Play interactive tour

Edit tour

Analysis Report T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Overview

General Information

Sample Name:	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Analysis ID:	411744
MD5:	306237cff93b7d61b1f72c400a9522e1
SHA1:	aa8942a24452ac6e95feb05f1a5038d006f08c4d
SHA256:	4ffd8307eca6e6b382c035cb0ad32e52f37f9180e092764d6224d97557ef8ec9
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses an obfuscated file name to hide its real file extension (double extension)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe' MD5: 306237CFF93B7D61B1F72C400A9522E1)

T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe (PID: 4164 cmdline: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe MD5: 306237CFF93B7D61B1F72C400A9522E1)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9a1d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9a572:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc15f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xc1992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa6285:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xcd6a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xa5d71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xcd191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xa6387:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xcd7a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xa64ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xcd91f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9af8a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xc23aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xa4fec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xcc40c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9bd02:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xc3122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xab377:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xd2797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac41a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xa82a9:$sqlite3step: 68 34 1C 7B E1 0xa83bc:$sqlite3step: 68 34 1C 7B E1 0xcf6c9:$sqlite3step: 68 34 1C 7B E1 0xcf7dc:$sqlite3step: 68 34 1C 7B E1 0xa82d8:$sqlite3text: 68 38 2A 90 C5 0xa83fd:$sqlite3text: 68 38 2A 90 C5 0xcf6f8:$sqlite3text: 68 38 2A 90 C5 0xcf81d:$sqlite3text: 68 38 2A 90 C5 0xa82eb:$sqlite3blob: 68 53 D8 7F 8C 0xa8413:$sqlite3blob: 68 53 D8 7F 8C 0xcf70b:$sqlite3blob: 68 53 D8 7F 8C 0xcf833:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 7028	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, CommandLine: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, NewProcessName: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, OriginalFileName: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe' , ParentImage: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, ParentProcessId: 7028, ProcessCommandLine: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, ProcessId: 4164

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Virustotal: Detection: 34%	Perma Link
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Metadefender: Detection: 38%	Perma Link
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	ReversingLabs: Detection: 65%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Code function: 4x nop then pop ebx

4_2_00406A9A

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.rogegalmish.com/a8si/

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657480728.00000000058CB000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680325425.00000000025B1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660140019.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660140019.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659592367.00000000058ED000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659592367.00000000058ED000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comV
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659592367.00000000058ED000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comtigK&
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.662560278.00000000058E5000.00000004.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.663739401.00000000058E5000.00000004.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.662263041.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.663430742.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers1
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.662560278.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersV0
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.663769723.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersn
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.669067713.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersz0
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680256955.0000000000D07000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comgritan
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657228680.00000000058B5000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657286654.00000000058CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659151965.00000000058B5000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.658694270.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnTCV
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.664941588.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmn6
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659049481.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.658694270.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr.TTF
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.668655621.00000000058E5000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotT.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660255920.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comY
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660255920.00000000058B2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comlicB
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657480728.00000000058CB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comn
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	String found in binary or memory: http://www.webstarmax.com/
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	String found in binary or memory: http://www.webstarmax.com/9mailto:office
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_004181C0 NtCreateFile,	4_2_004181C0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00418270 NtReadFile,	4_2_00418270
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_004182F0 NtClose,	4_2_004182F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_004183A0 NtAllocateVirtualMemory,	4_2_004183A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041826A NtReadFile,	4_2_0041826A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041839A NtAllocateVirtualMemory,	4_2_0041839A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9860 NtQuerySystemInformation,LdrInitializeThunk,	4_2_010D9860
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9660 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_010D9660
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D96E0 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_010D96E0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9910 NtAdjustPrivilegesToken,	4_2_010D9910
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9950 NtQueueApcThread,	4_2_010D9950
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D99A0 NtCreateSection,	4_2_010D99A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D99D0 NtCreateProcessEx,	4_2_010D99D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9820 NtEnumerateKey,	4_2_010D9820
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010DB040 NtSuspendThread,	4_2_010DB040
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9840 NtDelayExecution,	4_2_010D9840
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D98A0 NtWriteVirtualMemory,	4_2_010D98A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D98F0 NtReadVirtualMemory,	4_2_010D98F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9B00 NtSetValueKey,	4_2_010D9B00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010DA3B0 NtGetContextThread,	4_2_010DA3B0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9A00 NtProtectVirtualMemory,	4_2_010D9A00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9A10 NtQuerySection,	4_2_010D9A10
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9A20 NtResumeThread,	4_2_010D9A20
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9A50 NtCreateFile,	4_2_010D9A50
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9A80 NtOpenDirectoryObject,	4_2_010D9A80
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9520 NtWaitForSingleObject,	4_2_010D9520
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010DAD30 NtSetContextThread,	4_2_010DAD30
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9540 NtReadFile,	4_2_010D9540
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9560 NtWriteFile,	4_2_010D9560
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D95D0 NtClose,	4_2_010D95D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D95F0 NtQueryInformationFile,	4_2_010D95F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9710 NtQueryInformationToken,	4_2_010D9710
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010DA710 NtOpenProcessToken,	4_2_010DA710
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9730 NtQueryVirtualMemory,	4_2_010D9730
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9760 NtOpenProcess,	4_2_010D9760
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010DA770 NtOpenThread,	4_2_010DA770
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9770 NtSetInformationFile,	4_2_010D9770
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9780 NtMapViewOfSection,	4_2_010D9780
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D97A0 NtUnmapViewOfSection,	4_2_010D97A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9FE0 NtCreateMutant,	4_2_010D9FE0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D9610 NtEnumerateValueKey,	4_2_010D9610

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_001E2C24	0_2_001E2C24
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_00CBA10C	0_2_00CBA10C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_00CBD4E8	0_2_00CBD4E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07388717	0_2_07388717
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07388965	0_2_07388965
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07384668	0_2_07384668
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07384657	0_2_07384657
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07383337	0_2_07383337
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_073883A0	0_2_073883A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07385BC0	0_2_07385BC0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07386210	0_2_07386210
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07383210	0_2_07383210
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0738620D	0_2_0738620D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_073832F9	0_2_073832F9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0738893E	0_2_0738893E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07384955	0_2_07384955
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07384148	0_2_07384148
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07384142	0_2_07384142
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_073889F3	0_2_073889F3
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07383838	0_2_07383838
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0738001F	0_2_0738001F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07383808	0_2_07383808
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07380040	0_2_07380040
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07780610	0_2_07780610
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778A6F1	0_2_0778A6F1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07785EB0	0_2_07785EB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07780D78	0_2_07780D78
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07789568	0_2_07789568
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07789D61	0_2_07789D61
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07783D30	0_2_07783D30
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778B5C8	0_2_0778B5C8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778DD88	0_2_0778DD88
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_077863F4	0_2_077863F4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07786AD0	0_2_07786AD0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_077861C1	0_2_077861C1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778B754	0_2_0778B754
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778B7D5	0_2_0778B7D5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778D790	0_2_0778D790
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778D782	0_2_0778D782
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_0778B6E6	0_2_0778B6E6
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07785EA1	0_2_07785EA1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041C273	4_2_0041C273
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041BAA2	4_2_0041BAA2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00408C5B	4_2_00408C5B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00408C60	4_2_00408C60
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041BC22	4_2_0041BC22
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041CC24	4_2_0041CC24
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041B4A6	4_2_0041B4A6
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041BD4F	4_2_0041BD4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041C501	4_2_0041C501
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041BDBD	4_2_0041BDBD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041BF3C	4_2_0041BF3C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041C7A5	4_2_0041C7A5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00622C24	4_2_00622C24
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109F900	4_2_0109F900
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B4120	4_2_010B4120
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B2990	4_2_010B2990
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AC1C0	4_2_010AC1C0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01096800	4_2_01096800
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151002	4_2_01151002
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0116E824	4_2_0116E824
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA830	4_2_010BA830
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AB090	4_2_010AB090
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C20A0	4_2_010C20A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011620A8	4_2_011620A8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011560F5	4_2_011560F5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011628EC	4_2_011628EC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115231B	4_2_0115231B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01162B28	4_2_01162B28
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BAB40	4_2_010BAB40
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0113CB4F	4_2_0113CB4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B3360	4_2_010B3360
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C138B	4_2_010C138B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BEB9A	4_2_010BEB9A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0113EB8A	4_2_0113EB8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CEBB0	4_2_010CEBB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115DBD2	4_2_0115DBD2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011503DA	4_2_011503DA
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CABD8	4_2_010CABD8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010E8BE8	4_2_010E8BE8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011423E3	4_2_011423E3
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB236	4_2_010BB236
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0114FA2B	4_2_0114FA2B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01155A4F	4_2_01155A4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011622AE	4_2_011622AE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011632A9	4_2_011632A9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115E2C5	4_2_0115E2C5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01162D07	4_2_01162D07
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01090D20	4_2_01090D20
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01161D55	4_2_01161D55
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B2D50	4_2_010B2D50
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C2581	4_2_010C2581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01152D82	4_2_01152D82
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C65A0	4_2_010C65A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011625DD	4_2_011625DD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AD5E0	4_2_010AD5E0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A841F	4_2_010A841F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B2430	4_2_010B2430
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115CC77	4_2_0115CC77
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115D466	4_2_0115D466
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB477	4_2_010BB477
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154496	4_2_01154496
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C4CD4	4_2_010C4CD4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0116DFCE	4_2_0116DFCE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01161FF1	4_2_01161FF1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011567E2	4_2_011567E2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115D616	4_2_0115D616
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B5600	4_2_010B5600
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B6E30	4_2_010B6E30

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: String function: 010ED08C appears 44 times
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: String function: 01125720 appears 84 times
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: String function: 0109B150 appears 174 times

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.691734327.0000000006F80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.692438491.00000000076D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.679185423.00000000002BA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMemberFilter.exe< vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.685991033.00000000055F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000004.00000002.682772982.000000000131F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000004.00000000.678183557.00000000006FA000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMemberFilter.exe< vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Binary or memory string: OriginalFilenameMemberFilter.exe< vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@0/0

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.log

Jump to behavior

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Virustotal: Detection: 34%
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Metadefender: Detection: 38%
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe 'C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe'
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_00CB0438 pushad ; iretd	0_2_00CB043A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_00CB043F pushad ; iretd	0_2_00CB0442
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_00CBCB98 pushfd ; ret	0_2_00CBCB99
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07388AEE push esi; iretd	0_2_07388AF0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 0_2_07783652 push eax; retf	0_2_07783679
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_004161E7 push edi; retf	4_2_004161E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_004151B4 pushfd ; ret	4_2_004151D9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041B3B5 push eax; ret	4_2_0041B408
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041B46C push eax; ret	4_2_0041B472
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041B402 push eax; ret	4_2_0041B408
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041B40B push eax; ret	4_2_0041B472
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0041543B pushfd ; iretd	4_2_0041543E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_00415485 push edx; ret	4_2_00415496
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ED0D1 push ecx; ret	4_2_010ED0E4

Source: initial sample

Static PE information: section name: .text entropy: 7.60293411131

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 7028, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Code function: 4_2_004088B0 rdtsc

4_2_004088B0

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe TID: 7072	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe TID: 7032	Thread sleep time: -103866s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Thread delayed: delay time: 103866	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.685991033.00000000055F0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.685991033.00000000055F0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.685991033.00000000055F0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.685991033.00000000055F0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Code function: 4_2_004088B0 rdtsc

4_2_004088B0

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Code function: 4_2_010D9860 NtQuerySystemInformation,LdrInitializeThunk,

