b88f1594489bf50dd6bc4f6d1d
                                              • Instruction ID: 9f239a7fa3c9061a299875857f3145e7796e393a7c9f6a22e3c735d078f26487
                                              • Opcode Fuzzy Hash: b8dab1dcceca1abdd27e2a1b8863a2195ab5b3b88f1594489bf50dd6bc4f6d1d
                                              • Instruction Fuzzy Hash: C6F0C2B2404344AEE7108A06ECC4B62FFA8EF50724F18C45AED090B286C3B9AC40CAB1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2268886102.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_28d0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4bd56d41d95a75e90f9f9015166699f216d474fcb7189ac773e2116d8cad9b95
                                              • Instruction ID: 7b63e65bca6b9d4ca8659a25f39c026b85dbd26d32ff65378db78500957ef876
                                              • Opcode Fuzzy Hash: 4bd56d41d95a75e90f9f9015166699f216d474fcb7189ac773e2116d8cad9b95
                                              • Instruction Fuzzy Hash: BBE11A78E002598FDB14DF99C584AAEFBB2FF88304F248269D418A7355D731AD86CF60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2271188001.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_4ec0000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f82026c03c4a3a6521ecaa85a1e95c3ce6e250dbfd3589c4b07f7ff03d34962e
                                              • Instruction ID: f6d035cd34f5ed55edb447d3bd42936691dfe9c549bd64f18c3e036a354d4461
                                              • Opcode Fuzzy Hash: f82026c03c4a3a6521ecaa85a1e95c3ce6e250dbfd3589c4b07f7ff03d34962e
                                              • Instruction Fuzzy Hash: 50A17D32E002098FCF05DFB5CA4499EBBB3FF85304B15956EE805AB2A1DB75E916CB40

                                              Execution Graph

                                              Execution Coverage: 10.4%
                                              Dynamic/Decrypted Code Coverage: 100%
                                              Signature Coverage: 0%
                                              Total number of Nodes: 184
                                              Total number of Limit Nodes: 20

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: $
                                              • API String ID: 0-3993045852
                                              • Opcode ID: 0e008e1c40157f8667b2b21fc6c7b9bd6fcf9e6aad02861315abf7d7270eb83b
                                              • Instruction ID: 38ad29c9f1d56733e205cfb9e51bdccf1ef834dbd0a01a558b12f45e95c76a8a
                                              • Opcode Fuzzy Hash: 0e008e1c40157f8667b2b21fc6c7b9bd6fcf9e6aad02861315abf7d7270eb83b
                                              • Instruction Fuzzy Hash: 5122C035E0036A8FDB64DBA4C5846AEB7B2FF49324F248469D856EB384DB35DC41CB90
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4aece96608031818d406b4f296cdaafbd50a757276aa160aa811eba759df52fd
                                              • Instruction ID: 51344bd3216f803cc0ea3dd94941aca5c130cb356d40d8ef643dfb2fb3939ad0
                                              • Opcode Fuzzy Hash: 4aece96608031818d406b4f296cdaafbd50a757276aa160aa811eba759df52fd
                                              • Instruction Fuzzy Hash: 22925534A003168FDB64DF68C584B9DB7F2FB88318F5494A9D509AB365DB35ED81CB80
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2feda312c715c93e76f6fa8ced42fd7effad35370514769f264e28ca627fb7ac
                                              • Instruction ID: 84e91f21c4648f64e6680e08c68cca8a09d5697090c307522f9055e547aed90e
                                              • Opcode Fuzzy Hash: 2feda312c715c93e76f6fa8ced42fd7effad35370514769f264e28ca627fb7ac
                                              • Instruction Fuzzy Hash: 7A627B34A002268FDB54DB68D584BADB7F3EF88314F249569E9069B394DB35EC46CB80
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bcc62c38954414485adbcef3403d6bea3bcd25a020a05ffe049420af11f9dbb1
                                              • Instruction ID: 5a9909102fe2034bee0288ff235f04749abb1177d9e1b1d6a4bbec9ef7f3e2c3
                                              • Opcode Fuzzy Hash: bcc62c38954414485adbcef3403d6bea3bcd25a020a05ffe049420af11f9dbb1
                                              • Instruction Fuzzy Hash: 51225230E1021A8FEF64CBA8D4847ADB7B7FB89318F649529E405DB391DA74DC81CB51
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a4bd5428215ab252d2801c580d35b50a0b3de3142352b040f1ace4df0a63826a
                                              • Instruction ID: 2e3dca289b67b54e1e50e567cb969c89afbe3cb38d8334c07f8da82c74ce7fb8
                                              • Opcode Fuzzy Hash: a4bd5428215ab252d2801c580d35b50a0b3de3142352b040f1ace4df0a63826a
                                              • Instruction Fuzzy Hash: E9322C30E1075ACBDB14DB65C89059DB7B6FFC9300F2096AAD40AAB254EF74AD85CF90
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: edc5b7aba1fb0a40759d09eb845d3a3473a8096e021964b77608976c6018bc66
                                              • Instruction ID: 705ac03072d031ffadb9b941a7f063a154f7bd38c547a852ab400a100c31d1d2
                                              • Opcode Fuzzy Hash: edc5b7aba1fb0a40759d09eb845d3a3473a8096e021964b77608976c6018bc66
                                              • Instruction Fuzzy Hash: 6902CE30B012268FDB54DB65D494BAEB7E3FF88304F249528E5069B394DB75EC86CB90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3505985999.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e10000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: da81851461fb7e02d933e965b0c3f59549d819e6733a7297a8ba7bd2a28aa1b1
                                              • Instruction ID: fb0332bb467fc641206b3f939a2a1dc87ea31ac0ba13be701fb3b1903edb6d05
                                              • Opcode Fuzzy Hash: da81851461fb7e02d933e965b0c3f59549d819e6733a7297a8ba7bd2a28aa1b1
                                              • Instruction Fuzzy Hash: E5815670A00B058FD764DF6AD44479ABBF5FF88304F008A2DD49ADBA50DB74E84ACB90

                                              Control-flow Graph

                                              control_flow_graph 235 181eb48-181eb50 236 181eb52-181eb63 235->236 237 181eb0f 235->237 241 181eb65-181eb8c 236->241 242 181eb8d-181ebac call 181e748 236->242 238 181ea95-181eb03 237->238 247 181ebb2-181ec11 242->247 248 181ebae-181ebb1 242->248 255 181ec13-181ec16 247->255 256 181ec17-181eca4 GlobalMemoryStatusEx 247->256 260 181eca6-181ecac 256->260 261 181ecad-181ecd5 256->261 260->261
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3500742920.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1810000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fd1ab130a88f995d2bee19766018b516d007c0fa89887d9d04c0b145d2e31b4c
                                              • Instruction ID: bb5f0d398e6e59d8a87e7520f49931663b4b2a12356a6d5bced995de3be45a23
                                              • Opcode Fuzzy Hash: fd1ab130a88f995d2bee19766018b516d007c0fa89887d9d04c0b145d2e31b4c
                                              • Instruction Fuzzy Hash: EF413272D0439ACFDB14DFAAD8006EEBBF5AF89310F14856BD904E7240EB749945CBA0

                                              Control-flow Graph

                                              control_flow_graph 264 6e1d804-6e1d876 266 6e1d881-6e1d888 264->266 267 6e1d878-6e1d87e 264->267 268 6e1d893-6e1d8cb 266->268 269 6e1d88a-6e1d890 266->269 267->266 270 6e1d8d3-6e1d932 CreateWindowExW 268->270 269->268 271 6e1d934-6e1d93a 270->271 272 6e1d93b-6e1d973 270->272 271->272 276 6e1d980 272->276 277 6e1d975-6e1d978 272->277 278 6e1d981 276->278 277->276 278->278
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E1D922
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3505985999.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e10000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 9568476b798da4145a87848cb8fe4dc75582b4f07d5a8d612c0eaee778c3b169
                                              • Instruction ID: ca7f869dd7e0ab7eca1ed46d4ce1f6b5c6dba139f9f838065e1ce72dc65228ef
                                              • Opcode Fuzzy Hash: 9568476b798da4145a87848cb8fe4dc75582b4f07d5a8d612c0eaee778c3b169
                                              • Instruction Fuzzy Hash: 9A51D2B1D00349DFDB14CFAAC894ADEBFB5BF48310F24912AE819AB210D7719985CF90

                                              Control-flow Graph

                                              control_flow_graph 279 6e1d810-6e1d876 280 6e1d881-6e1d888 279->280 281 6e1d878-6e1d87e 279->281 282 6e1d893-6e1d932 CreateWindowExW 280->282 283 6e1d88a-6e1d890 280->283 281->280 285 6e1d934-6e1d93a 282->285 286 6e1d93b-6e1d973 282->286 283->282 285->286 290 6e1d980 286->290 291 6e1d975-6e1d978 286->291 292 6e1d981 290->292 291->290 292->292
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06E1D922
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3505985999.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e10000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 47968d34a9220a9335a734ab64ad5315312312c5cae26c8309809eb4aff74461
                                              • Instruction ID: 57f4bcb06fccff42a70a8860164fefd5b7fd7665915b58ca32912885edaadee9
                                              • Opcode Fuzzy Hash: 47968d34a9220a9335a734ab64ad5315312312c5cae26c8309809eb4aff74461
                                              • Instruction Fuzzy Hash: CA41C1B1D00349DFDB14CF9AC894ADEBFB5BF48314F24912AE819AB210D7B49985CF90

                                              Control-flow Graph

                                              control_flow_graph 293 6e1cd6c-6e1fe0c 296 6e1fe12-6e1fe17 293->296 297 6e1febc-6e1fedc call 6e1cc44 293->297 299 6e1fe19-6e1fe50 296->299 300 6e1fe6a-6e1fea2 CallWindowProcW 296->300 304 6e1fedf-6e1feec 297->304 307 6e1fe52-6e1fe58 299->307 308 6e1fe59-6e1fe68 299->308 301 6e1fea4-6e1feaa 300->301 302 6e1feab-6e1feba 300->302 301->302 302->304 307->308 308->304
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 06E1FE91
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3505985999.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e10000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 70c06d8ee5e50d989be5317c1c2465fdb23225790de3628c2ec2f56becb69827
                                              • Instruction ID: ed613a50448d5c1d15c498e6796a2c6c770b626e7cb2544bd400aa1e5348322b
                                              • Opcode Fuzzy Hash: 70c06d8ee5e50d989be5317c1c2465fdb23225790de3628c2ec2f56becb69827
                                              • Instruction Fuzzy Hash: 0F413BB5900309CFDB54CF99C848AAAFBF5FF88324F248459E519AB321D774A941CFA0

                                              Control-flow Graph

                                              control_flow_graph 310 6e13048-6e130e4 DuplicateHandle 311 6e130e6-6e130ec 310->311 312 6e130ed-6e1310a 310->312 311->312
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06E130D7
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3505985999.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e10000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 5853d09388ec7eda1def6eb04cee392c1abe7d6b8b8658900761aaf16ace9078
                                              • Instruction ID: db8093dc51f0637cfab839b04c76a5e968ba4d75a25bb410b71009724a8c7d43
                                              • Opcode Fuzzy Hash: 5853d09388ec7eda1def6eb04cee392c1abe7d6b8b8658900761aaf16ace9078
                                              • Instruction Fuzzy Hash: B121E3B5D00209DFDB10CFAAD984AEEBBF5EB48310F14841AE915A7350D379A950CF61

                                              Control-flow Graph

                                              control_flow_graph 315 6e13050-6e130e4 DuplicateHandle 316 6e130e6-6e130ec 315->316 317 6e130ed-6e1310a 315->317 316->317
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06E130D7
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3505985999.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e10000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 11979e5fb6c96b50503520348b56c2e1865dbe0e18b0859723168c8a041ef891
                                              • Instruction ID: 9a17ac0668bb9d053aa948db5dff16f8361f9891d0539d52e13f83c58f58744e
                                              • Opcode Fuzzy Hash: 11979e5fb6c96b50503520348b56c2e1865dbe0e18b0859723168c8a041ef891
                                              • Instruction Fuzzy Hash: 2A21E3B5900309DFDB10CFAAD984ADEBBF4EB48320F14841AE914A7210D379A950CF61

                                              Control-flow Graph

                                              control_flow_graph 320 6e1b67b-6e1b6c0 322 6e1b6c2-6e1b6c5 320->322 323 6e1b6c8-6e1b6f7 LoadLibraryExW 320->323 322->323 324 6e1b700-6e1b71d 323->324 325 6e1b6f9-6e1b6ff 323->325 325->324
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 06E1B6EA
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3505985999.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e10000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 5aad872981cd6eaf9bd91f172d2f37046b10d59c8f2b93419b0832a8f7c5fdf0
                                              • Instruction ID: ce258f940ac446d12eee72317456238045acbf864863e1699027acac9c2e835e
                                              • Opcode Fuzzy Hash: 5aad872981cd6eaf9bd91f172d2f37046b10d59c8f2b93419b0832a8f7c5fdf0
                                              • Instruction Fuzzy Hash: 0A1126B6C003498FDB10CFAAD844ADEFBF4EF88320F10841AE519A7200C375A545CFA5

                                              Control-flow Graph

                                              control_flow_graph 328 181ec30-181ec6e 329 181ec76-181eca4 GlobalMemoryStatusEx 328->329 330 181eca6-181ecac 329->330 331 181ecad-181ecd5 329->331 330->331
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE ref: 0181EC97
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3500742920.0000000001810000.00000040.00000800.00020000.00000000.sdmp, Offset: 01810000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1810000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 56172107b43cee3ff016ac4baf3941c7429d0aeb9f5d19deca6bce437bf70be5
                                              • Instruction ID: fde2c3675774b3e9d4b3d8bde605cb65a9913b01db91cd86678ed143c76fc8b3
                                              • Opcode Fuzzy Hash: 56172107b43cee3ff016ac4baf3941c7429d0aeb9f5d19deca6bce437bf70be5
                                              • Instruction Fuzzy Hash: 511114B2C0065ADFDB10CF9AC544BDEFBF4AF48320F14852AD918A7240D378A954CFA1

                                              Control-flow Graph

                                              control_flow_graph 334 6e1b680-6e1b6c0 335 6e1b6c2-6e1b6c5 334->335 336 6e1b6c8-6e1b6f7 LoadLibraryExW 334->336 335->336 337 6e1b700-6e1b71d 336->337 338 6e1b6f9-6e1b6ff 336->338 338->337
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 06E1B6EA
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3505985999.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e10000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 5c5704dac84673c177a7cc5e701727a6e31b505736b96f5cd5d3e94052762d9c
                                              • Instruction ID: 7564831739117d043405a25c25343c09965a171419a0e392e90e090fa9c361d8
                                              • Opcode Fuzzy Hash: 5c5704dac84673c177a7cc5e701727a6e31b505736b96f5cd5d3e94052762d9c
                                              • Instruction Fuzzy Hash: C911F6B6C003098FDB10CF9AD844ADEFBF4AF48324F10841AD519A7210C375A545CFA5

                                              Control-flow Graph

                                              control_flow_graph 341 6e1a17c-6e1b458 343 6e1b460-6e1b48b GetModuleHandleW 341->343 344 6e1b45a-6e1b45d 341->344 345 6e1b494-6e1b4a8 343->345 346 6e1b48d-6e1b493 343->346 344->343 346->345
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06E1B244), ref: 06E1B47E
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3505985999.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e10000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 2fe90ae1dbb6567a2fcc6e15ac7db4c668f7e0d261fe1de161341a55a85a3f1d
                                              • Instruction ID: f6b0816af5f00fefc33d2da14ac41a9c1bbe51c591840b9e049623cbf2f6396c
                                              • Opcode Fuzzy Hash: 2fe90ae1dbb6567a2fcc6e15ac7db4c668f7e0d261fe1de161341a55a85a3f1d
                                              • Instruction Fuzzy Hash: FA11F0B5C007498FDB20CF9AC444ADEFBF4EB88724F10846AD919A7210D3B9A545CFA1
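The `control_flow_graph` lines in the entries above are the serialized form of the graphs the report renders as images: a flat token stream of decimal block ids, hex address ranges (or a single address for a one-instruction block), `call <addr>` targets inside the dumped module, bare imported API names, and `src->dst` edges. The parser below is an added example written for this page, not Joe Sandbox code; the token grammar is inferred from the lines on this page rather than taken from a published specification, so treat it as an assumption that holds for this report. It reduces each function to what a triager wants from these entries: the entry block, the address span, which blocks resolve which imported APIs, intra-module callees, and loops (back edges). The two sample strings are copied verbatim from this report's CreateWindowExW (06E1D804) and CallWindowProcW (06E1CD6C) entries.

```python
"""Parser for the `control_flow_graph ...` lines Joe Sandbox prints under "Control-flow Graph".
Tokens, as observed on this page (assumed grammar): `<id> <start>-<end>` or `<id> <addr>` defines
a basic block, `call <addr>` marks an intra-module call from the most recently defined block, a
bare `<ApiName>` marks an imported API resolved in that block, `<a>-><b>` is an edge."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class Block:
    start: int
    end: int
    calls: list = field(default_factory=list)  # addresses of intra-module callees
    apis: list = field(default_factory=list)   # imported API names used in this block


def parse_cfg(text):
    """Return (blocks, edges): {id: Block} and [(src, dst)] in report order; rejects malformed input."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if m := EDGE_RE.match(tok):
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok == "call":  # 'call <addr>' annotates the most recently defined block
            if current is None or i + 1 >= len(tokens) or not HEX_RE.match(tokens[i + 1]):
                raise ValueError(f"malformed 'call' at token {i}")
            blocks[current].calls.append(int(tokens[i + 1], 16))
            i += 2
        elif tok.isdigit():  # a decimal node id is always followed by its address or range
            lo, _, hi = tokens[i + 1].partition("-") if i + 1 < len(tokens) else ("", "", "")
            if not HEX_RE.match(lo) or (hi and not HEX_RE.match(hi)):
                raise ValueError(f"bad address range for node {tok}")
            current, start = int(tok), int(lo, 16)
            blocks[current] = Block(start, int(hi, 16) if hi else start)
            i += 2
        else:  # anything else is an imported API name resolved in the current block
            if current is None:
                raise ValueError(f"API name {tok!r} before any block definition")
            blocks[current].apis.append(tok)
            i += 1
    if any(a not in blocks or b not in blocks for a, b in edges):
        raise ValueError("edge references an undefined block")
    return blocks, edges


def entries(blocks, edges):
    """Blocks with no predecessor: the function entry plus any unreachable fragments."""
    targets = {b for _, b in edges}
    return sorted(n for n in blocks if n not in targets)


def back_edges(blocks, edges):
    """Edges that close a cycle (loops): iterative DFS; an edge into a grey node is a back edge."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    WHITE, GREY, BLACK = 0, 1, 2
    colour, found = {n: WHITE for n in blocks}, []
    for root in entries(blocks, edges) + sorted(blocks):  # entries first, then any leftovers
        if colour[root] != WHITE:
            continue
        colour[root], stack = GREY, [(root, iter(succ[root]))]
        while stack:
            node, it = stack[-1]
            nxt = next(it, None)
            if nxt is None:
                colour[node] = BLACK
                stack.pop()
            elif colour[nxt] == GREY:
                found.append((node, nxt))
            elif colour[nxt] == WHITE:
                colour[nxt] = GREY
                stack.append((nxt, iter(succ[nxt])))
    return found


def summarize(text):
    """Per-function digest of one graph line: size, address span, entry, APIs, callees, loops."""
    blocks, edges = parse_cfg(text)
    return {
        "blocks": len(blocks), "edges": len(edges),
        "range": (min(b.start for b in blocks.values()), max(b.end for b in blocks.values())),
        "entry": entries(blocks, edges), "apis": sorted((n, i) for i, b in blocks.items() for n in b.apis),
        "calls": sorted({c for b in blocks.values() for c in b.calls}), "loops": back_edges(blocks, edges),
    }


# Graph data copied from this report: the CreateWindowExW function at 06E1D804 (node 278 jumps to itself)
SAMPLE_CREATEWINDOW = (
    "control_flow_graph 264 6e1d804-6e1d876 266 6e1d881-6e1d888 264->266 267 6e1d878-6e1d87e 264->267 "
    "268 6e1d893-6e1d8cb 266->268 269 6e1d88a-6e1d890 266->269 267->266 270 6e1d8d3-6e1d932 CreateWindowExW "
    "268->270 269->268 271 6e1d934-6e1d93a 270->271 272 6e1d93b-6e1d973 270->272 271->272 276 6e1d980 "
    "272->276 277 6e1d975-6e1d978 272->277 278 6e1d981 276->278 277->276 278->278")
# Graph data copied from this report: the CallWindowProcW function at 06E1CD6C (carries a 'call' annotation)
SAMPLE_CALLWINDOWPROC = (
    "control_flow_graph 293 6e1cd6c-6e1fe0c 296 6e1fe12-6e1fe17 293->296 297 6e1febc-6e1fedc call 6e1cc44 "
    "293->297 299 6e1fe19-6e1fe50 296->299 300 6e1fe6a-6e1fea2 CallWindowProcW 296->300 304 6e1fedf-6e1feec "
    "297->304 307 6e1fe52-6e1fe58 299->307 308 6e1fe59-6e1fe68 299->308 301 6e1fea4-6e1feaa 300->301 "
    "302 6e1feab-6e1feba 300->302 301->302 302->304 307->308 308->304")
```

Run `summarize()` over every `control_flow_graph` line of the report to get one digest per function. On the CreateWindowExW sample the only back edge is `278->278`, the single-instruction block at 6E1D981 that branches to itself; on the CallWindowProcW sample the parser attributes the imported API to block 300 and the intra-module callee 6E1CC44 to block 297, and reports no loops. The parser raises `ValueError` rather than silently producing a partial graph when a token does not fit the observed grammar, which is the behaviour wanted if a future report version changes the format.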
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b07791f98172574330ef987e2b39ed56c9163abeb358a93e62137a342b39e4b4
                                              • Instruction ID: ccd42949a99473f92b06f172038cce9f0b5816cde29b65ecc737d51238ba94ef
                                              • Opcode Fuzzy Hash: b07791f98172574330ef987e2b39ed56c9163abeb358a93e62137a342b39e4b4
                                              • Instruction Fuzzy Hash: 5F625B30B1021B8FDB65DB69D990A5DBBB3FF84304F209A29D105DB255DB79EC86CB80
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 370c1b329c98cc76e263a6c94518fb79e0308767f19379d66bafb4985076e270
                                              • Instruction ID: c7304798218c758293740eeebcfa897507ca3a97ba58704c74dbbf93de921260
                                              • Opcode Fuzzy Hash: 370c1b329c98cc76e263a6c94518fb79e0308767f19379d66bafb4985076e270
                                              • Instruction Fuzzy Hash: A1328134B0021A9FDB94DB69D890BAEB7B3FB88714F209529E505E7345DB35EC81CB90
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3c856b6bdbe02fe1160e248b97ab059985163679efad30d580f665e6545786f7
                                              • Instruction ID: 4cd5bff86378410e97fb03876018a854fc7766439d9933f50984cf51137acd0a
                                              • Opcode Fuzzy Hash: 3c856b6bdbe02fe1160e248b97ab059985163679efad30d580f665e6545786f7
                                              • Instruction Fuzzy Hash: 91028C30E1032A8FEBA4CB68D4847ADB7B2FF85318F14996AE405DB255DB74DC81CB91
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b95d17ffedd527bb631ea5f407ff1513bb444783b940acdbd9d3700b77b4e4bd
                                              • Instruction ID: c157abac0bc17602ca10b607b863f61c38df6cca024bc7dd7458739470221267
                                              • Opcode Fuzzy Hash: b95d17ffedd527bb631ea5f407ff1513bb444783b940acdbd9d3700b77b4e4bd
                                              • Instruction Fuzzy Hash: 3B915130B0125B8FDB54DB6AD890BAEB7F6FF85200F109469D50AEB345EF74AC458B90
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fb46f996760a0019902fa3160192a3e800f2bd292a6d7d0208bdd7b186eb60c3
                                              • Instruction ID: 5b44356d3fbc9cc8f7069276c595a31bcaea1c1235f071ce7f8a23508719424c
                                              • Opcode Fuzzy Hash: fb46f996760a0019902fa3160192a3e800f2bd292a6d7d0208bdd7b186eb60c3
                                              • Instruction Fuzzy Hash: 5661E3B2F002624BDF549A6DC88066FBBD7EFC4220B154079E90ADB364DEB5EC0287C1
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 087597777e49567ca9b512d6b527b19cd0bf0b8b0f9e39e43cf3b0749c0a31f1
                                              • Instruction ID: e257d45e2ad6d63d56355369f424c1a341f4e66377444bcf5820805632b6c080
                                              • Opcode Fuzzy Hash: 087597777e49567ca9b512d6b527b19cd0bf0b8b0f9e39e43cf3b0749c0a31f1
                                              • Instruction Fuzzy Hash: 34814D34B0125A8BDB54DBA9D59475EB7F3FF89304F248528E40ADB384EB34DC468B91
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7df00a874c48f11b7184ff75b8b6b1a291c813b9a4d01ff2f8e9b5782e340c66
                                              • Instruction ID: 5a7c5aac63084c709d65da829fd841a09deeda2c96de2115ddb0b9e17294c0f3
                                              • Opcode Fuzzy Hash: 7df00a874c48f11b7184ff75b8b6b1a291c813b9a4d01ff2f8e9b5782e340c66
                                              • Instruction Fuzzy Hash: E1914130E1071ACBDF60DF68C840B9DB7B2FF89314F208599D549AB285DB70AA85CF90
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c4b2e41c6d6c2d953410f89041e447a6462f36a8d63f662cd0b3062136f4caeb
                                              • Instruction ID: 38eb1fa55e8530308352bdb9206220d25100bd77707cf3ff27a969891916a1f2
                                              • Opcode Fuzzy Hash: c4b2e41c6d6c2d953410f89041e447a6462f36a8d63f662cd0b3062136f4caeb
                                              • Instruction Fuzzy Hash: 5C717031E0031A8BDB19DFA5D4406AEBBB3FFC9304F209529E509AB354DB749946CB90
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6e20000_HSBC Payment Advice_pdf.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0cc38f5e3be17fd55ca1396cd4fb301f24cce2cd01031034207a5c32c30a85d9
                                              • Instruction ID: a4a98f32d05eb2cb68e6251a4819151dd32a5457c86992d376fe0fc06b4de878
                                              • Opcode Fuzzy Hash: 0cc38f5e3be17fd55ca1396cd4fb301f24cce2cd01031034207a5c32c30a85d9
                                              • Instruction Fuzzy Hash: FD913030E1061ACBDF64DF64C840B9DB7B2FF89314F208599D549BB285DB71AA85CF90
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.3506038125.0000000006E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a38484972928952ff973894427b12e3f641e53e905e461275303643a187838d7
                                              • Instruction ID: 5d5cc8a8a012b55d4ea1ac95f1b499e25b81353013bcd8277964e3ea38b01b58
                                              • Opcode Fuzzy Hash: a38484972928952ff973894427b12e3f641e53e905e461275303643a187838d7
                                              • Instruction Fuzzy Hash: 24E09B71E1D3696BDB60CAB49D1569B7B5EA702108F1045D5D444C7141E175CA05CB91