4_2_010D9860

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01099100 mov eax, dword ptr fs:[00000030h]	4_2_01099100
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01099100 mov eax, dword ptr fs:[00000030h]	4_2_01099100
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01099100 mov eax, dword ptr fs:[00000030h]	4_2_01099100
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A0100 mov eax, dword ptr fs:[00000030h]	4_2_010A0100
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A0100 mov eax, dword ptr fs:[00000030h]	4_2_010A0100
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A0100 mov eax, dword ptr fs:[00000030h]	4_2_010A0100
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B4120 mov eax, dword ptr fs:[00000030h]	4_2_010B4120
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B4120 mov eax, dword ptr fs:[00000030h]	4_2_010B4120
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B4120 mov eax, dword ptr fs:[00000030h]	4_2_010B4120
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B4120 mov eax, dword ptr fs:[00000030h]	4_2_010B4120
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B4120 mov ecx, dword ptr fs:[00000030h]	4_2_010B4120
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01093138 mov ecx, dword ptr fs:[00000030h]	4_2_01093138
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C513A mov eax, dword ptr fs:[00000030h]	4_2_010C513A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C513A mov eax, dword ptr fs:[00000030h]	4_2_010C513A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151951 mov eax, dword ptr fs:[00000030h]	4_2_01151951
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB944 mov eax, dword ptr fs:[00000030h]	4_2_010BB944
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB944 mov eax, dword ptr fs:[00000030h]	4_2_010BB944
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109395E mov eax, dword ptr fs:[00000030h]	4_2_0109395E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109395E mov eax, dword ptr fs:[00000030h]	4_2_0109395E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109C962 mov eax, dword ptr fs:[00000030h]	4_2_0109C962
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01168966 mov eax, dword ptr fs:[00000030h]	4_2_01168966
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115E962 mov eax, dword ptr fs:[00000030h]	4_2_0115E962
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109B171 mov eax, dword ptr fs:[00000030h]	4_2_0109B171
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109B171 mov eax, dword ptr fs:[00000030h]	4_2_0109B171
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BC182 mov eax, dword ptr fs:[00000030h]	4_2_010BC182
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CA185 mov eax, dword ptr fs:[00000030h]	4_2_010CA185
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109519E mov eax, dword ptr fs:[00000030h]	4_2_0109519E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109519E mov ecx, dword ptr fs:[00000030h]	4_2_0109519E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01098190 mov ecx, dword ptr fs:[00000030h]	4_2_01098190
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C2990 mov eax, dword ptr fs:[00000030h]	4_2_010C2990
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C4190 mov eax, dword ptr fs:[00000030h]	4_2_010C4190
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115A189 mov eax, dword ptr fs:[00000030h]	4_2_0115A189
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115A189 mov ecx, dword ptr fs:[00000030h]	4_2_0115A189
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0116F1B5 mov eax, dword ptr fs:[00000030h]	4_2_0116F1B5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0116F1B5 mov eax, dword ptr fs:[00000030h]	4_2_0116F1B5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C61A0 mov eax, dword ptr fs:[00000030h]	4_2_010C61A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C61A0 mov eax, dword ptr fs:[00000030h]	4_2_010C61A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011151BE mov eax, dword ptr fs:[00000030h]	4_2_011151BE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011151BE mov eax, dword ptr fs:[00000030h]	4_2_011151BE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011151BE mov eax, dword ptr fs:[00000030h]	4_2_011151BE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011151BE mov eax, dword ptr fs:[00000030h]	4_2_011151BE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C99BC mov eax, dword ptr fs:[00000030h]	4_2_010C99BC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011549A4 mov eax, dword ptr fs:[00000030h]	4_2_011549A4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011549A4 mov eax, dword ptr fs:[00000030h]	4_2_011549A4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011549A4 mov eax, dword ptr fs:[00000030h]	4_2_011549A4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011549A4 mov eax, dword ptr fs:[00000030h]	4_2_011549A4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CC9BF mov eax, dword ptr fs:[00000030h]	4_2_010CC9BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CC9BF mov eax, dword ptr fs:[00000030h]	4_2_010CC9BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov ecx, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov ecx, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov eax, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov ecx, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov ecx, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov eax, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov ecx, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov ecx, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov eax, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov ecx, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov ecx, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B99BF mov eax, dword ptr fs:[00000030h]	4_2_010B99BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011169A6 mov eax, dword ptr fs:[00000030h]	4_2_011169A6
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov ecx, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov ecx, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011531DC mov eax, dword ptr fs:[00000030h]	4_2_011531DC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AC1C0 mov eax, dword ptr fs:[00000030h]	4_2_010AC1C0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011519D8 mov eax, dword ptr fs:[00000030h]	4_2_011519D8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BD1EF mov eax, dword ptr fs:[00000030h]	4_2_010BD1EF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0109B1E1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0109B1E1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109B1E1 mov eax, dword ptr fs:[00000030h]	4_2_0109B1E1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010931E0 mov eax, dword ptr fs:[00000030h]	4_2_010931E0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011689E7 mov eax, dword ptr fs:[00000030h]	4_2_011689E7
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011241E8 mov eax, dword ptr fs:[00000030h]	4_2_011241E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01164015 mov eax, dword ptr fs:[00000030h]	4_2_01164015
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01164015 mov eax, dword ptr fs:[00000030h]	4_2_01164015
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01117016 mov eax, dword ptr fs:[00000030h]	4_2_01117016
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01117016 mov eax, dword ptr fs:[00000030h]	4_2_01117016
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01117016 mov eax, dword ptr fs:[00000030h]	4_2_01117016
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01096800 mov eax, dword ptr fs:[00000030h]	4_2_01096800
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01096800 mov eax, dword ptr fs:[00000030h]	4_2_01096800
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01096800 mov eax, dword ptr fs:[00000030h]	4_2_01096800
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AB02A mov eax, dword ptr fs:[00000030h]	4_2_010AB02A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AB02A mov eax, dword ptr fs:[00000030h]	4_2_010AB02A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AB02A mov eax, dword ptr fs:[00000030h]	4_2_010AB02A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AB02A mov eax, dword ptr fs:[00000030h]	4_2_010AB02A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C002D mov eax, dword ptr fs:[00000030h]	4_2_010C002D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C002D mov eax, dword ptr fs:[00000030h]	4_2_010C002D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C002D mov eax, dword ptr fs:[00000030h]	4_2_010C002D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C002D mov eax, dword ptr fs:[00000030h]	4_2_010C002D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C002D mov eax, dword ptr fs:[00000030h]	4_2_010C002D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C4020 mov edi, dword ptr fs:[00000030h]	4_2_010C4020
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA830 mov eax, dword ptr fs:[00000030h]	4_2_010BA830
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA830 mov eax, dword ptr fs:[00000030h]	4_2_010BA830
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA830 mov eax, dword ptr fs:[00000030h]	4_2_010BA830
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA830 mov eax, dword ptr fs:[00000030h]	4_2_010BA830
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151843 mov eax, dword ptr fs:[00000030h]	4_2_01151843
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01095050 mov eax, dword ptr fs:[00000030h]	4_2_01095050
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01095050 mov eax, dword ptr fs:[00000030h]	4_2_01095050
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01095050 mov eax, dword ptr fs:[00000030h]	4_2_01095050
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B0050 mov eax, dword ptr fs:[00000030h]	4_2_010B0050
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B0050 mov eax, dword ptr fs:[00000030h]	4_2_010B0050
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01097057 mov eax, dword ptr fs:[00000030h]	4_2_01097057
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01161074 mov eax, dword ptr fs:[00000030h]	4_2_01161074
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01152073 mov eax, dword ptr fs:[00000030h]	4_2_01152073
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BF86D mov eax, dword ptr fs:[00000030h]	4_2_010BF86D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01099080 mov eax, dword ptr fs:[00000030h]	4_2_01099080
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01093880 mov eax, dword ptr fs:[00000030h]	4_2_01093880
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01093880 mov eax, dword ptr fs:[00000030h]	4_2_01093880
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01113884 mov eax, dword ptr fs:[00000030h]	4_2_01113884
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01113884 mov eax, dword ptr fs:[00000030h]	4_2_01113884
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D90AF mov eax, dword ptr fs:[00000030h]	4_2_010D90AF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A28AE mov eax, dword ptr fs:[00000030h]	4_2_010A28AE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A28AE mov eax, dword ptr fs:[00000030h]	4_2_010A28AE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A28AE mov eax, dword ptr fs:[00000030h]	4_2_010A28AE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A28AE mov ecx, dword ptr fs:[00000030h]	4_2_010A28AE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A28AE mov eax, dword ptr fs:[00000030h]	4_2_010A28AE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A28AE mov eax, dword ptr fs:[00000030h]	4_2_010A28AE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C20A0 mov eax, dword ptr fs:[00000030h]	4_2_010C20A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C20A0 mov eax, dword ptr fs:[00000030h]	4_2_010C20A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C20A0 mov eax, dword ptr fs:[00000030h]	4_2_010C20A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C20A0 mov eax, dword ptr fs:[00000030h]	4_2_010C20A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C20A0 mov eax, dword ptr fs:[00000030h]	4_2_010C20A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C20A0 mov eax, dword ptr fs:[00000030h]	4_2_010C20A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CF0BF mov ecx, dword ptr fs:[00000030h]	4_2_010CF0BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CF0BF mov eax, dword ptr fs:[00000030h]	4_2_010CF0BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CF0BF mov eax, dword ptr fs:[00000030h]	4_2_010CF0BF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0112B8D0 mov eax, dword ptr fs:[00000030h]	4_2_0112B8D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0112B8D0 mov ecx, dword ptr fs:[00000030h]	4_2_0112B8D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0112B8D0 mov eax, dword ptr fs:[00000030h]	4_2_0112B8D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0112B8D0 mov eax, dword ptr fs:[00000030h]	4_2_0112B8D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0112B8D0 mov eax, dword ptr fs:[00000030h]	4_2_0112B8D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0112B8D0 mov eax, dword ptr fs:[00000030h]	4_2_0112B8D0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010970C0 mov eax, dword ptr fs:[00000030h]	4_2_010970C0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010970C0 mov eax, dword ptr fs:[00000030h]	4_2_010970C0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115B0C7 mov eax, dword ptr fs:[00000030h]	4_2_0115B0C7
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115B0C7 mov eax, dword ptr fs:[00000030h]	4_2_0115B0C7
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011518CA mov eax, dword ptr fs:[00000030h]	4_2_011518CA
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010978D6 mov eax, dword ptr fs:[00000030h]	4_2_010978D6
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010978D6 mov eax, dword ptr fs:[00000030h]	4_2_010978D6
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010978D6 mov ecx, dword ptr fs:[00000030h]	4_2_010978D6
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011560F5 mov eax, dword ptr fs:[00000030h]	4_2_011560F5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011560F5 mov eax, dword ptr fs:[00000030h]	4_2_011560F5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011560F5 mov eax, dword ptr fs:[00000030h]	4_2_011560F5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011560F5 mov eax, dword ptr fs:[00000030h]	4_2_011560F5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010958EC mov eax, dword ptr fs:[00000030h]	4_2_010958EC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010940E1 mov eax, dword ptr fs:[00000030h]	4_2_010940E1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010940E1 mov eax, dword ptr fs:[00000030h]	4_2_010940E1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010940E1 mov eax, dword ptr fs:[00000030h]	4_2_010940E1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB8E4 mov eax, dword ptr fs:[00000030h]	4_2_010BB8E4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB8E4 mov eax, dword ptr fs:[00000030h]	4_2_010BB8E4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A28FD mov eax, dword ptr fs:[00000030h]	4_2_010A28FD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A28FD mov eax, dword ptr fs:[00000030h]	4_2_010A28FD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A28FD mov eax, dword ptr fs:[00000030h]	4_2_010A28FD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA309 mov eax, dword ptr fs:[00000030h]	4_2_010BA309
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115131B mov eax, dword ptr fs:[00000030h]	4_2_0115131B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109DB40 mov eax, dword ptr fs:[00000030h]	4_2_0109DB40
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01168B58 mov eax, dword ptr fs:[00000030h]	4_2_01168B58
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109F358 mov eax, dword ptr fs:[00000030h]	4_2_0109F358
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C3B5A mov eax, dword ptr fs:[00000030h]	4_2_010C3B5A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C3B5A mov eax, dword ptr fs:[00000030h]	4_2_010C3B5A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C3B5A mov eax, dword ptr fs:[00000030h]	4_2_010C3B5A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C3B5A mov eax, dword ptr fs:[00000030h]	4_2_010C3B5A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109DB60 mov ecx, dword ptr fs:[00000030h]	4_2_0109DB60
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C3B7A mov eax, dword ptr fs:[00000030h]	4_2_010C3B7A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C3B7A mov eax, dword ptr fs:[00000030h]	4_2_010C3B7A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01126365 mov eax, dword ptr fs:[00000030h]	4_2_01126365
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01126365 mov eax, dword ptr fs:[00000030h]	4_2_01126365
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01126365 mov eax, dword ptr fs:[00000030h]	4_2_01126365
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01097B70 mov eax, dword ptr fs:[00000030h]	4_2_01097B70
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AF370 mov eax, dword ptr fs:[00000030h]	4_2_010AF370
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AF370 mov eax, dword ptr fs:[00000030h]	4_2_010AF370
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AF370 mov eax, dword ptr fs:[00000030h]	4_2_010AF370
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A1B8F mov eax, dword ptr fs:[00000030h]	4_2_010A1B8F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A1B8F mov eax, dword ptr fs:[00000030h]	4_2_010A1B8F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C138B mov eax, dword ptr fs:[00000030h]	4_2_010C138B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C138B mov eax, dword ptr fs:[00000030h]	4_2_010C138B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C138B mov eax, dword ptr fs:[00000030h]	4_2_010C138B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BEB9A mov eax, dword ptr fs:[00000030h]	4_2_010BEB9A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BEB9A mov eax, dword ptr fs:[00000030h]	4_2_010BEB9A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0114D380 mov ecx, dword ptr fs:[00000030h]	4_2_0114D380
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0113EB8A mov ecx, dword ptr fs:[00000030h]	4_2_0113EB8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0113EB8A mov eax, dword ptr fs:[00000030h]	4_2_0113EB8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0113EB8A mov eax, dword ptr fs:[00000030h]	4_2_0113EB8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0113EB8A mov eax, dword ptr fs:[00000030h]	4_2_0113EB8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C2397 mov eax, dword ptr fs:[00000030h]	4_2_010C2397
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CB390 mov eax, dword ptr fs:[00000030h]	4_2_010CB390
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01094B94 mov edi, dword ptr fs:[00000030h]	4_2_01094B94
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115138A mov eax, dword ptr fs:[00000030h]	4_2_0115138A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01168BB6 mov eax, dword ptr fs:[00000030h]	4_2_01168BB6
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C4BAD mov eax, dword ptr fs:[00000030h]	4_2_010C4BAD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C4BAD mov eax, dword ptr fs:[00000030h]	4_2_010C4BAD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C4BAD mov eax, dword ptr fs:[00000030h]	4_2_010C4BAD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01169BBE mov eax, dword ptr fs:[00000030h]	4_2_01169BBE
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01165BA5 mov eax, dword ptr fs:[00000030h]	4_2_01165BA5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151BA8 mov eax, dword ptr fs:[00000030h]	4_2_01151BA8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C53C5 mov eax, dword ptr fs:[00000030h]	4_2_010C53C5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011153CA mov eax, dword ptr fs:[00000030h]	4_2_011153CA
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011153CA mov eax, dword ptr fs:[00000030h]	4_2_011153CA
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01091BE9 mov eax, dword ptr fs:[00000030h]	4_2_01091BE9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BDBE9 mov eax, dword ptr fs:[00000030h]	4_2_010BDBE9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C03E2 mov eax, dword ptr fs:[00000030h]	4_2_010C03E2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C03E2 mov eax, dword ptr fs:[00000030h]	4_2_010C03E2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C03E2 mov eax, dword ptr fs:[00000030h]	4_2_010C03E2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C03E2 mov eax, dword ptr fs:[00000030h]	4_2_010C03E2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C03E2 mov eax, dword ptr fs:[00000030h]	4_2_010C03E2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C03E2 mov eax, dword ptr fs:[00000030h]	4_2_010C03E2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011423E3 mov ecx, dword ptr fs:[00000030h]	4_2_011423E3
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011423E3 mov ecx, dword ptr fs:[00000030h]	4_2_011423E3
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011423E3 mov eax, dword ptr fs:[00000030h]	4_2_011423E3
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A8A0A mov eax, dword ptr fs:[00000030h]	4_2_010A8A0A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115AA16 mov eax, dword ptr fs:[00000030h]	4_2_0115AA16
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115AA16 mov eax, dword ptr fs:[00000030h]	4_2_0115AA16
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov ecx, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010ABA00 mov eax, dword ptr fs:[00000030h]	4_2_010ABA00
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B3A1C mov eax, dword ptr fs:[00000030h]	4_2_010B3A1C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01095210 mov eax, dword ptr fs:[00000030h]	4_2_01095210
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01095210 mov ecx, dword ptr fs:[00000030h]	4_2_01095210
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01095210 mov eax, dword ptr fs:[00000030h]	4_2_01095210
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01095210 mov eax, dword ptr fs:[00000030h]	4_2_01095210
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109AA16 mov eax, dword ptr fs:[00000030h]	4_2_0109AA16
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109AA16 mov eax, dword ptr fs:[00000030h]	4_2_0109AA16
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D4A2C mov eax, dword ptr fs:[00000030h]	4_2_010D4A2C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D4A2C mov eax, dword ptr fs:[00000030h]	4_2_010D4A2C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA229 mov eax, dword ptr fs:[00000030h]	4_2_010BA229
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA229 mov eax, dword ptr fs:[00000030h]	4_2_010BA229
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA229 mov eax, dword ptr fs:[00000030h]	4_2_010BA229
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA229 mov eax, dword ptr fs:[00000030h]	4_2_010BA229
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA229 mov eax, dword ptr fs:[00000030h]	4_2_010BA229
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA229 mov eax, dword ptr fs:[00000030h]	4_2_010BA229
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA229 mov eax, dword ptr fs:[00000030h]	4_2_010BA229
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA229 mov eax, dword ptr fs:[00000030h]	4_2_010BA229
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BA229 mov eax, dword ptr fs:[00000030h]	4_2_010BA229
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01094A20 mov eax, dword ptr fs:[00000030h]	4_2_01094A20
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01094A20 mov eax, dword ptr fs:[00000030h]	4_2_01094A20
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01098239 mov eax, dword ptr fs:[00000030h]	4_2_01098239
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01098239 mov eax, dword ptr fs:[00000030h]	4_2_01098239
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01098239 mov eax, dword ptr fs:[00000030h]	4_2_01098239
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151229 mov eax, dword ptr fs:[00000030h]	4_2_01151229
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB236 mov eax, dword ptr fs:[00000030h]	4_2_010BB236
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB236 mov eax, dword ptr fs:[00000030h]	4_2_010BB236
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB236 mov eax, dword ptr fs:[00000030h]	4_2_010BB236
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB236 mov eax, dword ptr fs:[00000030h]	4_2_010BB236
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB236 mov eax, dword ptr fs:[00000030h]	4_2_010BB236
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB236 mov eax, dword ptr fs:[00000030h]	4_2_010BB236
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115EA55 mov eax, dword ptr fs:[00000030h]	4_2_0115EA55
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01124257 mov eax, dword ptr fs:[00000030h]	4_2_01124257
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01099240 mov eax, dword ptr fs:[00000030h]	4_2_01099240
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01099240 mov eax, dword ptr fs:[00000030h]	4_2_01099240
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01099240 mov eax, dword ptr fs:[00000030h]	4_2_01099240
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01099240 mov eax, dword ptr fs:[00000030h]	4_2_01099240
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151A5F mov eax, dword ptr fs:[00000030h]	4_2_01151A5F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01155A4F mov eax, dword ptr fs:[00000030h]	4_2_01155A4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01155A4F mov eax, dword ptr fs:[00000030h]	4_2_01155A4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01155A4F mov eax, dword ptr fs:[00000030h]	4_2_01155A4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01155A4F mov eax, dword ptr fs:[00000030h]	4_2_01155A4F
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D5A69 mov eax, dword ptr fs:[00000030h]	4_2_010D5A69
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D5A69 mov eax, dword ptr fs:[00000030h]	4_2_010D5A69
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D5A69 mov eax, dword ptr fs:[00000030h]	4_2_010D5A69
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0114B260 mov eax, dword ptr fs:[00000030h]	4_2_0114B260
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0114B260 mov eax, dword ptr fs:[00000030h]	4_2_0114B260
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01168A62 mov eax, dword ptr fs:[00000030h]	4_2_01168A62
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D927A mov eax, dword ptr fs:[00000030h]	4_2_010D927A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CDA88 mov eax, dword ptr fs:[00000030h]	4_2_010CDA88
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CDA88 mov eax, dword ptr fs:[00000030h]	4_2_010CDA88
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115129A mov eax, dword ptr fs:[00000030h]	4_2_0115129A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CD294 mov eax, dword ptr fs:[00000030h]	4_2_010CD294
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CD294 mov eax, dword ptr fs:[00000030h]	4_2_010CD294
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01091AA0 mov eax, dword ptr fs:[00000030h]	4_2_01091AA0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010952A5 mov eax, dword ptr fs:[00000030h]	4_2_010952A5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010952A5 mov eax, dword ptr fs:[00000030h]	4_2_010952A5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010952A5 mov eax, dword ptr fs:[00000030h]	4_2_010952A5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010952A5 mov eax, dword ptr fs:[00000030h]	4_2_010952A5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010952A5 mov eax, dword ptr fs:[00000030h]	4_2_010952A5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C5AA0 mov eax, dword ptr fs:[00000030h]	4_2_010C5AA0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C5AA0 mov eax, dword ptr fs:[00000030h]	4_2_010C5AA0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C12BD mov esi, dword ptr fs:[00000030h]	4_2_010C12BD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C12BD mov eax, dword ptr fs:[00000030h]	4_2_010C12BD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C12BD mov eax, dword ptr fs:[00000030h]	4_2_010C12BD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AAAB0 mov eax, dword ptr fs:[00000030h]	4_2_010AAAB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AAAB0 mov eax, dword ptr fs:[00000030h]	4_2_010AAAB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CFAB0 mov eax, dword ptr fs:[00000030h]	4_2_010CFAB0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01093ACA mov eax, dword ptr fs:[00000030h]	4_2_01093ACA
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C2ACB mov eax, dword ptr fs:[00000030h]	4_2_010C2ACB
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01095AC0 mov eax, dword ptr fs:[00000030h]	4_2_01095AC0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01095AC0 mov eax, dword ptr fs:[00000030h]	4_2_01095AC0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01095AC0 mov eax, dword ptr fs:[00000030h]	4_2_01095AC0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01168ADD mov eax, dword ptr fs:[00000030h]	4_2_01168ADD
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010912D4 mov eax, dword ptr fs:[00000030h]	4_2_010912D4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C2AE4 mov eax, dword ptr fs:[00000030h]	4_2_010C2AE4
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01154AEF mov eax, dword ptr fs:[00000030h]	4_2_01154AEF
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115B2E8 mov eax, dword ptr fs:[00000030h]	4_2_0115B2E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115B2E8 mov eax, dword ptr fs:[00000030h]	4_2_0115B2E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115B2E8 mov eax, dword ptr fs:[00000030h]	4_2_0115B2E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115B2E8 mov eax, dword ptr fs:[00000030h]	4_2_0115B2E8
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01153518 mov eax, dword ptr fs:[00000030h]	4_2_01153518
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01153518 mov eax, dword ptr fs:[00000030h]	4_2_01153518
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01153518 mov eax, dword ptr fs:[00000030h]	4_2_01153518
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109751A mov eax, dword ptr fs:[00000030h]	4_2_0109751A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109751A mov eax, dword ptr fs:[00000030h]	4_2_0109751A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109751A mov eax, dword ptr fs:[00000030h]	4_2_0109751A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109751A mov eax, dword ptr fs:[00000030h]	4_2_0109751A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0113CD04 mov eax, dword ptr fs:[00000030h]	4_2_0113CD04
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01168D34 mov eax, dword ptr fs:[00000030h]	4_2_01168D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0111A537 mov eax, dword ptr fs:[00000030h]	4_2_0111A537
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CF527 mov eax, dword ptr fs:[00000030h]	4_2_010CF527
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CF527 mov eax, dword ptr fs:[00000030h]	4_2_010CF527
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CF527 mov eax, dword ptr fs:[00000030h]	4_2_010CF527
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115E539 mov eax, dword ptr fs:[00000030h]	4_2_0115E539
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C4D3B mov eax, dword ptr fs:[00000030h]	4_2_010C4D3B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C4D3B mov eax, dword ptr fs:[00000030h]	4_2_010C4D3B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C4D3B mov eax, dword ptr fs:[00000030h]	4_2_010C4D3B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109AD30 mov eax, dword ptr fs:[00000030h]	4_2_0109AD30
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010A3D34 mov eax, dword ptr fs:[00000030h]	4_2_010A3D34
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109354C mov eax, dword ptr fs:[00000030h]	4_2_0109354C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0109354C mov eax, dword ptr fs:[00000030h]	4_2_0109354C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0114FD52 mov eax, dword ptr fs:[00000030h]	4_2_0114FD52
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D3D43 mov eax, dword ptr fs:[00000030h]	4_2_010D3D43
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01113540 mov eax, dword ptr fs:[00000030h]	4_2_01113540
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01148D47 mov eax, dword ptr fs:[00000030h]	4_2_01148D47
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01143D40 mov eax, dword ptr fs:[00000030h]	4_2_01143D40
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B7D50 mov eax, dword ptr fs:[00000030h]	4_2_010B7D50
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D4D51 mov eax, dword ptr fs:[00000030h]	4_2_010D4D51
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010D4D51 mov eax, dword ptr fs:[00000030h]	4_2_010D4D51
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BC577 mov eax, dword ptr fs:[00000030h]	4_2_010BC577
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BC577 mov eax, dword ptr fs:[00000030h]	4_2_010BC577
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B8D76 mov eax, dword ptr fs:[00000030h]	4_2_010B8D76
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B8D76 mov eax, dword ptr fs:[00000030h]	4_2_010B8D76
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B8D76 mov eax, dword ptr fs:[00000030h]	4_2_010B8D76
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B8D76 mov eax, dword ptr fs:[00000030h]	4_2_010B8D76
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B8D76 mov eax, dword ptr fs:[00000030h]	4_2_010B8D76
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01092D8A mov eax, dword ptr fs:[00000030h]	4_2_01092D8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01092D8A mov eax, dword ptr fs:[00000030h]	4_2_01092D8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01092D8A mov eax, dword ptr fs:[00000030h]	4_2_01092D8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01092D8A mov eax, dword ptr fs:[00000030h]	4_2_01092D8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01092D8A mov eax, dword ptr fs:[00000030h]	4_2_01092D8A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C2581 mov eax, dword ptr fs:[00000030h]	4_2_010C2581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C2581 mov eax, dword ptr fs:[00000030h]	4_2_010C2581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C2581 mov eax, dword ptr fs:[00000030h]	4_2_010C2581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C2581 mov eax, dword ptr fs:[00000030h]	4_2_010C2581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115B581 mov eax, dword ptr fs:[00000030h]	4_2_0115B581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115B581 mov eax, dword ptr fs:[00000030h]	4_2_0115B581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115B581 mov eax, dword ptr fs:[00000030h]	4_2_0115B581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115B581 mov eax, dword ptr fs:[00000030h]	4_2_0115B581
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CFD9B mov eax, dword ptr fs:[00000030h]	4_2_010CFD9B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CFD9B mov eax, dword ptr fs:[00000030h]	4_2_010CFD9B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01152D82 mov eax, dword ptr fs:[00000030h]	4_2_01152D82
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01152D82 mov eax, dword ptr fs:[00000030h]	4_2_01152D82
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01152D82 mov eax, dword ptr fs:[00000030h]	4_2_01152D82
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01152D82 mov eax, dword ptr fs:[00000030h]	4_2_01152D82
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01152D82 mov eax, dword ptr fs:[00000030h]	4_2_01152D82
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01152D82 mov eax, dword ptr fs:[00000030h]	4_2_01152D82
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01152D82 mov eax, dword ptr fs:[00000030h]	4_2_01152D82
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01093591 mov eax, dword ptr fs:[00000030h]	4_2_01093591
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C65A0 mov eax, dword ptr fs:[00000030h]	4_2_010C65A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C65A0 mov eax, dword ptr fs:[00000030h]	4_2_010C65A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C65A0 mov eax, dword ptr fs:[00000030h]	4_2_010C65A0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C35A1 mov eax, dword ptr fs:[00000030h]	4_2_010C35A1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C1DB5 mov eax, dword ptr fs:[00000030h]	4_2_010C1DB5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C1DB5 mov eax, dword ptr fs:[00000030h]	4_2_010C1DB5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C1DB5 mov eax, dword ptr fs:[00000030h]	4_2_010C1DB5
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011605AC mov eax, dword ptr fs:[00000030h]	4_2_011605AC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_011605AC mov eax, dword ptr fs:[00000030h]	4_2_011605AC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0114FDD3 mov eax, dword ptr fs:[00000030h]	4_2_0114FDD3
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010915C1 mov eax, dword ptr fs:[00000030h]	4_2_010915C1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01116DC9 mov eax, dword ptr fs:[00000030h]	4_2_01116DC9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01116DC9 mov eax, dword ptr fs:[00000030h]	4_2_01116DC9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01116DC9 mov eax, dword ptr fs:[00000030h]	4_2_01116DC9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01116DC9 mov ecx, dword ptr fs:[00000030h]	4_2_01116DC9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01116DC9 mov eax, dword ptr fs:[00000030h]	4_2_01116DC9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01116DC9 mov eax, dword ptr fs:[00000030h]	4_2_01116DC9
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C95EC mov eax, dword ptr fs:[00000030h]	4_2_010C95EC
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01148DF1 mov eax, dword ptr fs:[00000030h]	4_2_01148DF1
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AD5E0 mov eax, dword ptr fs:[00000030h]	4_2_010AD5E0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AD5E0 mov eax, dword ptr fs:[00000030h]	4_2_010AD5E0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0115FDE2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0115FDE2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0115FDE2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0115FDE2 mov eax, dword ptr fs:[00000030h]	4_2_0115FDE2
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010995F0 mov eax, dword ptr fs:[00000030h]	4_2_010995F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010995F0 mov ecx, dword ptr fs:[00000030h]	4_2_010995F0
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01168C14 mov eax, dword ptr fs:[00000030h]	4_2_01168C14
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01151C06 mov eax, dword ptr fs:[00000030h]	4_2_01151C06
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01098410 mov eax, dword ptr fs:[00000030h]	4_2_01098410
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0116740D mov eax, dword ptr fs:[00000030h]	4_2_0116740D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0116740D mov eax, dword ptr fs:[00000030h]	4_2_0116740D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0116740D mov eax, dword ptr fs:[00000030h]	4_2_0116740D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01116C0A mov eax, dword ptr fs:[00000030h]	4_2_01116C0A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01116C0A mov eax, dword ptr fs:[00000030h]	4_2_01116C0A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01116C0A mov eax, dword ptr fs:[00000030h]	4_2_01116C0A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01116C0A mov eax, dword ptr fs:[00000030h]	4_2_01116C0A
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CBC2C mov eax, dword ptr fs:[00000030h]	4_2_010CBC2C
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01094439 mov eax, dword ptr fs:[00000030h]	4_2_01094439
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C3C3E mov eax, dword ptr fs:[00000030h]	4_2_010C3C3E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C3C3E mov eax, dword ptr fs:[00000030h]	4_2_010C3C3E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010C3C3E mov eax, dword ptr fs:[00000030h]	4_2_010C3C3E
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AB433 mov eax, dword ptr fs:[00000030h]	4_2_010AB433
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AB433 mov eax, dword ptr fs:[00000030h]	4_2_010AB433
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010AB433 mov eax, dword ptr fs:[00000030h]	4_2_010AB433
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B2430 mov eax, dword ptr fs:[00000030h]	4_2_010B2430
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B2430 mov eax, dword ptr fs:[00000030h]	4_2_010B2430
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0112C450 mov eax, dword ptr fs:[00000030h]	4_2_0112C450
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_0112C450 mov eax, dword ptr fs:[00000030h]	4_2_0112C450
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01168450 mov eax, dword ptr fs:[00000030h]	4_2_01168450
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CA44B mov eax, dword ptr fs:[00000030h]	4_2_010CA44B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_01168C75 mov eax, dword ptr fs:[00000030h]	4_2_01168C75
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010B746D mov eax, dword ptr fs:[00000030h]	4_2_010B746D
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010CAC7B mov eax, dword ptr fs:[00000030h]	4_2_010CAC7B
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB477 mov eax, dword ptr fs:[00000030h]	4_2_010BB477
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB477 mov eax, dword ptr fs:[00000030h]	4_2_010BB477
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Code function: 4_2_010BB477 mov eax, dword ptr fs:[00000030h]	4_2_010BB477

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Memory written: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Process created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection111	Masquerading11	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection111	NTDS	System Information Discovery112	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information14	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	34%	Virustotal		Browse
T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	44%	Metadefender		Browse
T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.rogegalmish.com/a8si/	3%	Virustotal		Browse
www.rogegalmish.com/a8si/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htmn6	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr.TTF	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.carterandcone.com.	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cnTCV	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.fontbureau.comgritan	0%	Avira URL Cloud	safe
http://www.tiro.comlicB	0%	Avira URL Cloud	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.fonts.comn	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.carterandcone.comV	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.webstarmax.com/	0%	Avira URL Cloud	safe
http://www.monotT.	0%	Avira URL Cloud	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.carterandcone.comTC	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.webstarmax.com/9mailto:office	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.goodfont.	0%	Avira URL Cloud	safe
http://www.tiro.comY	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.carterandcone.comtigK&	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.rogegalmish.com/a8si/	true	3%, Virustotal, Browse Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htmn6	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.664941588.00000000058E5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.662560278.00000000058E5000.00000004.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.663739401.00000000058E5000.00000004.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.662263041.00000000058E5000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr.TTF	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.658694270.00000000058B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.com	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660140019.00000000058B2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp	false		high
http://www.carterandcone.com.	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660140019.00000000058B2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersz0	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.669067713.00000000058E5000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.com	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cnTCV	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.658694270.00000000058B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657480728.00000000058CB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.comgritan	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680256955.0000000000D07000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comlicB	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660255920.00000000058B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comn	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657286654.00000000058CB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.comV	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659592367.00000000058ED000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657228680.00000000058B5000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.680325425.00000000025B1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designersn	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.663769723.00000000058E5000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false		high
http://www.webstarmax.com/	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	false	Avira URL Cloud: safe	unknown
http://www.monotT.	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.668655621.00000000058E5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comTC	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659592367.00000000058ED000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comn	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.657480728.00000000058CB000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.webstarmax.com/9mailto:office	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp, T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659151965.00000000058B5000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false		high
http://www.goodfont.	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659049481.00000000058B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.comY	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.660255920.00000000058B2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.687314996.00000000059A0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersV0	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.662560278.00000000058E5000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers1	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.663430742.00000000058E5000.00000004.00000001.sdmp	false		high
http://www.carterandcone.comtigK&	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000003.659592367.00000000058ED000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411744
Start date:	12.05.2021
Start time:	06:07:19
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.6% (good quality ratio 2.5%) Quality average: 73.9% Quality standard deviation: 29.6%
HCA Information:	Successful, ratio: 97% Number of executed functions: 102 Number of non-executed functions: 248
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:08:20	API Interceptor	1x Sleep call for process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.log Download File
Process:	C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.3164209557831335
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
File size:	982016
MD5:	306237cff93b7d61b1f72c400a9522e1
SHA1:	aa8942a24452ac6e95feb05f1a5038d006f08c4d
SHA256:	4ffd8307eca6e6b382c035cb0ad32e52f37f9180e092764d6224d97557ef8ec9
SHA512:	407a56139ff82ba27560dbbd4db76f0a80061f727ca5cb9e12febe25d2a1f246fd6b24ce13b051f975b6a37eb6d24a275d4663abc50df2b47221ae2d8fe4b73d
SSDEEP:	12288:HDoTjD7wGGPBVw9hhhxCg7OlOAiSyHesKvOFfYTFEwPAI9S93hwC3yezPcvFXXZH:jIzq2hhhxCHlOA6+s2Ti3hfL2FXXZH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..`..............P..\...........{... ........@.. .......................@............@................................

File Icon


Icon Hash:	d4e8e8f8bcacd2cc

Static PE Info

General
Entrypoint:	0x4c7b8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6098C267 [Mon May 10 05:19:35 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc7b40	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x29c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xf2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xc5b94	0xc5c00	False	0.737166413164	data	7.60293411131	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xc8000	0x29c00	0x29c00	False	0.0827271238772	data	4.20827824934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xf2000	0xc	0x200	False	0.044921875	data	0.0980041756627	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xc82e0	0x10d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0xc93b4	0x10828	dBase III DBT, version number 0, next free block index 40
RT_ICON	0xd9bdc	0x94a8	data
RT_ICON	0xe3084	0x5488	data
RT_ICON	0xe850c	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4278648832
RT_ICON	0xec734	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON	0xeecdc	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON	0xefd84	0x988	data
RT_ICON	0xf070c	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xf0b74	0x84	data
RT_GROUP_ICON	0xf0bf8	0x14	data
RT_VERSION	0xf0c0c	0x3b4	data
RT_MANIFEST	0xf0fc0	0xc02	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2015
Assembly Version	1.1.755.0
InternalName	MemberFilter.exe
FileVersion	1.1.655.0
CompanyName	Nsoft Programming
LegalTrademarks	Nsoft Programming by Webstar Max
Comments
ProductName	File Executor
ProductVersion	1.1.655.0
FileDescription	File Executor
OriginalFilename	MemberFilter.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 7028 Parent PID: 6128

General

Start time:	06:08:10
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe'
Imagebase:	0x1e0000
File size:	982016 bytes
MD5 hash:	306237CFF93B7D61B1F72C400A9522E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.680894456.00000000035B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.680382775.00000000025C3000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 4164 Parent PID: 7028

General

Start time:	06:08:21
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Imagebase:	0x620000
File size:	982016 bytes
MD5 hash:	306237CFF93B7D61B1F72C400A9522E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 7028 Parent PID: 6128 T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCOMMON

Executed Functions

Function 07780610, Relevance: 4.3, Strings: 3, Instructions: 571COMMON

Download Yara Rule

Strings

D0*l, xrefs: 07780BE5
D0*l, xrefs: 07780A58
D0*l, xrefs: 07780AE5

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID: D0*l$D0*l$D0*l
API String ID: 0-1574081070
Opcode ID: 7f8f60466edf1cad52d3fb3989896a0d009e2b4ee6ede15bba9f5daa48f684c9
Instruction ID: 34d87085bd11854f15b7a9c87019be788c167fb73f5a5d30fd534c5f6ae18482
Opcode Fuzzy Hash: 7f8f60466edf1cad52d3fb3989896a0d009e2b4ee6ede15bba9f5daa48f684c9
Instruction Fuzzy Hash: 6722AFB0B002198FDB54EF64C854BAEBBF2EF89344F148469E906DB391DB349D46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 073883A0, Relevance: 2.7, Strings: 2, Instructions: 246COMMON

Download Yara Rule

Strings

z.B, xrefs: 07388454
*Xo, xrefs: 07388626

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID: z.B$*Xo
API String ID: 0-3622222807
Opcode ID: 1bf0c7b47fa7e01617beea3401fbf8cc54a58943a11dd2bee900819b0e0a6b6d
Instruction ID: 40f12a9a51e5de9255dcebfa6657588412e2cc2e40ce7f2ebecb40823e77a57a
Opcode Fuzzy Hash: 1bf0c7b47fa7e01617beea3401fbf8cc54a58943a11dd2bee900819b0e0a6b6d
Instruction Fuzzy Hash: 3AA115B4E24219DFDB84DFA9D5814EEBBB2EF8A300F64842AD409BB754D7349902CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0778B5C8, Relevance: 2.7, Strings: 2, Instructions: 233COMMON

Download Yara Rule

Strings

a4, xrefs: 0778B699
a4, xrefs: 0778B6A0

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID: a4$a4
API String ID: 0-2133821049
Opcode ID: 657e68eaf4ab512c5c58cf1db1e56fc60ed27619355cf4c719265b9883b73936
Instruction ID: 67bd6d6fe5f4fe95a30879a1a24e17923366d56b874c89c172b8569c87a42a60
Opcode Fuzzy Hash: 657e68eaf4ab512c5c58cf1db1e56fc60ed27619355cf4c719265b9883b73936
Instruction Fuzzy Hash: 7AA148B0E1420ACFDB44DF95D5818AEFBB2FF89384F20D555C515AB224D734AA42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07785EA1, Relevance: 2.7, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

$,*l, xrefs: 07785FA2
u7@-, xrefs: 07786167

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID: $,*l$u7@-
API String ID: 0-2132025572
Opcode ID: da1df5078683e5513b6200a0500ad057e734cfe749ddf99ce5322e349fbb1a13
Instruction ID: 1153d742655bda993e498253dcc01c6038dedb75dcafa07551ab052b317a6472
Opcode Fuzzy Hash: da1df5078683e5513b6200a0500ad057e734cfe749ddf99ce5322e349fbb1a13
Instruction Fuzzy Hash: 269113B4E14219DFCB48DFA9D88499EFBB2FF89340F24842AE415AB365DB349901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07785EB0, Relevance: 2.7, Strings: 2, Instructions: 214COMMON

Download Yara Rule

Strings

$,*l, xrefs: 07785FA2
u7@-, xrefs: 07786167

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID: $,*l$u7@-
API String ID: 0-2132025572
Opcode ID: bede225ae70126e4736e8b41fd02ac1c411e77089529ad43c585d94d6cb877ee
Instruction ID: 6070877b561a7ab98dd1f40d40fcd7a4f0dd0f45ea475ec0046e0c837249b459
Opcode Fuzzy Hash: bede225ae70126e4736e8b41fd02ac1c411e77089529ad43c585d94d6cb877ee
Instruction Fuzzy Hash: C091E3B4E14219DFCB48DFA9D88499EFBB2FF89344F20942AD415AB365DB349901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07388717, Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

T#, xrefs: 0738890A

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID: T#
API String ID: 0-319260668
Opcode ID: 8597e51e408968efddee065aaa03ab529ff557cd4e9a4056314df1330e944a66
Instruction ID: 3ad142f83edffa7bdae0d7c0cdb7e036d40c643131268d231a231fa6dda10f4b
Opcode Fuzzy Hash: 8597e51e408968efddee065aaa03ab529ff557cd4e9a4056314df1330e944a66
Instruction Fuzzy Hash: F07169B1E14629CBEB64CF66CC40BEDB7BABBC9301F10C5AAD50DA6254E7745A85CF00

Uniqueness

Uniqueness Score: -1.00%

Function 07388965, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

T#, xrefs: 0738890A

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID: T#
API String ID: 0-319260668
Opcode ID: c80b0bdfef06c6f6d46d35f52b484001c23bd17b48d731ba85bb316a26cd504a
Instruction ID: 83ee4a8c8b9fe683ea41de9472ee5fa96e049dcb92393c687a57f2b91940c9ba
Opcode Fuzzy Hash: c80b0bdfef06c6f6d46d35f52b484001c23bd17b48d731ba85bb316a26cd504a
Instruction Fuzzy Hash: 1D7136B491022ACFEB64CF65CC40BE9B7B6BB89301F1085EAD50DB7254E774AA85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0738893E, Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

T#, xrefs: 0738890A

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID: T#
API String ID: 0-319260668
Opcode ID: 88b33938ce2cf0b6b07706381d79c7d2e8a64c58b5637619a9fd96f16c8c3eb6
Instruction ID: 6b9f12e708ed7cdc85a50b5370dc46a915e4c1fce590213bfde0036be2c0759f
Opcode Fuzzy Hash: 88b33938ce2cf0b6b07706381d79c7d2e8a64c58b5637619a9fd96f16c8c3eb6
Instruction Fuzzy Hash: B05168B0A1025ACFDB64CF65CC40BEDB7B6BB89301F1085E6D10DA7250E774AAC58F40

Uniqueness

Uniqueness Score: -1.00%

Function 073889F3, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

T#, xrefs: 0738890A

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID: T#
API String ID: 0-319260668
Opcode ID: 057887b4f8f746c2c4a46b0f1b6ef332bf46f81da09b462ff1f3fbff10412c28
Instruction ID: 27bc7795d749abb0f0acfcad20778cfd9b59542976ba8bedab397d95fa0f67d3
Opcode Fuzzy Hash: 057887b4f8f746c2c4a46b0f1b6ef332bf46f81da09b462ff1f3fbff10412c28
Instruction Fuzzy Hash: A45148B0A1066ACFDB64CF65CC40BE9B7B6BB89301F1086EAD109A6244E7746A858F50

Uniqueness

Uniqueness Score: -1.00%

Function 0778DD88, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

%.&O, xrefs: 0778DF6B

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID: %.&O
API String ID: 0-2714121439
Opcode ID: 4c347370e33fe7453d9b5179303749b249f8392b039834f03dbba89a4a193a18
Instruction ID: 6e4d7a7e63deb544dfe6e0121b40c43952b6589e7bb5cc65dba49f694c9c026a
Opcode Fuzzy Hash: 4c347370e33fe7453d9b5179303749b249f8392b039834f03dbba89a4a193a18
Instruction Fuzzy Hash: 3E512CB0E052199FEB58DF66D840B9EFBF3AFC9344F05C0A6D508AB264DB305A418F51

Uniqueness

Uniqueness Score: -1.00%

Function 07783D30, Relevance: .9, Instructions: 906COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c2ce5a6f11ae33c932c1a535e35beec31d856d79afebb0abc5881069b61a7e
Instruction ID: 51cabe8878d7da459116826e0f02b34bfde1c89c9e2442ad89cc634f0e837407
Opcode Fuzzy Hash: 19c2ce5a6f11ae33c932c1a535e35beec31d856d79afebb0abc5881069b61a7e
Instruction Fuzzy Hash: CD82AEB4A4024ADFCB54DF68C884AAEBBF2FF89384F158569E405DB361D770E851CB90

Uniqueness

Uniqueness Score: -1.00%

Function 077863F4, Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f726109e66fe2300c67ad36c74d7dff5a1242fd75fb705549f2ec71b46b3a0d3
Instruction ID: e33f4e84db9673f0be41c439573ed0573e68850a37ca47b0552844ecfd5708e5
Opcode Fuzzy Hash: f726109e66fe2300c67ad36c74d7dff5a1242fd75fb705549f2ec71b46b3a0d3
Instruction Fuzzy Hash: 8D22BBB0E04259DFCB44DFA9C8416AEBBB2FF89344F24C469D509EB359DB309A02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07780D78, Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dcf7260cdee0aebd5c28d4da198f5d5e3171fbd38928ffbb0aa92f39ee5cb18
Instruction ID: 328744d0f717dfd82a7c9c49a2a17d7bf324b26d64a1dbe29fdeedeef2ee954b
Opcode Fuzzy Hash: 5dcf7260cdee0aebd5c28d4da198f5d5e3171fbd38928ffbb0aa92f39ee5cb18
Instruction Fuzzy Hash: 6AD150B0A40109CFCB94EFA9C984AAEBBB2FF49380F558469E415AB361D731DC52CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07786AD0, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22274f07c913adb28c442c0524a9a53371e62300e3355072144f2e5cfa5f84f
Instruction ID: 443f79e5e99e2639b6a359dbb3616728861f78c3fe5e38ebf0a8d3fe76097dbb
Opcode Fuzzy Hash: d22274f07c913adb28c442c0524a9a53371e62300e3355072144f2e5cfa5f84f
Instruction Fuzzy Hash: B4C158B4E042499BCF48DFA9C44059EFFB2EF8A354F24D529C418EB35AE73099428F64

Uniqueness

Uniqueness Score: -1.00%

Function 0778B754, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7413117dd9a95d36d6ad20f1ad8cacc029b796ff83f19f86c4baceab744fcfc1
Instruction ID: f1b479ceeac5aef94583b6b5143e93dd7f3f3761683b81a80c5acf378328b5af
Opcode Fuzzy Hash: 7413117dd9a95d36d6ad20f1ad8cacc029b796ff83f19f86c4baceab744fcfc1
Instruction Fuzzy Hash: 3DA158B0E1424ACFDB44DF95C4854AEFBB1FB8A384F20D555C015AB225D334EA42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0778B6E6, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35ce4e6d025129f9c01446a3d250bfd75b01e0fd17f7d803904d70b82d1607b
Instruction ID: 8e3a360eb85a874e5de48e90e63e48a3d098cd5d601d81bd7d124d503976560e
Opcode Fuzzy Hash: b35ce4e6d025129f9c01446a3d250bfd75b01e0fd17f7d803904d70b82d1607b
Instruction Fuzzy Hash: CD9137B0E1420ACFDB44DF95D5858AEFBB2FB8A384F20D555C415AB224D334EA82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0778B7D5, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d3c878b25cf08884cad00e0ac56cf9dbe76010f97c936f7ad828fd9d26eaf3
Instruction ID: 4971989e6b31982e1c732c4c2a78381b233df987c1a2fca43996cbf502361015
Opcode Fuzzy Hash: a9d3c878b25cf08884cad00e0ac56cf9dbe76010f97c936f7ad828fd9d26eaf3
Instruction Fuzzy Hash: 529147B0E1420ACFDB44DF95D5818AEFBB2FB8A384F20D555C415AB225D334EA82CF95

Uniqueness

Uniqueness Score: -1.00%

Function 07789568, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629e70899c4677a4aa7733a497af4861b23a3b00631627f5200c81aade716c04
Instruction ID: cb74356113f5fc6b1645d384028dd94c9c91762d7958db1fa9d09fcda7689e62
Opcode Fuzzy Hash: 629e70899c4677a4aa7733a497af4861b23a3b00631627f5200c81aade716c04
Instruction Fuzzy Hash: 7271D3B4E112588FDB48CFE9C984AAEBBB2FF89344F10812AD919BB354D7346901CF50

Uniqueness

Uniqueness Score: -1.00%

Function 077861C1, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9265b68c124565ed3437bbcd051becc948419d37d6c5026d90281aceca5523ee
Instruction ID: 4f45713c3787d66c65ecf73024c5e56c71283fa58f04fb9bb6a1f3b892308c8e
Opcode Fuzzy Hash: 9265b68c124565ed3437bbcd051becc948419d37d6c5026d90281aceca5523ee
Instruction Fuzzy Hash: 0E5169B4E05209EFCB48DFA9D5416AEBBB2FF89304F208469D405FB351DB309942CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07789D61, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3c70f8e1fbb7329a9e30054aa4a0fd751b5bf41c17acb278ffeb7d308b7fcc1
Instruction ID: e533369b81ea223899724b28bb0e60e34ff9cb8dbca8c0cb76384cca1ba2942b
Opcode Fuzzy Hash: b3c70f8e1fbb7329a9e30054aa4a0fd751b5bf41c17acb278ffeb7d308b7fcc1
Instruction Fuzzy Hash: EB5146B1E04209CFDB48DFAAC8446AEFBF2AF89340F15C16AD519B7251D7349941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0778A6F1, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa2df5c665150d99db752c057e7e4a18fafc0e3a62702f558238a169b67575c
Instruction ID: ef8a4add039138c104edfb54d68c52355d90180ed807d0d95b8283c400bbe3f0
Opcode Fuzzy Hash: 4aa2df5c665150d99db752c057e7e4a18fafc0e3a62702f558238a169b67575c
Instruction Fuzzy Hash: B03128B1E006588BDB18CFAAC8446DEFBF7AFC9340F14C06AD408AA264DB351A55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CB80BA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CB8147

Strings

u~, xrefs: 00CB808A

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: u~
API String ID: 3793708945-586763898
Opcode ID: 94646e03bbc2fd105dec917ce377396a715d43fe177482ede3d5000249f7e5f5
Instruction ID: 4e2eb3fa086164eb5be0b2e1da8dc4efb6d453fad4cc7d9dda6d9f1ae1b1c239
Opcode Fuzzy Hash: 94646e03bbc2fd105dec917ce377396a715d43fe177482ede3d5000249f7e5f5
Instruction Fuzzy Hash: F7318BB59012589FCB10CFA9D884ADEBFF5EB88360F14802AE914A7351C7749A15DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 077800F8, Relevance: 2.7, Strings: 2, Instructions: 237COMMON

Download Yara Rule

Strings

Xc*l, xrefs: 07780273
Xc*l, xrefs: 07780269

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID: Xc*l$Xc*l
API String ID: 0-1041941440
Opcode ID: 61384e7e3355056192515367bcb0bb2af1ed9c3ca80eae3e12d56a1aeda0ae8f
Instruction ID: 75e641ad6ba9e0bb3687816970620f92696aeaef5d685d62429806aa2851aeed
Opcode Fuzzy Hash: 61384e7e3355056192515367bcb0bb2af1ed9c3ca80eae3e12d56a1aeda0ae8f
Instruction Fuzzy Hash: DB91E4B0B80206CFCB94EF69C488A6DB7F2BF8A290F158569D405DB761D730EC49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07387114, Relevance: 1.8, APIs: 1, Instructions: 255processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07387356

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 13fb2193b94bcfd9bdc4c055b4c3fd2edb802b1cfaf7688857e61e5b281892cc
Instruction ID: d39a739701fb289fd103dd0a68b46b18c18856121963e49796b3e0cf2defa8ba
Opcode Fuzzy Hash: 13fb2193b94bcfd9bdc4c055b4c3fd2edb802b1cfaf7688857e61e5b281892cc
Instruction Fuzzy Hash: EFA15BB1D00329CFEB50DFA4C881BEEBBB2BF48314F148569E818A7250D7749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 07387120, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07387356

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ffa4aedbdf1d7f60da5ba3b597b1873952bd4f530bbc0105a68e40361e30029d
Instruction ID: a4b6bc428f06a94cf48431d5face07761a57b3bf983f5efadf7c36b4390e9d43
Opcode Fuzzy Hash: ffa4aedbdf1d7f60da5ba3b597b1873952bd4f530bbc0105a68e40361e30029d
Instruction Fuzzy Hash: 65914AB1D10329CFEB54DFA4C881BEEBBB2BB48314F148569E818A7250D7749985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCB9A, Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CBCDEE

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a27c085b1f454cbe0bd3a0d9ffb58870be74d06e95c10f6d53c50cd633a429bd
Instruction ID: 6fcc68a1c2d216e9e1e2124606d4553ecc61db34ebc8b0bdf75bffb6a11cccbe
Opcode Fuzzy Hash: a27c085b1f454cbe0bd3a0d9ffb58870be74d06e95c10f6d53c50cd633a429bd
Instruction Fuzzy Hash: 8F813470A00B058FDB24DF2AD49579ABBF1BF88304F008A2ED49AD7A40D775E906CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00CBC0FC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00CBED6A

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4c389469aec55bc04f7ec977eb1f3e0c3a2fd5910e7f2631569b39399b6a2e20
Instruction ID: 9929101be15a242cbde7fe0f52ef26b296befea1914a8cdfea82b78b755e536f
Opcode Fuzzy Hash: 4c389469aec55bc04f7ec977eb1f3e0c3a2fd5910e7f2631569b39399b6a2e20
Instruction Fuzzy Hash: 9951C0B1D00359DFDB14CFA9C884ADEBBB5BF48714F24822AE819AB210D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00CBEC4C, Relevance: 1.6, APIs: 1, Instructions: 115COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00CBED6A

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 626301b206a8c928e13eb23f80105126a1c0085a28aa2dec2e5e4cf1f3ef9f0a
Instruction ID: 5a30eec6797df46ed458a6350986ad80e2f0eeabfa3436e7e3c1bdab2479a3a8
Opcode Fuzzy Hash: 626301b206a8c928e13eb23f80105126a1c0085a28aa2dec2e5e4cf1f3ef9f0a
Instruction Fuzzy Hash: 8851C0B1D00259DFDF14CFA9C884ADEFBB1BF48714F24862AE819AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 07386E90, Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07386F28

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0e3248c0aca8771a42155144d93e664f27a7df9cfa7a9e22344e95440d5f6537
Instruction ID: ca6ee3326d2685a2e4e15ce4522b72d54f555f2a576764f08e93d82ad7d3d2bd
Opcode Fuzzy Hash: 0e3248c0aca8771a42155144d93e664f27a7df9cfa7a9e22344e95440d5f6537
Instruction Fuzzy Hash: 6C2135B5900349DFDB10CFA9C984BDEBBF5FF88314F00842AE918A7241D778A954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07386E98, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07386F28

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8ac0a18d1c2ea4581015120377f9f5e00cfecda68ed29786f853e90f5e713a80
Instruction ID: 100e6dcfe7bcd9e5ce96fd05d2714d5cf800903241fe8de66e2d756a446cf142
Opcode Fuzzy Hash: 8ac0a18d1c2ea4581015120377f9f5e00cfecda68ed29786f853e90f5e713a80
Instruction Fuzzy Hash: 5E2146B1900349DFDB10CFA9C884BDEBBF5FF48314F00842AE918A7241D7789954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07386F81, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07387008

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: d6f39c2563dac75a2936c1973ff1eb6880fc05914f33a81f3fd3a02f08ae7e48
Instruction ID: bfe802a09f664ff2cb7a753d0153be32bd3e679238e8cdb07cb594ef5d916fe2
Opcode Fuzzy Hash: d6f39c2563dac75a2936c1973ff1eb6880fc05914f33a81f3fd3a02f08ae7e48
Instruction Fuzzy Hash: 2D2139B18003499FCB10CFAAC884ADEFBF5FF48320F108429E528A7240D774A550DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 07386CFF, Relevance: 1.6, APIs: 1, Instructions: 64threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 07386D7E

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 8005b8ad3a2af0d1511b970847a2fc8ab9ebdd1f884918bbee846fcd756706fd
Instruction ID: efa0dc77ba3fcdcf5ac3077788e34cd8913e9ac1bebcc5fb81890cd6ae700d6c
Opcode Fuzzy Hash: 8005b8ad3a2af0d1511b970847a2fc8ab9ebdd1f884918bbee846fcd756706fd
Instruction Fuzzy Hash: 192138B19003099FDB50DFAAC4857EEBBF4EF48214F14842AD519A7641CB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07386D00, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 07386D7E

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: ae728ac01f35d1d4e81fd07cc9060f28d6ea414c513af88d0e3f8ac9ee9eac96
Instruction ID: d2cc33cb0e072646d77f052c3ef99d32dd51bb16466266601553b9d183e68f53
Opcode Fuzzy Hash: ae728ac01f35d1d4e81fd07cc9060f28d6ea414c513af88d0e3f8ac9ee9eac96
Instruction Fuzzy Hash: 4E2138B19003098FDB50DFAAC4857EEBBF4EF48214F148429D519A7241CB78A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07386F88, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07387008

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: da76839e726472b59c2510ba08fee6df13dd17ba9c21712e4248308edb424ad0
Instruction ID: 49c047e6bca7a2b66bbc185a94d7ef768c230ea9c2e0bc2b38d72ebfd41a802a
Opcode Fuzzy Hash: da76839e726472b59c2510ba08fee6df13dd17ba9c21712e4248308edb424ad0
Instruction Fuzzy Hash: 482128B18003599FDB10DFAAC884BDEFBF5FF48314F10842AE518A7240D7749954DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CB80C0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CB8147

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ae651fc755b8b649aba4dc45bfa627bbba7c73f31f25825cc2f9a163e7697717
Instruction ID: c88d781d22ba61c93939f23ec1b0731ea5a19caddb16cbfe586253463266ec61
Opcode Fuzzy Hash: ae651fc755b8b649aba4dc45bfa627bbba7c73f31f25825cc2f9a163e7697717
Instruction Fuzzy Hash: B821D5B5901258DFDB10CF9AD884ADEFBF8FB48324F14842AE914A3350D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 073827D0, Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0738284B

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 16891ecde537e8ae0b641457967e8b70a90c91126bc2cbd9906c744d3766819c
Instruction ID: b49ab58ae3b7a185d994833102559b17d1d16fb1f1819e181bafb303eaa7e6fd
Opcode Fuzzy Hash: 16891ecde537e8ae0b641457967e8b70a90c91126bc2cbd9906c744d3766819c
Instruction Fuzzy Hash: 8D2106B59002499FDB10DF9AC884BDEFBF4FB48320F10842AE968A7650D374A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBBFC0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CBCE69,00000800,00000000,00000000), ref: 00CBD07A

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3f590bee73b5990c0d90cd7eab089e843449c8f502fe1d33004039a3e4d638d4
Instruction ID: 8dd0cb9685bd0c36452015e240b8923468eb7bf8e27dfae7111fa8483f244267
Opcode Fuzzy Hash: 3f590bee73b5990c0d90cd7eab089e843449c8f502fe1d33004039a3e4d638d4
Instruction Fuzzy Hash: 851117B59002489FDB10DF9AD484BDEFBF4EB48314F14842ED916A7200D375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 073827D8, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0738284B

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ee603927b7056161427bc42a32476f274bb43fa31bcf3433a9c4ef74473ca68c
Instruction ID: bfe076fce46b89251eec36f91e880981d74e3b74670e2628c15dc7150a88a483
Opcode Fuzzy Hash: ee603927b7056161427bc42a32476f274bb43fa31bcf3433a9c4ef74473ca68c
Instruction Fuzzy Hash: 4921E4B59002499FDB10DF9AC484BDEFBF4FB48320F108429E968A7250D378A644CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD008, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CBCE69,00000800,00000000,00000000), ref: 00CBD07A

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 91d0a44bef6aefb89f61d201e4f0de3b173c5882bfc84c612d9b8c1aa4b37e29
Instruction ID: 9e0c010ec5759120699449d0343e8e0934ebf6305fe40604fad576ecced692b7
Opcode Fuzzy Hash: 91d0a44bef6aefb89f61d201e4f0de3b173c5882bfc84c612d9b8c1aa4b37e29
Instruction Fuzzy Hash: 4E1117B6D002498FDB14CFAAD484BDEFBF4EB48354F10852ED425A7610C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07386DD7, Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07386E46

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 85e47792d753229bd960b2001f3e2aa3b40ffae168c8ddabf077350188da4b7e
Instruction ID: 31ce166eb98570fc466822a3e7bd3056a6e27680b8c6f395f79751d4ffa9deed
Opcode Fuzzy Hash: 85e47792d753229bd960b2001f3e2aa3b40ffae168c8ddabf077350188da4b7e
Instruction Fuzzy Hash: 5A1159718002489BDB10DFAAC844BDFBBF5AF48314F10841AD515A7210C775A550CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07386DD8, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07386E46

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7d8666d314ab9477b883cbfdfda750bbccf7a4781e079f27018a203c1525a36f
Instruction ID: 0d2b3ad94be415cb47ae9683b273fc41cec1ba3af1548454befc6b898bf2c58b
Opcode Fuzzy Hash: 7d8666d314ab9477b883cbfdfda750bbccf7a4781e079f27018a203c1525a36f
Instruction Fuzzy Hash: 381129719002499BDB10DFAAC844BDFBBF5AF48314F148419D515A7250C775A554CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 07386C48, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07386CB2

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fc36f5f8719479d617f74bdb5141433634eacf0395f16484d6c015e37a7f507a
Instruction ID: 7d3b39830ca8397e8a23f991992f81eefd0a7af824937c6caa790cbf045f5209
Opcode Fuzzy Hash: fc36f5f8719479d617f74bdb5141433634eacf0395f16484d6c015e37a7f507a
Instruction Fuzzy Hash: 201155B1D002488BDB20DFAAC4847EFFBF5EF88224F108829C559A7740D778A944CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 07386C50, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07386CB2

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9d4418ae811a851de689617180740429527060fa52da172fb2dc3d792a2fba14
Instruction ID: af2e715c9b6251f9389dd55ee1d0c374a7c574cb9d1bd1ffdcdea15fc37054e0
Opcode Fuzzy Hash: 9d4418ae811a851de689617180740429527060fa52da172fb2dc3d792a2fba14
Instruction Fuzzy Hash: D51125B19043488BDB10DFAAC4847DFFBF4AB88224F148829C559A7340C778A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBCD88, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CBCDEE

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 482ac8e300831eb1a2ba007757c6cc6afd0617e4d94062362c370f920c7dd8a8
Instruction ID: be598e88e6e710d24ef91585d27f903557db808fe027e524170e5529233a5c75
Opcode Fuzzy Hash: 482ac8e300831eb1a2ba007757c6cc6afd0617e4d94062362c370f920c7dd8a8
Instruction Fuzzy Hash: 6D11E0B5C002498FDB20CF9AC484BDEFBF4AF88324F14852AD829A7600C374A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBEE9A, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00CBEEFD

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 443f1d992f5e520dacb11ce1205013b4f715dd6a0bec3d986816b916058c2140
Instruction ID: 9cefb1547d47362cfe3fef0db41e6725ccc28e3391a9549c7ff6fc176c907be9
Opcode Fuzzy Hash: 443f1d992f5e520dacb11ce1205013b4f715dd6a0bec3d986816b916058c2140
Instruction Fuzzy Hash: 771115B5800249CFDB20CF99D484BDFFBF4EB88320F10855AD814A7600C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00CBEEA0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00CBEEFD

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 34b8c5f49024045f6db8941e3e14874f59feaf6140e7e2e2e897d47ab5ef070a
Instruction ID: f9b79dd1b7dd11f63c295c1b4888a4c2c9679cfb02322a66ef70d3c60de217bd
Opcode Fuzzy Hash: 34b8c5f49024045f6db8941e3e14874f59feaf6140e7e2e2e897d47ab5ef070a
Instruction Fuzzy Hash: C811E2B58002499FDB20CF9AD488BDEFBF8EB88724F10851AD915A7740C374A944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0738A020, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 0738A07D

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 6886c6bda1cd707ddc5f146a1785fe86b8711f81f42706635aa130b8a1cf8c86
Instruction ID: 4042ee891da0e91b6ae67a70e7dff9b51f4f951c450f73164249d162a83bf0b7
Opcode Fuzzy Hash: 6886c6bda1cd707ddc5f146a1785fe86b8711f81f42706635aa130b8a1cf8c86
Instruction Fuzzy Hash: 8211E5B58003499FDB20DF99D484BDEFBF8FB48324F14841AD918A7600C375A544CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 0778CD4F, Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

nY/, xrefs: 0778CE0A

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID: nY/
API String ID: 0-211511260
Opcode ID: cb28a76bc67a79b6307725a9304fcdaf95f5d04e24315fd94126d1d21e790582
Instruction ID: 0c9aecf8e8aac691fcd5287f43295956824a1dd56288d634ecc73be4ce2e414b
Opcode Fuzzy Hash: cb28a76bc67a79b6307725a9304fcdaf95f5d04e24315fd94126d1d21e790582
Instruction Fuzzy Hash: 504166B4E1120ADFCB44EF98D8805DDFBB1FF49350F2086AAD415AB211D730AA55CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 077820F0, Relevance: .7, Instructions: 689COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa67bef79f7a0a2c9d2f0e465e4c970469bbdd700fcb4e6201f9e3d7867d2cf1
Instruction ID: e7b3aa67a175bc67f4d7fe61f95973ec562fcdf56a1eedaf3843b7edb8d85369
Opcode Fuzzy Hash: fa67bef79f7a0a2c9d2f0e465e4c970469bbdd700fcb4e6201f9e3d7867d2cf1
Instruction Fuzzy Hash: F4525F74A0821D9FEB149BA0C850FAE7B72AF88348F11C0B9C61AAB391DF355D46DF51

Uniqueness

Uniqueness Score: -1.00%

Function 07781351, Relevance: .5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc5bce1d875e9b6f4b522a8d179d73d50bba2b55c7afb869ff891b773d070d5f
Instruction ID: 543ba63cf7a796ed111234e33463c4c0a9a3aa5a14ac95d4795bf6842277c9c5
Opcode Fuzzy Hash: dc5bce1d875e9b6f4b522a8d179d73d50bba2b55c7afb869ff891b773d070d5f
Instruction Fuzzy Hash: 55228EB0A402098FCB54DF69D484AAEBBF1FF49364F55896DE849DB261DB30EC42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 07782CEB, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1409cea30b7c9690d5b2d4963990c0aa93c2a1f008e60701506edf6e434956cb
Instruction ID: b40e9bed759610e54a5226d6ff3eb2f57764fb874c8b15f1395b69e2e37d5516
Opcode Fuzzy Hash: 1409cea30b7c9690d5b2d4963990c0aa93c2a1f008e60701506edf6e434956cb
Instruction Fuzzy Hash: F5B1D3B07A41068FDB95BB2DC558B3D37A6EF81A85F04447AE012CF3B2EA29CC41C752

Uniqueness

Uniqueness Score: -1.00%

Function 077897DF, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fcdf08612fda829d7292181f682dfa82317e7439d54638714a00c65d4cccdd3
Instruction ID: d6b7d62973b77dbdafedfc82182740f8a1f1565b67290d3d8038eb1a3162fd98
Opcode Fuzzy Hash: 1fcdf08612fda829d7292181f682dfa82317e7439d54638714a00c65d4cccdd3
Instruction Fuzzy Hash: 71A11974E1121ADFDB44DFA4D881A9EBBB2FF89304F20C625E515AB354DB30A946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 07781930, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826e06d6091dfd172ee1dfb3bd8914fb890fea00ed26e0d2f6a0d1cebf3085a6
Instruction ID: c41de4f55654c7bfb2f76288dc717a15616087c3aa00d3bf486ebb718ec2271e
Opcode Fuzzy Hash: 826e06d6091dfd172ee1dfb3bd8914fb890fea00ed26e0d2f6a0d1cebf3085a6
Instruction Fuzzy Hash: 32714DB474024A8FCB94EF28C498A6E7BF5AF4A285F5544ADE806CB371DB70DC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07784FB8, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3528f42d802657e42456e3754e78602ea06ea30c6b77c7c61eea80259122d1a
Instruction ID: 3b70edea30dd2f3fcd5c21b03518c6fddd18289a8b4977d620059e5128e0dba0
Opcode Fuzzy Hash: d3528f42d802657e42456e3754e78602ea06ea30c6b77c7c61eea80259122d1a
Instruction Fuzzy Hash: 4941DE717002048FCB58AB78D864AAE7BA6EBCD750F10846EE516DB790DF349C12CB91

Uniqueness

Uniqueness Score: -1.00%

Function 07783FAB, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d910408757fefdd654449d29bcab98cd6f770679d0daf9ef2dedab7134835cc3
Instruction ID: c383eb940e9dfc4a8089cc673df030cfe0702e2da90074579cb531e9b0d66de0
Opcode Fuzzy Hash: d910408757fefdd654449d29bcab98cd6f770679d0daf9ef2dedab7134835cc3
Instruction Fuzzy Hash: C641F3B1A4428ADFCF51DFA4C844A9EBFB2FF49394F048955E8159B251E3B5E810CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07781BD8, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df9984f7b2c6928897bb6b13a7e29cfff039fa8a79f357381bfa505a6a2957d
Instruction ID: b3f8450b3436736fa3a33f13755fcbe3e33eca0757dd95599cea93e0fc98ae94
Opcode Fuzzy Hash: 9df9984f7b2c6928897bb6b13a7e29cfff039fa8a79f357381bfa505a6a2957d
Instruction Fuzzy Hash: 2621BE7038430E4BDB657736D49477A228BAFC5699F94883CE902CB794EA29CC53E341

Uniqueness

Uniqueness Score: -1.00%

Function 07785A58, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889dc176d56e62da31c0c223be3c87a0334f5d96c5cd09d721f80ca9373fffec
Instruction ID: c289b5f62180b50c2fd62dfe0d6c9dd4237d0535795dabcebbb120bc6fd08342
Opcode Fuzzy Hash: 889dc176d56e62da31c0c223be3c87a0334f5d96c5cd09d721f80ca9373fffec
Instruction Fuzzy Hash: 8F21F6703442146BE76876358CA6F7F2A97DBC9795F248029F60ADF3C0CE759C024395

Uniqueness

Uniqueness Score: -1.00%

Function 07789F20, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6203f2efb78ebf987ec2aa7a19625745170a2fb726c770c5b5a35e74e58a7655
Instruction ID: c7ba835b26a036e3a2ff0d02e5dc311d66912f803ab4df97c9224514a4c06938
Opcode Fuzzy Hash: 6203f2efb78ebf987ec2aa7a19625745170a2fb726c770c5b5a35e74e58a7655
Instruction Fuzzy Hash: E931F9B4E042099FCB84DFA9C4809AEBBF1EF89340F10C56AD415E7755D774AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 07784FA8, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c95e3968688210c5c21af4674c48f2c9e1bb3eccddb06c84ff17c2f3d9d89a
Instruction ID: 58e14195d5f3b1486083d210c47dc0b5d885826b053c99c3ad397279b77879c0
Opcode Fuzzy Hash: 17c95e3968688210c5c21af4674c48f2c9e1bb3eccddb06c84ff17c2f3d9d89a
Instruction Fuzzy Hash: 4321DEB2B402059FCB149F68D888B9EBBB5FB8C350F148529E916D7241DB71AC11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0778A041, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762b63d78dec56ff0cb3265cfc641dbb388939d33d0968a70fb6967ca2497fb5
Instruction ID: ccad0923c45e28af4551cfe3808024ef9d6f1b42333ce680fcd2db286a2c63c5
Opcode Fuzzy Hash: 762b63d78dec56ff0cb3265cfc641dbb388939d33d0968a70fb6967ca2497fb5
Instruction Fuzzy Hash: 25315CB0E0420ADFCB44DFA9C8409AEBBF2EF89340F11C5A6D514EB355E3349A418F95

Uniqueness

Uniqueness Score: -1.00%

Function 07789F30, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97266aeb37e4a9baccb01b2b32e336642d09c8a57076bb56b9ee43361785c1b1
Instruction ID: b5fb3cdc1f0e88a4f8181d54abcf84c444226dabead1f9278597fe036d8bb5bb
Opcode Fuzzy Hash: 97266aeb37e4a9baccb01b2b32e336642d09c8a57076bb56b9ee43361785c1b1
Instruction Fuzzy Hash: E531B5B4E142099FCB88DFA9C4819AEFBF2EB88340F10D46AD819A7754D774AA41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0094D4D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679844251.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a57bee4fb1b1abd439aba4510e327fb6232c13588d266d3bce493e2038b87b9
Instruction ID: 6dfc89088a58e5a4f959dda13e72b8c2e6e25acd1a6c063a258ad2fb9f3cd974
Opcode Fuzzy Hash: 7a57bee4fb1b1abd439aba4510e327fb6232c13588d266d3bce493e2038b87b9
Instruction Fuzzy Hash: 2B213AB5504204DFDB05CF10D9C0F16BBA5FB88328F24856DF9054B24AC73AD856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0094D3EC, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679844251.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f347be84166012e8a7d6dca602f9d38799fee0eaeae8a75bf41ba3ad1ed09cd5
Instruction ID: fa0c9709277771d8209cae96d50c8f55d0b903b7e30124f6377fc7526cc7348a
Opcode Fuzzy Hash: f347be84166012e8a7d6dca602f9d38799fee0eaeae8a75bf41ba3ad1ed09cd5
Instruction Fuzzy Hash: DA213AB5505204EFDB05DF10D9C0F26BB65FB94324F24C9B9D9094B296C33AE856C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0095D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679876074.000000000095D000.00000040.00000001.sdmp, Offset: 0095D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941ceb47ff58f98d89ca9e4a4514d21b7216095e5dfc189f8695f1b226f4cfc0
Instruction ID: 6a04e843990ac3f852baa8f6b85b9f8af1d9a79b20122e5d4db93bb42ffa5003
Opcode Fuzzy Hash: 941ceb47ff58f98d89ca9e4a4514d21b7216095e5dfc189f8695f1b226f4cfc0
Instruction Fuzzy Hash: 762107B1505204EFDB25CF11D5C0B26BBA5FB84319F24C9ADDD094B246C37AD84ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0095D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679876074.000000000095D000.00000040.00000001.sdmp, Offset: 0095D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074b195cf06917fb343f6557a85aaccf468c8584fac392b605c48f1d1730da7b
Instruction ID: 832806a1af41f5af6f264cdaaa374df114aae41891adde75ccd1d057302818e3
Opcode Fuzzy Hash: 074b195cf06917fb343f6557a85aaccf468c8584fac392b605c48f1d1730da7b
Instruction Fuzzy Hash: F621F5B1504244DFDB24DF20D5C4B26BBA5FB84315F24C969DD094B286C33AD84BCB61

Uniqueness

Uniqueness Score: -1.00%

Function 0778BC68, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ff8652a321a7b89444e82aee8aa7d658444506c597f331916306ed0ba4f5e6
Instruction ID: 5ece4f3b9a2a63e99f2e089cb06378b72e6b343f9a8967f93a4bb34264a80c91
Opcode Fuzzy Hash: 60ff8652a321a7b89444e82aee8aa7d658444506c597f331916306ed0ba4f5e6
Instruction Fuzzy Hash: F82148B0E15209DFCB48DFAAC5815AEFBF1EF89340F14C4AA8405AB224DB349B51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0778BD69, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb0dfc9b733aa3b81af44156b14c18dc23958db811555226c78bf9ba9c84d80
Instruction ID: 2dff7cebf26afda5d947fc4116b2a4fff68bb4ff8602937f577aee49b618b4c5
Opcode Fuzzy Hash: 7eb0dfc9b733aa3b81af44156b14c18dc23958db811555226c78bf9ba9c84d80
Instruction Fuzzy Hash: BE2159B4E14108EFDB44DFA9C585A5EFBF2EFC8340F14C4A69419AB365DB309A11CB44

Uniqueness

Uniqueness Score: -1.00%

Function 077833C1, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67947eda9fa4c31835eb67e327ebe6d2b5578ae8fb6d5bc88297024ae17dc81c
Instruction ID: bf5fb763e666886af899a74d4dc2f0aaea70000556fe59ba49cb9c54bf16d3b9
Opcode Fuzzy Hash: 67947eda9fa4c31835eb67e327ebe6d2b5578ae8fb6d5bc88297024ae17dc81c
Instruction Fuzzy Hash: D021ADB0E001099FCB56DFA5D850EEDBBB2AF88245F28842AE804F7260DB309945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0095D005, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679876074.000000000095D000.00000040.00000001.sdmp, Offset: 0095D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57791a432e9558f9d3e637db3c722bdb660ec32916d75003935f4dc2e5fce1e
Instruction ID: cc3c54ec12e2adac857c2773f05f031fe78dd8300e46bb6a12709a831b268c4a
Opcode Fuzzy Hash: c57791a432e9558f9d3e637db3c722bdb660ec32916d75003935f4dc2e5fce1e
Instruction Fuzzy Hash: 7B215E755093808FDB12CF20D994B15BF71EB46314F28C6EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 077887F8, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2499185adbb29578fa5044fed4018db24bfbab96b998a5009f5496a5d8ed945
Instruction ID: c81f36375daf3c1ca8b9de1afd7f7a2e2a4a99eaa522e3fe593956c7ac7ba3ad
Opcode Fuzzy Hash: e2499185adbb29578fa5044fed4018db24bfbab96b998a5009f5496a5d8ed945
Instruction Fuzzy Hash: 571132B1A7A2859FE746EBB4E8510CEBFBAEF87294B15C4F3C105D7101E6348A148352

Uniqueness

Uniqueness Score: -1.00%

Function 0094D4D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679844251.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction ID: b868b9dd2a78a489244e9886c50ca0d999e44b438ce1727a08330662f0d7e063
Opcode Fuzzy Hash: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction Fuzzy Hash: 3E11D376404280CFCB11CF10D5C4B16BF71FB98324F2486A9E8054B65AC33AD856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0094D3E7, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679844251.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction ID: cd8f58b3b9473a87eb91594c7ecdf8da1c0d6eb326f254103d0d3731e2418089
Opcode Fuzzy Hash: 2330691ba4d7911e2eb2ecb7cf07cc4824dc234649578f840251faf07cc16324
Instruction Fuzzy Hash: F711D376405280DFCB11CF10D5C4B16BF72FB94320F24C6A9D8080B666C33AE856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0095D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679876074.000000000095D000.00000040.00000001.sdmp, Offset: 0095D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
Instruction ID: 609a8c9b844a39a993ce04f6254c3fce09841c7de45117a3f8ca9f3826297804
Opcode Fuzzy Hash: bbf2c8cf6e9aa963d3f8e87034f12a02946631990a170d17c82b680eb3c0f293
Instruction Fuzzy Hash: E1118B75905280DFDB21CF10D5C4B15BBB1FB84324F28C6ADDC494B656C33AD84ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0778A9D2, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be05d23edc487e2eadc253a854e977033aa94d6db586f9491d1778298d17b6b7
Instruction ID: 7c34f5577bc9633aca1aabf8dcdce0ece6bb54e5a21eb7a5ad66945f02103447
Opcode Fuzzy Hash: be05d23edc487e2eadc253a854e977033aa94d6db586f9491d1778298d17b6b7
Instruction Fuzzy Hash: 5521E278906358CFCBA4CF69C980A99BBB1FF49311F2195DAE449AB394D7349E80CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0094D7E9, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679844251.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a10c44ddb477edfd42d450d4d25178e7e32d64762b8bef95f40dc7c77573ea6f
Instruction ID: 62deb1d2f79379b03cdb79d9070a24b65d61e1f663a7c2ef141fe49d08c8a7c9
Opcode Fuzzy Hash: a10c44ddb477edfd42d450d4d25178e7e32d64762b8bef95f40dc7c77573ea6f
Instruction Fuzzy Hash: 1D01F77540A3449AE7208B16CCC4F76FB9CDF81724F18C45AED045A346D3789C44C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 07788858, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df526a1273a8548bd9577392fbc2fc948447ca9915af4b86d5d4e9c44e4a1db
Instruction ID: ec67cdb35e7a746c981993300deeceb72a7a90a082e1e93079b9bfedc9a672b9
Opcode Fuzzy Hash: 4df526a1273a8548bd9577392fbc2fc948447ca9915af4b86d5d4e9c44e4a1db
Instruction Fuzzy Hash: 7B01D470A75205EFDB88EFB4D54914EBAFAEF8A381F60C075C409E3204E7349A61DB56

Uniqueness

Uniqueness Score: -1.00%

Function 0094D7E8, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.679844251.000000000094D000.00000040.00000001.sdmp, Offset: 0094D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d3eaf2cef7e427b7d682d8c54488f3d209d7506b0adbfacb43a11bfd619ca2
Instruction ID: 4b238d8d1303bce60176e96501f40cdde01a98ab1ffb6b491599f3789afe3a60
Opcode Fuzzy Hash: a1d3eaf2cef7e427b7d682d8c54488f3d209d7506b0adbfacb43a11bfd619ca2
Instruction Fuzzy Hash: EEF06D75409284AAEB208B16DCC4B62FFACEB81734F18C55AED085B286D3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0778C908, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ef50402af84fd6e165e0b0ea99561c3344137bd76b74f50bc2bb3207b000685
Instruction ID: 81245c4ce4ad2ae11a82a4ee8378aef3fba62a5a9c4f77c78d4a9ff23acf3b52
Opcode Fuzzy Hash: 7ef50402af84fd6e165e0b0ea99561c3344137bd76b74f50bc2bb3207b000685
Instruction Fuzzy Hash: E201C4B4D002499FCB40DFA8D4856AEBFF4FB48341F2181AAD958E7341E7349A90DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0778A158, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dca9fe337cf458ea230eff9747aa22d9d405872ef6483d0e479b5a24a10cfd3
Instruction ID: 5931818c78fb30f1393e79f2de6c4ae6b6c6577f0ca0df268368d3eb3d8f5342
Opcode Fuzzy Hash: 6dca9fe337cf458ea230eff9747aa22d9d405872ef6483d0e479b5a24a10cfd3
Instruction Fuzzy Hash: FAF039B0D00208EFCB04EFA8D841AAEBBB0FB09305F1085AAD814A7300D7319A61DF80

Uniqueness

Uniqueness Score: -1.00%

Function 077890E0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a41d42aa837aa9734a47b626b6f56576ec5272731073c6590e2e7066440c60
Instruction ID: 68ab2fc52faf768e927c04267b190f8c49f480f7661933e80c00ff471d5b2881
Opcode Fuzzy Hash: f1a41d42aa837aa9734a47b626b6f56576ec5272731073c6590e2e7066440c60
Instruction Fuzzy Hash: 0AE03070D081198FDB14DBA1C840B9DB7B2EB89344F00C0A6D245B7214DF3059418F21

Uniqueness

Uniqueness Score: -1.00%

Function 0778ACD1, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8af3fc382a483d46aff0ebaeecbf1c0f6f2ace61eb853867a4f598a58836959
Instruction ID: 36f728981a279f79d945b1faf328f7a5874e29ff77fa07842b07ebeed2301507
Opcode Fuzzy Hash: a8af3fc382a483d46aff0ebaeecbf1c0f6f2ace61eb853867a4f598a58836959
Instruction Fuzzy Hash: 38F02278911268CFDBA0DF55C980AD9BBB1EB1A315F1091D9E849A7314D631AEC1CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07788ABD, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434c720d57a2878a764008bb51cb6863881f1bdfe286542aaa308d9ca6370296
Instruction ID: cdc9a9f6c6191b88202e76bc2a819421c67b4d6495cbf125ee3a06620da04d5a
Opcode Fuzzy Hash: 434c720d57a2878a764008bb51cb6863881f1bdfe286542aaa308d9ca6370296
Instruction Fuzzy Hash: 13F0C9B0D152299BDB94DB68C851B9AB7B2BB85344F0082E5D119AB384D7309A85CF02

Uniqueness

Uniqueness Score: -1.00%

Function 0778B90A, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 446f71a569a921254d5f217a3da4a2f44ff2f9928fdebbeace9d334b5800f165
Instruction ID: 9a8e03025b4ed96fefc1f228f358d67325dcfd59436e454b0394d4bb53b2155a
Opcode Fuzzy Hash: 446f71a569a921254d5f217a3da4a2f44ff2f9928fdebbeace9d334b5800f165
Instruction Fuzzy Hash: 1CE04674A00219CFCB40CFA4C5818AEBFF1FF4A240F154024E409E7220D339D942CF40

Uniqueness

Uniqueness Score: -1.00%

Function 07788FB6, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66d94ace98509fa639280b17354dadee32327559562b1331844f4c89ce21857
Instruction ID: a6b00a8a23017de7d9d47e27d4689b62c553350d53f66a35b4bac9e3cde5aec5
Opcode Fuzzy Hash: e66d94ace98509fa639280b17354dadee32327559562b1331844f4c89ce21857
Instruction Fuzzy Hash: 12E0127091026A8FDBA4DF64CC40B9CB7B2FB88244F5089AAC40DA7264EB305A85CF20

Uniqueness

Uniqueness Score: -1.00%

Function 07788F97, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe1593e7ade142a2a325aa32b3a3137ba79e896fee930f1e77591bbd352e7b3
Instruction ID: a8aa7774a49f88f8733336b4e00d0e040386e9b99f4cf2fe7e57ad8e03959f61
Opcode Fuzzy Hash: 0fe1593e7ade142a2a325aa32b3a3137ba79e896fee930f1e77591bbd352e7b3
Instruction Fuzzy Hash: 97D05EB09A02298FCB84EFA5C8447DDF3B1FB95348F948D65D418E7624E7309A068F21

Uniqueness

Uniqueness Score: -1.00%

Function 077803A8, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434cbf4ee8463d09a6a53e2bac73382984b2eb877ec36972f737108053cd59ae
Instruction ID: 4a6199a33447f9008253f843ed4222b47fdfe87ec4a6c9ab73d5f3b3c15f3274
Opcode Fuzzy Hash: 434cbf4ee8463d09a6a53e2bac73382984b2eb877ec36972f737108053cd59ae
Instruction Fuzzy Hash: D3C012340982084BD584FB70E452919771AE6C0169740C870D6084A029EF745609DA85

Uniqueness

Uniqueness Score: -1.00%

Function 0778AED1, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286950fad91fdcae4a6d1fb827f0f6079a6ef9e352b7b903e4f4d5e79a01ccb3
Instruction ID: ebd8ae862fcfb91b9f78a8ceb0d83b14c352789f12ba2ab9dc56e87fb452e817
Opcode Fuzzy Hash: 286950fad91fdcae4a6d1fb827f0f6079a6ef9e352b7b903e4f4d5e79a01ccb3
Instruction Fuzzy Hash: 54D0C970552395CFC784CBA4D644858BBB6BB89351F618499E006DA228C739DA80CE00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 073832F9, Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

~"Q, xrefs: 07383658

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID: ~"Q
API String ID: 0-422021585
Opcode ID: 93a6daf66c2b32b3fecad7db697961721af220ae8d9584d74778d61284511441
Instruction ID: a99283d66dedb4e37f8d613e85c9e600768c74b36ba55e5c2dd9adf47c11ea18
Opcode Fuzzy Hash: 93a6daf66c2b32b3fecad7db697961721af220ae8d9584d74778d61284511441
Instruction Fuzzy Hash: 4AD147B4E14259CFDB54DFA8C980AADFBB2BF89304F24815AD809AB355D7309D41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07383337, Relevance: 1.5, Strings: 1, Instructions: 277COMMON

Download Yara Rule

Strings

~"Q, xrefs: 07383658

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID: ~"Q
API String ID: 0-422021585
Opcode ID: 0492bafe8ff5d3e63a661779689417b822643b2d65e7a0f6a06bd3c9dfbe8835
Instruction ID: 7e80336c43d0187b5a8047d2653ac35a508d5538ec55c0dc27c6cefadb28c4fc
Opcode Fuzzy Hash: 0492bafe8ff5d3e63a661779689417b822643b2d65e7a0f6a06bd3c9dfbe8835
Instruction Fuzzy Hash: AED139B4E142598FDB50DFA8C980AADFBB2FF89304F25925AD409AB355D7309D41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 07386210, Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

.7, xrefs: 07386276

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID: .7
API String ID: 0-1633134665
Opcode ID: 0aa8368feb2cf037df864d7e5ccdf242e7ffa92471739b543e74cba0f7614b94
Instruction ID: ac9701a629e3a04a492dac58ba137e0e99c1286a43f72d58f232666afaf193e1
Opcode Fuzzy Hash: 0aa8368feb2cf037df864d7e5ccdf242e7ffa92471739b543e74cba0f7614b94
Instruction Fuzzy Hash: 22812AB4E14229CFDB54DF65C9819ADFBB2BF89344F24C1AAD408A7216D7309E41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0738620D, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

.7, xrefs: 07386276

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID: .7
API String ID: 0-1633134665
Opcode ID: 38f8e0bacc71934b2190b7410b6316bbe667898e588be93f77d8265299a979eb
Instruction ID: f166c9b78ab3c3e10b25d63f4ce0461dd19bf5fe4cd362632aa77235031a7930
Opcode Fuzzy Hash: 38f8e0bacc71934b2190b7410b6316bbe667898e588be93f77d8265299a979eb
Instruction Fuzzy Hash: 5D8139B4E14269CBDB54DF65C9819ADFBB2BF89304F24C1AAD408A7216D7309E41CF61

Uniqueness

Uniqueness Score: -1.00%

Function 07384955, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

%AG~, xrefs: 073849BE

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID: %AG~
API String ID: 0-3480609310
Opcode ID: 8d6dd9dc7f36158de7c643a92e64043409e22385c8519a14e0c4069846e583ae
Instruction ID: d4a7b4da1eb81e67ec5ea3a3266b7e8c73b8ab4fd241736d5b5a030a2befb4e4
Opcode Fuzzy Hash: 8d6dd9dc7f36158de7c643a92e64043409e22385c8519a14e0c4069846e583ae
Instruction Fuzzy Hash: 8E4129B0E152199FDB58CFAAD981BAEFBF6EB89300F10C06AD50CA7754DB305A418F50

Uniqueness

Uniqueness Score: -1.00%

Function 001E2C24, Relevance: .5, Instructions: 456
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E001E2C24() {
				void* _t57;
				intOrPtr* _t59;
				void* _t186;
				intOrPtr* _t187;
				void* _t188;
				intOrPtr* _t192;
				void* _t197;
				void* _t198;
				intOrPtr* _t206;
				void* _t211;

				_push(es);
				_t187 = _t186 -  *((intOrPtr*)(_t192 + 0x2b));
				_push(ss);
				_t59 = _t57 +  *_t206 +  *_t192;
				if(_t59 == 0) {
					 *_t59 =  *_t59 + _t59;
					_t59 = _t59 + 0x28 +  *((intOrPtr*)(_t59 + 0x28));
					 *_t187 =  *_t187 + _t188;
				}
				_t198 = _t197 -  *((intOrPtr*)(_t211 + 7));
			}

0x001e2c24
0x001e2c25
0x001e2c2a
0x001e2c2b
0x001e2c2d
0x001e2c2f
0x001e2c33
0x001e2c35
0x001e2c35
0x001e2c36

Memory Dump Source

Source File: 00000000.00000002.679050024.00000000001E2000.00000002.00020000.sdmp, Offset: 001E0000, based on PE: true

Associated: 00000000.00000002.679039860.00000000001E0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.679185423.00000000002BA000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182d7e10b48f7d934b5c7415660b4e631ee497013a0af1571f19b6b85cc43790
Instruction ID: 19fc69bf649d45f22f4a9ab35cb3fc1d2402be8fdadfa18331f5d7a02bf301bd
Opcode Fuzzy Hash: 182d7e10b48f7d934b5c7415660b4e631ee497013a0af1571f19b6b85cc43790
Instruction Fuzzy Hash: 6002CB6640E3D28FC7178F788DA96D47FB0EE6721031E46C7D4C08F0A7E628A55ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 07384148, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9d5c10f24edf452bef545de06767b66b18deb78e9d2cb4793326169ef4f2c4
Instruction ID: e78fc011e6692bf8e56e55f7211d4aaca0f2357588e1623bfde3de46d1d063d9
Opcode Fuzzy Hash: ae9d5c10f24edf452bef545de06767b66b18deb78e9d2cb4793326169ef4f2c4
Instruction Fuzzy Hash: E1B159B0E1529ACBEF44DFA9C98059EFBF2BF99300F24C125C409ABB14D73499428B64

Uniqueness

Uniqueness Score: -1.00%

Function 00CBA10C, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48df6790bb15d5cd4d80d83cbf4dc97dfc3484830a3bb190a83d9f1d6af01341
Instruction ID: d32f97a86928b96799aa6d357400148fd8016ec40054f090e4296be91ab2030a
Opcode Fuzzy Hash: 48df6790bb15d5cd4d80d83cbf4dc97dfc3484830a3bb190a83d9f1d6af01341
Instruction Fuzzy Hash: 9EA14A32E0061A8FCF15DFA5C8845DEB7B2FF85300F15816AE916AB221EB71EE15DB40

Uniqueness

Uniqueness Score: -1.00%

Function 07384142, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f163a50e98a5a012cbdac6d96601ee1587f7bb10b033ee76bfedf22be015a2ac
Instruction ID: 68972db89531dc545011d2b4132b055785b77bb3b1c14f145225322a84960d3d
Opcode Fuzzy Hash: f163a50e98a5a012cbdac6d96601ee1587f7bb10b033ee76bfedf22be015a2ac
Instruction Fuzzy Hash: B7B149B0E1529ACBEB44DFA9C98059EFBF2BF99300F24C525C409ABB54D73499428B64

Uniqueness

Uniqueness Score: -1.00%

Function 00CBD4E8, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.680126958.0000000000CB0000.00000040.00000001.sdmp, Offset: 00CB0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae4698df2518330a31b98aedfd57eff46d46061cebb7b340f26c21debfa04041
Instruction ID: d45fea3b397efde07c17dc053ea231726e18405a77bc7f170f38868b29bf9454
Opcode Fuzzy Hash: ae4698df2518330a31b98aedfd57eff46d46061cebb7b340f26c21debfa04041
Instruction Fuzzy Hash: F3C127B1912F668BD710CF65EC983AD7BA1BB85328F51430BD2652BAF0D7B4104ADF84

Uniqueness

Uniqueness Score: -1.00%

Function 07384657, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28973a489b25ee1fe85845f4879ba992e372a5a747251ae27c734f73e8eb459
Instruction ID: 2ae1f635e651f5e1e3e0e7c50b866988dc9cb37752de97ee54eef2211c06f4f8
Opcode Fuzzy Hash: c28973a489b25ee1fe85845f4879ba992e372a5a747251ae27c734f73e8eb459
Instruction Fuzzy Hash: 0A718CB0E0528ACBDB44DFAAD4805AEFBF6FF89310F14C429D519AB654D7349A418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 07384668, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12b77748bbba2a015a7e3aeda8988164f381085eaf3e3068cb1797f9732e285
Instruction ID: 8a3414b7d120ca72814c3ec499558aaa9db92dd4fc45a56e2ab2c79d5d965c22
Opcode Fuzzy Hash: f12b77748bbba2a015a7e3aeda8988164f381085eaf3e3068cb1797f9732e285
Instruction Fuzzy Hash: FF617AB0E0024ACBDB44DFAAC4805AEFBF6EF89314F14D429D519AB754E7349A418FA0

Uniqueness

Uniqueness Score: -1.00%

Function 0738001F, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618ce70c447c238f5f9f3314f58a0f945ff50e4947ddca32069d268824e55d3e
Instruction ID: 0af2151c17de04ccfb56c7e45a59e06a0202f7f1c8560e6c282dba9366a1eb93
Opcode Fuzzy Hash: 618ce70c447c238f5f9f3314f58a0f945ff50e4947ddca32069d268824e55d3e
Instruction Fuzzy Hash: 48518BB1E056598FEB58CF6B8C4578AFBF3AFC9200F14C1BA850CA6265DB340A85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0778D782, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5887f966838c43f9cc1d846e17431cd2251c5cb9e4bbc0b70cbc6a01b014ca31
Instruction ID: 3c5b988c613ac1ea71bcba4e26c980998227e131dba4b7a74dacf899b28cb643
Opcode Fuzzy Hash: 5887f966838c43f9cc1d846e17431cd2251c5cb9e4bbc0b70cbc6a01b014ca31
Instruction Fuzzy Hash: EA4129B0E1460A9FDB54DFAAC4805AEFBF2BF8D350F24C46AC415A7294D3349642CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07380040, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3136a977024a9c5c2eeef83055ea38a30ac1dbaaefaf59b52b5d6f6063fda7ca
Instruction ID: 5e1257703d846d91d650ad0eb5059c021ce7a997a3058c203b7746a6529076d6
Opcode Fuzzy Hash: 3136a977024a9c5c2eeef83055ea38a30ac1dbaaefaf59b52b5d6f6063fda7ca
Instruction Fuzzy Hash: 8D515AB1E006198BEB68CF6BC94579EFAF3BFC9304F14C1BA850CA6214DB300A958F11

Uniqueness

Uniqueness Score: -1.00%

Function 0778D790, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.692512379.0000000007780000.00000040.00000001.sdmp, Offset: 07780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceadc5beab9ceaadd4102e0e663e65d907c9b8c7dffb54200b7e168d90971e1a
Instruction ID: fdc3d2f5ffe7e62ae0a7b8ff622d08763fa059367fbfc12645958b36e481cf12
Opcode Fuzzy Hash: ceadc5beab9ceaadd4102e0e663e65d907c9b8c7dffb54200b7e168d90971e1a
Instruction Fuzzy Hash: E441E5B0E1460A9BDB48DFAAC5815AEFBF2FB8D350F24D42AC415B7254E3349A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07383808, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f12daf454a7232f45f6e2db8b139a5490f5db4eef983ab4bee31efb663f5e69
Instruction ID: 777a6776dfc08261962e420d86d2849ddc314fa090756c35e850404d21969de7
Opcode Fuzzy Hash: 9f12daf454a7232f45f6e2db8b139a5490f5db4eef983ab4bee31efb663f5e69
Instruction Fuzzy Hash: C331ADB1E1A2959FDB09CF66D8406DEFFB6AFCA200F14C0A7D448AB222D7304A15CB51

Uniqueness

Uniqueness Score: -1.00%

Function 07385BC0, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e524aad51c61664ed7a0d991189b105cbcf588df386d5b3a71a02af5e12ad7d
Instruction ID: 5d2d63362e29d5373ed3903535924ebcaecb8c4fb0964865f013a57d4c33d91a
Opcode Fuzzy Hash: 5e524aad51c61664ed7a0d991189b105cbcf588df386d5b3a71a02af5e12ad7d
Instruction Fuzzy Hash: 0E3168B0E222199BEB48CFAAD9815AEFBF7BBC9210F14C12AD409B7254D7304A018F50

Uniqueness

Uniqueness Score: -1.00%

Function 07383838, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec6de1f684808ccb0b59ae1cb7c156078174ef13b126650c6401a61ab23e964
Instruction ID: f8afef851ee8ed9cc18fba1214fef0b4ee63b3231b8af4e3d9b99a36f8fef86c
Opcode Fuzzy Hash: 0ec6de1f684808ccb0b59ae1cb7c156078174ef13b126650c6401a61ab23e964
Instruction Fuzzy Hash: 3F214AB1E152199BEB48CFAAD94569EFBF7AFC8300F14C03AD408AB364DB305A45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 07383210, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.691935129.0000000007380000.00000040.00000001.sdmp, Offset: 07380000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded635a6766c4ce7d4a566a0a0858139a84ef825d4229cc1152b2da74b921764
Instruction ID: eaf81143efd9e1cf17d7ac34d5a9dad909d41fba2df8263e9249d34ab48c04bc
Opcode Fuzzy Hash: ded635a6766c4ce7d4a566a0a0858139a84ef825d4229cc1152b2da74b921764
Instruction Fuzzy Hash: 70112CB1E112199BEB48CFAAD94169EFBF7EBC9600F14C03AD408A7314DB305A518B50

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 4164 Parent PID: 7028 T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCOMMON

Executed Functions

Function 0041826A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0041826A(void* __eax, void* __edi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t20;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				asm("movsd");
				_t15 = _a4;
				_t32 = _a4 + 0xc48;
				E00418DC0(__edi, _a4, _t32,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t20 =  *((intOrPtr*)( *_t32))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t31, _t34); // executed
				return _t20;
			}

0x0041826e
0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 004182AD, 004182B4
R=A, xrefs: 00418292, 004182A0

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: e4d14842bb087fc98d619dea8e6f7a977b267004ade3294232af9d8594a33d30
Instruction ID: e9e0998607bea7e7cc0b8a1f29ca1e73b5fed5e855c2cf8eead2bcebcb3dc59e
Opcode Fuzzy Hash: e4d14842bb087fc98d619dea8e6f7a977b267004ade3294232af9d8594a33d30
Instruction Fuzzy Hash: 3BF01DB6210045ABCB04DF98D890DEB77ADFF8C354B15864DFE5D97202C634E855CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}

0x00418273
0x0041827f
0x00418287
0x00418292
0x004182ad
0x004182b5
0x004182b9

APIs

NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5

Strings

R=A, xrefs: 004182AD, 004182B4
R=A, xrefs: 00418292, 004182A0

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: R=A$R=A
API String ID: 2738559852-3742021989
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041839A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041839A(signed int __eax, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28) {

				if ((__eax & 0x276678a0) >= 0) goto L3;
			}

0x0041839f

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Strings

)zA, xrefs: 004183FF, 0041840C

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: )zA
API String ID: 2167126740-483804167
Opcode ID: 402d84d8e7c438e1ba9ce69849eabaa5df1aa3944c7e5ad4102d93dbc5c78b6f
Instruction ID: ce0d02a3d783eeb29b2ccfa86ec0c49f2f78b9eeb23b083cb934913116641df3
Opcode Fuzzy Hash: 402d84d8e7c438e1ba9ce69849eabaa5df1aa3944c7e5ad4102d93dbc5c78b6f
Instruction Fuzzy Hash: 140116B2200209AFCB04DF99DC81EEB73ADEF88714F10850DFE1997241DA34E820CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0

Uniqueness

Uniqueness Score: -1.00%

Function 010D9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010D986A

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c9be0bcbb45b78ff0e2b5289938954362063f9f3d8e704af24dd00adfb7245a2
Instruction ID: 09b2316b3d24269e109c10f68dd279f59ffa22bb0f8cdb93005821d0aaec2e94
Opcode Fuzzy Hash: c9be0bcbb45b78ff0e2b5289938954362063f9f3d8e704af24dd00adfb7245a2
Instruction Fuzzy Hash: 2790027120100917D111619A85087170149E7D02C1F91C412A4814558DD6968962B261

Uniqueness

Uniqueness Score: -1.00%

Function 010D9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010D966A

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c946b5df03977c7352cf7dca229a7fd9ee92c6566c2ae8a3cd402507bc12dc04
Instruction ID: 72ea6a4300fd50ceea27f99581153f772c3a6ff8f934798a3a0a169165d3e4cf
Opcode Fuzzy Hash: c946b5df03977c7352cf7dca229a7fd9ee92c6566c2ae8a3cd402507bc12dc04
Instruction Fuzzy Hash: 6F90027120100D06D180719A840865A0145E7D1381F91C015A4415654DCA558A6977E1

Uniqueness

Uniqueness Score: -1.00%

Function 010D96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010D96EA

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98ed3176b20d8331d02f61ea8b5c6365b6f866a779b040018a82c3d2f63af7e3
Instruction ID: a41f7e53e82acfa6aeec5a071e796384dec51f16c7cd2edea3be5a9c2f9f27ae
Opcode Fuzzy Hash: 98ed3176b20d8331d02f61ea8b5c6365b6f866a779b040018a82c3d2f63af7e3
Instruction Fuzzy Hash: 1E90027120108D06D110619AC40875A0145E7D0381F55C411A8814658DC6D588A17261

Uniqueness

Uniqueness Score: -1.00%

Function 004088B0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6

Uniqueness

Uniqueness Score: -1.00%

Function 004184C3, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d4bf495cb6b2f7158607f587fc980670498cb54fb4976acfd9385afcc1eddcb9
Instruction ID: 8d1bc7d2bb9a21ab2fec779cdc8dbcd83cdd7f5ea9abd3e72fdc322e110b62bd
Opcode Fuzzy Hash: d4bf495cb6b2f7158607f587fc980670498cb54fb4976acfd9385afcc1eddcb9
Instruction Fuzzy Hash: A3F06DB22002147BCB14EFA9DC85DE77769EF84320F11859AFD589B242DA30ED508BF0

Uniqueness

Uniqueness Score: -1.00%

Function 00418456, Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9166814a1b9337c75d0b10b6963e62a533780551f2b3932bf76439c922d6724e
Instruction ID: f19b84f3fb4b98287ed207175da4bbbd0e4a5beff73ed650df0103b647d0ac5a
Opcode Fuzzy Hash: 9166814a1b9337c75d0b10b6963e62a533780551f2b3932bf76439c922d6724e
Instruction Fuzzy Hash: E8F0A072204314ABD728EF84EC85EE7776DEF84350F01849DFA485B251DA36EA14C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 010D967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010D9694

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0eb81ac12257fa55b5b505d9fa9522ac7c75c9b37e5a3361e5ad8702436937d8
Instruction ID: d08e5f96a35dcef0a29cfa6a6df89c15eac906ceaad90fc7e21433f6cc1821cf
Opcode Fuzzy Hash: 0eb81ac12257fa55b5b505d9fa9522ac7c75c9b37e5a3361e5ad8702436937d8
Instruction Fuzzy Hash: E1B09B719015C5C9D651D7B5460C7277A40B7D4745F16C051D1420645B4778C491F7B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0114B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0114B314
The resource is owned exclusively by thread %p, xrefs: 0114B374
The critical section is owned by thread %p., xrefs: 0114B3B9
an invalid address, %p, xrefs: 0114B4CF
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0114B305
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0114B476
The instruction at %p referenced memory at %p., xrefs: 0114B432
Go determine why that thread has not released the critical section., xrefs: 0114B3C5
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0114B2DC
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0114B39B
*** Resource timeout (%p) in %ws:%s, xrefs: 0114B352
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0114B38F
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0114B484
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0114B53F
*** then kb to get the faulting stack, xrefs: 0114B51C
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0114B323
*** enter .cxr %p for the context, xrefs: 0114B50D
The resource is owned shared by %d threads, xrefs: 0114B37E
*** enter .exr %p for the exception record, xrefs: 0114B4F1
read from, xrefs: 0114B4AD, 0114B4B2
*** An Access Violation occurred in %ws:%s, xrefs: 0114B48F
<unknown>, xrefs: 0114B27E, 0114B2D1, 0114B350, 0114B399, 0114B417, 0114B48E
The instruction at %p tried to %s , xrefs: 0114B4B6
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0114B3D6
This failed because of error %Ix., xrefs: 0114B446
a NULL pointer, xrefs: 0114B4E0
write to, xrefs: 0114B4A6
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0114B2F3
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0114B47D
*** Inpage error in %ws:%s, xrefs: 0114B418

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: e57130bb476e4b9f55ea0c4a8eaf252435d801e20ac0a155371e946491c96d3f
Instruction ID: 6624d8a159faecc6e984463aa32e3c9978ad3b67dcab390527ca9c3977cfbc87
Opcode Fuzzy Hash: e57130bb476e4b9f55ea0c4a8eaf252435d801e20ac0a155371e946491c96d3f
Instruction Fuzzy Hash: 73812231A4C220FFDB2D7A4ACC85EBB3B26AF56EA5F450048F5846F152D361C421DBB6

Uniqueness

Uniqueness Score: -1.00%

Function 01151C06, Relevance: 31.4, Strings: 25, Instructions: 195COMMON

Download Yara Rule

Strings

heap_failure_multiple_entries_corruption, xrefs: 01151C8A
HEAP[%wZ]: , xrefs: 01151C30, 01151CF7, 01151D42, 01151D8B, 01151DD4, 01151E25, 01151E6D
Parameter3: %p, xrefs: 01151DEE
heap_failure_entry_corruption, xrefs: 01151C83
HEAP: , xrefs: 01151C16, 01151C3D, 01151D04, 01151D4F, 01151D98, 01151DE1, 01151E32, 01151E7A
heap_failure_block_not_busy, xrefs: 01151CA6
Heap error detected at %p (heap handle %p), xrefs: 01151C50
heap_failure_invalid_argument, xrefs: 01151CAD
heap_failure_buffer_overrun, xrefs: 01151C98
heap_failure_cross_heap_operation, xrefs: 01151CC2
Parameter2: %p, xrefs: 01151DA5
heap_failure_usage_after_free, xrefs: 01151CBB
Parameter1: %p, xrefs: 01151D5C
heap_failure_generic, xrefs: 01151C7C
heap_failure_lfh_bitmap_mismatch, xrefs: 01151CD7
Last known valid blocks: before - %p, after - %p, xrefs: 01151E45
heap_failure_buffer_underrun, xrefs: 01151C9F
Error code: %d - %s, xrefs: 01151D12
heap_failure_virtual_block_corruption, xrefs: 01151C91
heap_failure_unknown, xrefs: 01151C75
heap_failure_listentry_corruption, xrefs: 01151CD0
heap_failure_internal, xrefs: 01151C6E
heap_failure_invalid_allocation_type, xrefs: 01151CB4
heap_failure_freelists_corruption, xrefs: 01151CC9
Stack trace available at %p, xrefs: 01151E86

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: f7fe7ab6865943dbf4b4d0154c9b487a4320dc46bf312c311ee66502c8d2c781
Instruction ID: 8025b455f56f7cf06738b97bc10e0b061a31759b62e6586a20c6ad4472d35d90
Opcode Fuzzy Hash: f7fe7ab6865943dbf4b4d0154c9b487a4320dc46bf312c311ee66502c8d2c781
Instruction Fuzzy Hash: 7F610732524141FFD7AFB74AE494F2873A5EB05D3074A803AFC995F311D76598808B1B

Uniqueness

Uniqueness Score: -1.00%

Function 010CC9BF, Relevance: 14.2, Strings: 11, Instructions: 412COMMON

Download Yara Rule

Strings

SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 0110AB0E
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 0110AC0A
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 0110AAC8
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 0110ABF3
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 0110AC2C
@, xrefs: 0110ABA3
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 0110AAA0
RtlpResolveAssemblyStorageMapEntry, xrefs: 0110AC27
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 0110AA1A
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 0110AA11
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 0110A8EC

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 697b961d89b1e4eef72c5cf5a80906fc7cb47b829de711ccf6bebf14df620c1e
Instruction ID: a0e221e26d24173043216a65868ecc6450fb76947caa91a152a5305cbeff48aa
Opcode Fuzzy Hash: 697b961d89b1e4eef72c5cf5a80906fc7cb47b829de711ccf6bebf14df620c1e
Instruction Fuzzy Hash: 0D028FB1D002299FEB25DB14CD80BEEB7B8AF54704F4141DAE64DA7281EB709E84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 01154AEF, Relevance: 11.8, Strings: 9, Instructions: 529COMMON

Download Yara Rule

Strings

Heap block at %p is not last block in segment (%p), xrefs: 01154FD6
HEAP[%wZ]: , xrefs: 01154EE1, 01154F0D, 01154F5D, 01154FBA, 0115501D, 01155061, 011550FA
Free Heap block %p modified at %p after it was freed, xrefs: 01154F2F
HEAP: , xrefs: 01154F1A, 01154F6A, 01154FC7, 0115502A, 0115506E, 011550B6, 01155107
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 011550C6
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 0115508C
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 01155119
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 01154F81
Heap block at %p has incorrect segment offset (%x), xrefs: 0115503B

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: 7b6fb1dd6764259483ed2cf9175af7beb2f9d9c5cc53d4750ffdc2b25fef78e9
Instruction ID: d96c7a141b0b87416cf6d9b95eaed1d9c284147360a1fd0fe368ad58b0643468
Opcode Fuzzy Hash: 7b6fb1dd6764259483ed2cf9175af7beb2f9d9c5cc53d4750ffdc2b25fef78e9
Instruction Fuzzy Hash: 5312D130600642DFEB6DDF2DC494BBABBF1EF45710F158459E8A68BA41E774E880CB91

Uniqueness

Uniqueness Score: -1.00%

Function 011531DC, Relevance: 10.2, Strings: 8, Instructions: 190COMMON

Download Yara Rule

Strings

Invalid ReserveSize parameter - %Ix, xrefs: 0115322C
Invalid CommitSize parameter - %Ix, xrefs: 01153295
Specified HeapBase (%p) is free or not writable, xrefs: 011533D8
HEAP[%wZ]: , xrefs: 01153213, 0115327A, 011532C3, 01153328, 01153376, 011533BD
May not specify Lock parameter with HEAP_NO_SERIALIZE, xrefs: 011532DB
HEAP: , xrefs: 01153220, 01153287, 011532D0, 01153335, 01153383, 011533CA
Specified HeapBase (%p) invalid, Status = %lx, xrefs: 01153344
Specified HeapBase (%p) != to BaseAddress (%p), xrefs: 01153392

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
API String ID: 0-2224505338
Opcode ID: d174c3ca4b0c681b4567e067e0741753f6928dc6b20b0d8c21df0fa1c5b3a8d5
Instruction ID: 833bc2d4547a4ea57bacd3d5c4f4ee22f94e11fa87a490bb8ee7acc350c4fb8d
Opcode Fuzzy Hash: d174c3ca4b0c681b4567e067e0741753f6928dc6b20b0d8c21df0fa1c5b3a8d5
Instruction Fuzzy Hash: AD516C32220645EFD769EB99D854EAA77A4FB04FB0F048429FC669B311C7B1D840CB11

Uniqueness

Uniqueness Score: -1.00%

Function 010BA309, Relevance: 8.2, Strings: 6, Instructions: 687COMMON

Download Yara Rule

Strings

(LONG)FreeEntry->Size > 1, xrefs: 0110213C
HEAP[%wZ]: , xrefs: 01101E88, 01101F71, 01102124, 0110225C
(!TrailingUCR), xrefs: 01102274
((LONG)FreeEntry->Size > 1), xrefs: 01101F89
HEAP: , xrefs: 01101E95, 01101F7E, 01102131, 01102269
(UCRBlock != NULL), xrefs: 01101EA0

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: d5902e7eb783ae186baca9563a3945d1629aa0d197f1846d3a6c161d96ba3470
Instruction ID: 94c68021a6ab76b47ef66e1f3467cbc14344ccedc7a03cf1a8899df16f2db8b8
Opcode Fuzzy Hash: d5902e7eb783ae186baca9563a3945d1629aa0d197f1846d3a6c161d96ba3470
Instruction Fuzzy Hash: 1142EE31A08741DFD71ADF28C884AAABBE5FF98604F04896DF4C68B391D774D981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01152D82, Relevance: 7.7, Strings: 6, Instructions: 228COMMON

Download Yara Rule

Strings

Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 01153015
HEAP[%wZ]: , xrefs: 01152F3E, 01152FEB, 01153042
Just allocated block at %p for %Ix bytes, xrefs: 01152F5F
HEAP: , xrefs: 01152F4B, 01152FF8, 0115304F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0115305E
RtlAllocateHeap, xrefs: 01152DCA

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: dc1314b66a7347b058df8bc6284b5feb881a09a5b119f5beec85751b67a5488d
Instruction ID: 33c074fa5e2c630ada89685c506330db06f61f2cb99807dec756b22a83ad02f0
Opcode Fuzzy Hash: dc1314b66a7347b058df8bc6284b5feb881a09a5b119f5beec85751b67a5488d
Instruction Fuzzy Hash: 0C912432A10741DFDB6ADF68D450AEDBBF2FF49710F18801DE9A69B251C7729882DB01

Uniqueness

Uniqueness Score: -1.00%

Function 010B2430, Relevance: 6.7, Strings: 5, Instructions: 461COMMON

Download Yara Rule

Strings

Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 010FD3CC
, xrefs: 010B24C0
minkernel\ntdll\sxsisol.cpp, xrefs: 010FD3D6
Internal error check failed, xrefs: 010FD3DB
, xrefs: 010B24E4

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: 53b8f8f87625967483f183073170b4844f13522f9242126499bec596b255f55a
Instruction ID: 8721dc7927f9db37593a56b2177415ff1618da1f9ba51356626bbd2fc18739f4
Opcode Fuzzy Hash: 53b8f8f87625967483f183073170b4844f13522f9242126499bec596b255f55a
Instruction Fuzzy Hash: 91029B759083428BD761DF68C080BEFBBE0BF98714F04496EEAD997250E774E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 010A3D34, Relevance: 6.7, Strings: 5, Instructions: 435COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Allowed, xrefs: 010A3DC0
WindowsExcludedProcs, xrefs: 010A3D6F
Kernel-MUI-Number-Allowed, xrefs: 010A3D8C
Kernel-MUI-Language-SKU, xrefs: 010A3F70
Kernel-MUI-Language-Disallowed, xrefs: 010A3E97

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 753e5213a74e56d18428d00b5fc272d1f55bac121d3b11268086d9bf9699c75a
Instruction ID: eae03ec3e1ee054530741147d11a65ef38d5cdec66a892f4c84fd0b518fd2eef
Opcode Fuzzy Hash: 753e5213a74e56d18428d00b5fc272d1f55bac121d3b11268086d9bf9699c75a
Instruction Fuzzy Hash: F6F13976D40619EBCB11DFD8C980AEEBBF9FF48650F15406AE685EB250D7709A01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010940E1, Relevance: 6.3, Strings: 5, Instructions: 51COMMON

Download Yara Rule

Strings

, passed to %s, xrefs: 010F0469
Invalid heap signature for heap at %p, xrefs: 010F0458
HEAP[%wZ]: , xrefs: 010F043F
HEAP: , xrefs: 010F044C
RtlAllocateHeap, xrefs: 010F0468

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
API String ID: 0-188067316
Opcode ID: 5ced88f71992a32df759050cb33af9004fb25600bdebf08f18d5291e183afc99
Instruction ID: 57d1287bb19c216d04205dafd8d38701dcb1b91569ffb483ee9d6012036b4d9f
Opcode Fuzzy Hash: 5ced88f71992a32df759050cb33af9004fb25600bdebf08f18d5291e183afc99
Instruction Fuzzy Hash: 5F019072504641AEE3399769F41EFE677E4DB42F30F18807DF1894FA52CEE5A480D514

Uniqueness

Uniqueness Score: -1.00%

Function 010BA830, Relevance: 5.4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 011022D7, 011023E7
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 011022F3
HEAP: , xrefs: 011022E6, 011023F6
ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01102403

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 90273830c5f503f14cf5a86c0911e67bf4d356e93c8b9fa4c9bde9d0642910e9
Instruction ID: eb0d4f9ee7066916a8ac8ca5a60fa6d74d221a3b8de81026cbde7a0cc616dfe9
Opcode Fuzzy Hash: 90273830c5f503f14cf5a86c0911e67bf4d356e93c8b9fa4c9bde9d0642910e9
Instruction Fuzzy Hash: 84D1B074B04205DFDB29CF68C490BEAB7F1FF48300F158569D99A9B782E334A841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010BD1EF, Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01103513
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 0110344A
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 011034D0
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 0110348D

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 648611c1a7811c92c6cd2cd1c4264bd37663843e821603b702811c5d275cb0c4
Instruction ID: 746a0fead73f7772cb0e02b35775ccc04f0441d4caf35dab0c111d6e59405a80
Opcode Fuzzy Hash: 648611c1a7811c92c6cd2cd1c4264bd37663843e821603b702811c5d275cb0c4
Instruction Fuzzy Hash: 187101B19043459FCB11DF98C8C4BDBBBA8EF65768F444468F9898B282D734D588CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 010BA229, Relevance: 5.2, Strings: 4, Instructions: 183COMMON

Download Yara Rule

Strings

`, xrefs: 01101C8D
HEAP[%wZ]: , xrefs: 01101DD7
HEAP: , xrefs: 01101DE4
ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 01101DF9

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
API String ID: 2994545307-2586055223
Opcode ID: ddcd48f927eefced1dc7af6321d3c7100b051621497fe07b89b85c2f82d8b3cb
Instruction ID: f1fab62a94c129b41da81dff224d325d5094319e5d239d42440bc1afeba8fb9c
Opcode Fuzzy Hash: ddcd48f927eefced1dc7af6321d3c7100b051621497fe07b89b85c2f82d8b3cb
Instruction Fuzzy Hash: 7851F632605681AFE726EB6CC888FAB77E8FB80B50F040468F9918B2D1D765D800CB61

Uniqueness

Uniqueness Score: -1.00%

Function 011549A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01154A3D, 01154AB7
HEAP: , xrefs: 01154A4A, 01154A5D, 01154A5F, 01154AC4
This is located in the %s field of the heap header., xrefs: 01154AD6
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 01154A61

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 2994545307-336120773
Opcode ID: acca9fae5828034f5fc8fcfbcc440a631a8c0224411a6c948eb0214a53c7879b
Instruction ID: e06ff15592b4d4e42e1a8a353b1d0473ea4dd96e08a665b5eb3b2ce8a93789dd
Opcode Fuzzy Hash: acca9fae5828034f5fc8fcfbcc440a631a8c0224411a6c948eb0214a53c7879b
Instruction Fuzzy Hash: 6F316631600104EFD7A8DB99C889FA773E8EF05A20F154069F8A7CB690F771E880CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0109751A, Relevance: 5.1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

Strings

VirtualProtect Failed 0x%p %x, xrefs: 010F2811
HEAP[%wZ]: , xrefs: 010F27F7, 010F2834
VirtualQuery Failed 0x%p %x, xrefs: 010F284E
HEAP: , xrefs: 010F2804, 010F2841

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: 1860d09e9334fbefff19bb45ea3eb807ba542d02810a954f66bb69ad312b5765
Instruction ID: 946f8e9ef3841cf1c729eddc94c55781ead889efd488166ae378fbdd98d1ed3f
Opcode Fuzzy Hash: 1860d09e9334fbefff19bb45ea3eb807ba542d02810a954f66bb69ad312b5765
Instruction Fuzzy Hash: F4312632900244EFDB11DB49C895FEEBBB8EF44B30F144069F985AB250D7B0E840CE60

Uniqueness

Uniqueness Score: -1.00%

Function 01153518, Relevance: 5.1, Strings: 4, Instructions: 55COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01153548
HEAP: , xrefs: 01153555
May not destroy the process heap at %p, xrefs: 01153561
RtlDestroyHeap, xrefs: 01153571

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
API String ID: 0-4256168463
Opcode ID: 4f15616e2a78634bae3c12cbbcd2b99167a7fd83fe8b71b8a271732f02a7e893
Instruction ID: b9468e56bffbffb7f97088996272d8b00e61de5409c6b06c857fdbe8aa21f9e4
Opcode Fuzzy Hash: 4f15616e2a78634bae3c12cbbcd2b99167a7fd83fe8b71b8a271732f02a7e893
Instruction Fuzzy Hash: ED012632130601DFCB69EB699444FD677A8FB41B64F008459F8A69B241DBB1E840DA55

Uniqueness

Uniqueness Score: -1.00%

Function 010B99BF, Relevance: 4.3, Strings: 3, Instructions: 572COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01101550, 01101617, 011017BC, 01101905
HEAP: , xrefs: 0110155D, 01101624, 011017C9, 01101912
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01101572, 01101639, 011017DE, 01101927

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 1814c17715c778a74684d77d49abbf5aa3eb0e3f97187aebfc0df3d8eaf59526
Instruction ID: 0ba1f901a57b1b961d27473b0909ef301c1bb4889bcf369f1c1b83579f1768e0
Opcode Fuzzy Hash: 1814c17715c778a74684d77d49abbf5aa3eb0e3f97187aebfc0df3d8eaf59526
Instruction Fuzzy Hash: 7C222870A00246EFEB2ACF1CC494BBABBF5EF45704F148569E5868B381D7B9D981CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010BB477, Relevance: 4.2, Strings: 3, Instructions: 405COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01102973
HEAP: , xrefs: 01102980
(UCRBlock->Size >= *Size), xrefs: 0110298B

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 34153d13625494ebd9b7ec0ab7f24ead0523c86108b10eb854860ca89ca6d0f2
Instruction ID: ce26baf64a53ee84a643be6f2446a74be5e268c1526662f48d91833c9a2e2a5d
Opcode Fuzzy Hash: 34153d13625494ebd9b7ec0ab7f24ead0523c86108b10eb854860ca89ca6d0f2
Instruction Fuzzy Hash: EFE1AD70A00605DFDB2ACF68C894BBEBBB5FF48304F1481A9E4569B391D774E981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01098239, Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 01098263
FilterFullPath, xrefs: 010F2F2C
\??\, xrefs: 010F2E2A

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 522bc4886de1a93b3bb3f1b2c63f874205758d48b4009b5e756c5826582e6bc8
Instruction ID: 2f9614d8336f6dbeb0c6e793d9b4ca05ed67af13ac4af5a107567b59496c5361
Opcode Fuzzy Hash: 522bc4886de1a93b3bb3f1b2c63f874205758d48b4009b5e756c5826582e6bc8
Instruction Fuzzy Hash: D4A15B319116299BDB71DF68CC89BEDB7B8EF44710F1041EAEA48AB250D7359E84CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010CAC7B, Relevance: 4.0, Strings: 3, Instructions: 205COMMON

Download Yara Rule

Strings

RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0110A0CD
HEAP[%wZ]: , xrefs: 0110A0AD
HEAP: , xrefs: 0110A0BA

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
API String ID: 0-1340214556
Opcode ID: 08c1c77bb2e0b9c4a4ffb22e714e4d27bd32f1a1f04ca051f6b87e2e5d90fc11
Instruction ID: a3b2bec7241da8d4cdb757abc6afbd538fbfa3f81a61b517b917080b742bba38
Opcode Fuzzy Hash: 08c1c77bb2e0b9c4a4ffb22e714e4d27bd32f1a1f04ca051f6b87e2e5d90fc11
Instruction Fuzzy Hash: A4810831704649EFD726DB68C894FADBBF4FF04B14F0441A9E59287292E774E940CB11

Uniqueness

Uniqueness Score: -1.00%

Function 011423E3, Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 0114254F
HEAP: , xrefs: 0114255C
Heap block at %p modified at %p past requested size of %Ix, xrefs: 0114256F

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 59efdb22152a508897ea64420033439e44ab639f8470fcad11972d41f5723d41
Instruction ID: f4bc1b0dc1e67ef6b3c62d585e1b4811caad1eadfd587e025f01dc73aac68543
Opcode Fuzzy Hash: 59efdb22152a508897ea64420033439e44ab639f8470fcad11972d41f5723d41
Instruction Fuzzy Hash: AC5103342002508BE33CDA2EE8547B27BF1DB45A44F5A8859F8C68F285D779D8C3DB61

Uniqueness

Uniqueness Score: -1.00%

Function 010BEB9A, Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 011042A2
HEAP: , xrefs: 011042AF
RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 011042BA

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
API String ID: 0-1596344177
Opcode ID: 50bfa018aa813ab3274c089ae8e6fffc95ef658df71aebe96ff5a17af0211e71
Instruction ID: c27e3a554bea79b79412a2c2b9197a2a7fae94b7886db13eab4169c028f6373c
Opcode Fuzzy Hash: 50bfa018aa813ab3274c089ae8e6fffc95ef658df71aebe96ff5a17af0211e71
Instruction Fuzzy Hash: 8051DE31A00519EFDB19DF58C4C4AEABBF1FF85310F2581A8E9859B342D771AC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010BB8E4, Relevance: 3.8, Strings: 3, Instructions: 69COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01102C8A
HEAP[%wZ]: , xrefs: 01102C72
HEAP: , xrefs: 01102C7F

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 404ea6d37a9420ffaccf1dd361afa99250710237b4037aaebd2cb7304b5bc85c
Instruction ID: 41293d1ce7461d6e212cc4416c64af3404589720b11f34e84991c241152722ae
Opcode Fuzzy Hash: 404ea6d37a9420ffaccf1dd361afa99250710237b4037aaebd2cb7304b5bc85c
Instruction Fuzzy Hash: 1711D331704502AFEB6DE619C4D4FB9B7A5EB80A20F148469E0C6CB251DB70D880D745

Uniqueness

Uniqueness Score: -1.00%

Function 010ABA00, Relevance: 3.1, Strings: 2, Instructions: 614COMMON

Download Yara Rule

Strings

.mui, xrefs: 010ABC37
$, xrefs: 010ABA68

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: $$.mui
API String ID: 0-2138749814
Opcode ID: 074b033624423172de34cc8523b3f562f7f8f98c05bcfb026967ef1bd78693a2
Instruction ID: ff9715b7ff4fde939429eed8de7e0d464346ff2f5cd909ba65c58b81377a56cd
Opcode Fuzzy Hash: 074b033624423172de34cc8523b3f562f7f8f98c05bcfb026967ef1bd78693a2
Instruction Fuzzy Hash: B9425C71A02669DFEB61DF98CC40BEAB7B8BB48310F4041DAE54DA7252DB319E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0115E539, Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

`, xrefs: 0115E5D7
`, xrefs: 0115E670

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: b2cdeb8d5a8d46456bee372feb19d3934a43845a107953c339dd10765198fb64
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 1C9191716057429FE768CE29C840B57BBE5AF84714F14892DFAA5C7280E774EA04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011151BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON

Download Yara Rule

Strings

Legacy, xrefs: 01115226
UEFI, xrefs: 0111521D

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 22ec621408a7e48eabb91dc5a5d246f2e4cbff9234837efd4390287ae776b900
Instruction ID: 8943a7a3ea790fea6f37bffdd0ceaf41d735525d4d81cb915ac44dc11ee8ec1c
Opcode Fuzzy Hash: 22ec621408a7e48eabb91dc5a5d246f2e4cbff9234837efd4390287ae776b900
Instruction Fuzzy Hash: 92517C71E14609DFDB68DFA8C880AAEFBF9FB89700F14402DE649EB245D7709901CB10

Uniqueness

Uniqueness Score: -1.00%

Function 01094439, Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

Flst, xrefs: 01094476
0, xrefs: 010944A3

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 21b8545b287cb6f9489b194334113ef6638d9840319ed66929c85f775fcb128f
Instruction ID: d88c011e60d9f4d4a2e4c85d988c2edbc64997f91f89efefc8d6a7a0987770c2
Opcode Fuzzy Hash: 21b8545b287cb6f9489b194334113ef6638d9840319ed66929c85f775fcb128f
Instruction Fuzzy Hash: D04178B1A00248CFDF25CF99D6946AEFBF5EF84314F14806ED18ADB646DB319846CB80

Uniqueness

Uniqueness Score: -1.00%

Function 010AC1C0, Relevance: 2.1, Strings: 1, Instructions: 876COMMON

Download Yara Rule

Strings

MUI, xrefs: 010ACB6D, 010ACE47

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: ee7c40f13c96f3c15cfc8bd4dbfb2b2d01d036861046b83d2b9056a13b5c5941
Instruction ID: 9b5b91be38da76bd8c0053fc99f7c788134c7a47839733014a667df0f51b9cf7
Opcode Fuzzy Hash: ee7c40f13c96f3c15cfc8bd4dbfb2b2d01d036861046b83d2b9056a13b5c5941
Instruction Fuzzy Hash: AF72AD75E00219CFEB65CFA8CA807ADBBF1BF48310F5581AAD999AB341D7309985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0113EB8A, Relevance: 1.8, Strings: 1, Instructions: 599COMMON

Download Yara Rule

Strings

@, xrefs: 0113F10A

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: a3a5afa08e33b98011b5c73e0eda5a5366d4898130815006f71bdaffb3af54e7
Instruction ID: c22ddabc17cac72bb9b6c26728af37ab27bcfd6f06145060a5f31e26afe98a0e
Opcode Fuzzy Hash: a3a5afa08e33b98011b5c73e0eda5a5366d4898130815006f71bdaffb3af54e7
Instruction Fuzzy Hash: CF32C274605762DBEB2DCF2DC094376BBE1BF85300F08845AE9968B28DD335E456CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010BB944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010BB9A5

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: b8298a7693aeade1e8c4a9976e3470be3fe803bcbc18864c2255a40d4b74115c
Instruction ID: cb746bc433c451334552403bce0b3b6da8d4d3933f657673d1e71464fad7ec28
Opcode Fuzzy Hash: b8298a7693aeade1e8c4a9976e3470be3fe803bcbc18864c2255a40d4b74115c
Instruction Fuzzy Hash: 63515771A08301CFC725DF2CC4C096ABBE9FB88604F6489AEEAD597355D771E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 010C65A0, Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

;\[%, xrefs: 010C67FE, 010C6818, 010C6822, 010C6834, 01107D34, 01107DA2, 01107DB0, 01107E21

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: ;\[%
API String ID: 0-1904420784
Opcode ID: 9a7969ee519e5894c6a5d5341aececbc87de3a46c6f007bb0b90ca4637fed3fb
Instruction ID: 78a3322580ad38cabe6c46897b51bc4e055f717e5dabb6fcf8df22e25b697daa
Opcode Fuzzy Hash: 9a7969ee519e5894c6a5d5341aececbc87de3a46c6f007bb0b90ca4637fed3fb
Instruction Fuzzy Hash: 7CE17F75A00205CFDB19CF59C880AAEBBF1FF48310F54826DE995AB395D734E985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010C2581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON

Download Yara Rule

Strings

PATH, xrefs: 010C2642, 010C2691

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 48c82bcc4cfdeff74b2336c2489300b81e3e805441f4fa9e04cbd93008c74359
Instruction ID: e1bcb371d1ecb3b9929ed267d6762de7f6aa5b058e203dde0959e3d7a9d0d43d
Opcode Fuzzy Hash: 48c82bcc4cfdeff74b2336c2489300b81e3e805441f4fa9e04cbd93008c74359
Instruction Fuzzy Hash: A8C17D71D10219DBDB29DF98D880BEEBBB1FF48B00F45812DE581AB690D774A941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 010CFAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0110BE0F

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: 3a85fd5514cd015366b549222e9d95e4cd885f26129054b81bb35db68079fa95
Instruction ID: 3890288757db6f644265f3ecdf9c9b2b71a697f242aec1b745de8465d6322da9
Opcode Fuzzy Hash: 3a85fd5514cd015366b549222e9d95e4cd885f26129054b81bb35db68079fa95
Instruction Fuzzy Hash: 8FA10635B0060B8BEB2ADB68C4907BEB7A6AF44B10F04457DE996DB6C0DB70D841CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01092D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 010EFA4A

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 284cfda52c273a6cc62ab1823c045fb04a6ba02739d47831a2320d3f85395bef
Instruction ID: 5048c4a8aa739eb2237667ad8c23c0685053910cd4404b7b057900b718cb7f53
Opcode Fuzzy Hash: 284cfda52c273a6cc62ab1823c045fb04a6ba02739d47831a2320d3f85395bef
Instruction Fuzzy Hash: 51615571A01606AFEF32DF6DC898BBEBBE5EB40314F1842A9D9D19B2C1C7349940C781

Uniqueness

Uniqueness Score: -1.00%

Function 010CF0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

@, xrefs: 010CF124

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: b965941025df521587b8a998d574da30b7e578c2a66dbc7be697cd15083159e9
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 89518D71504711AFC321DF59C840AABBBF9FF88B10F008A2DFA9587690E7B4E944CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01113540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 0111358F

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 9ee1f4dabc02d04065af961e9a8bd52852dc25d3b71b4341330e03c867ff3894
Instruction ID: f3c0be8a097c61f5a64e1ceb8553e8d3640d9787045aca9c01a60c08a289f958
Opcode Fuzzy Hash: 9ee1f4dabc02d04065af961e9a8bd52852dc25d3b71b4341330e03c867ff3894
Instruction Fuzzy Hash: FB4142F1D1062D9BDB25DA54CC80FEEB77CAB44728F0045A5EA59AB244DB309F88CF94

Uniqueness

Uniqueness Score: -1.00%

Function 011605AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

`, xrefs: 01160633

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: d563d1555d603baebb18a071b3320ac4a6ef2319e9f11477949b6bd553f4c95c
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: 6331F332204306ABE714DE28CD84F977BDDABC8754F144229FA589B2C0D771ED24CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010C4020, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 010C40E8

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
API String ID: 0-996340685
Opcode ID: ec5bac88e064ca8516fc50306bd34d9afe704338b53d8cd806f4c3082c15ee10
Instruction ID: 5a0c0e028bc7b182c522fb36ba227199130d1d5cac30a7b4f152ac66cd3ee2b8
Opcode Fuzzy Hash: ec5bac88e064ca8516fc50306bd34d9afe704338b53d8cd806f4c3082c15ee10
Instruction Fuzzy Hash: 08417F75A0074A9AD725DFA8C4506EEF7F4FF59700F10492EDAEAC7240E370A544CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01113884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 011138B4

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 3fdf02085358d3afbb02e6ebac1d69a3382288b185658a776fdfbedbbe5c4b27
Instruction ID: 5e5f68cdd9edc4c000da9c9bc25c95fd1fb3701e556e2fe167c4b34abc189998
Opcode Fuzzy Hash: 3fdf02085358d3afbb02e6ebac1d69a3382288b185658a776fdfbedbbe5c4b27
Instruction Fuzzy Hash: 9331F472D0050AAFEB19DA58C945EABFB75FB80730F024179E964A7288E7309E00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 010CD294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 010CD303

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d4bcd0bafeec902af3435a7ca91e519a22ff4976c21bc32071b10e71617b01f0
Instruction ID: 6dc888924a31756ea3c8357f69e03e67ae8457d0d96239cd90f914da42c17c0d
Opcode Fuzzy Hash: d4bcd0bafeec902af3435a7ca91e519a22ff4976c21bc32071b10e71617b01f0
Instruction Fuzzy Hash: F0318BB1508305AFC361DF68C9809AFBBE8EB99A54F00492EF9D483250D634DD04CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 010A1B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

WindowsExcludedProcs, xrefs: 010A1BC5

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 11caa669b1872d6b6881efbf28135de545bd5759633daefd2ec7eb8aace779df
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 4221073A60022DEBDB229A99C880F9FBBADEF55A50F454465FE848B200D630DD00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 01148DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Critical error detected %lx, xrefs: 01148E21

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 5e7a563fc0a9a6d8140a36f7454ae56a32e5c07223be287964c40210297f36c7
Instruction ID: 75e007fff2464f4efef59e386d47f9d7ac7ca523460c029389464fe240e530db
Opcode Fuzzy Hash: 5e7a563fc0a9a6d8140a36f7454ae56a32e5c07223be287964c40210297f36c7
Instruction Fuzzy Hash: F8112371D54348EBDB29DFE985097ECBBB0AB14B14F24426EE5A9AB282C3344602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 01165BA5, Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fee454a81cd7ef1db76acf0c9e793a76fe5d08b876e758cd1ed9c8a3842371
Instruction ID: 4024f4447131f806c02a322911a3e07e2e02e0ee4d653f3ebefab4a23c00554f
Opcode Fuzzy Hash: 61fee454a81cd7ef1db76acf0c9e793a76fe5d08b876e758cd1ed9c8a3842371
Instruction Fuzzy Hash: C9426B71900229CFDB68CF68C880BA9BBB5FF49304F1581EAD94DEB242D7359995CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01155A4F, Relevance: .6, Instructions: 581COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ca3a619104585e836179e21b7cd3b58713aca807adf43c23b3b8c252c9e4b78
Instruction ID: a12725a02d55cb6cbd62080141eaaa8ab75e778311c19f6f3bc029185d058e63
Opcode Fuzzy Hash: 4ca3a619104585e836179e21b7cd3b58713aca807adf43c23b3b8c252c9e4b78
Instruction Fuzzy Hash: E1227035A00216CFDB9DCF5DC4906AEB7B2FF88314F29856DD961AB345DB30A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 011560F5, Relevance: .6, Instructions: 558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7820846bd10907b511efb6431a96e706c7b418292ad3bf68fe71dfd60c09c2fb
Instruction ID: 0009be0e86c3141fbb5969f81b1e8634b20e76e1c9ac46659023a53f0f126c4e
Opcode Fuzzy Hash: 7820846bd10907b511efb6431a96e706c7b418292ad3bf68fe71dfd60c09c2fb
Instruction Fuzzy Hash: 76228E75604211CFDB5DCF18C490A2AB7E2FF88314B548A6DE9A6CB395DB30E846CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 010B4120, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc08e32f6cb492313c3f68b4c0f1d516f973713022601875c9a8da69ea79a07
Instruction ID: 8ae4021dcb4d241deea2f08c05d86adbfee00327d169d3c06d7abfd206a2dc8c
Opcode Fuzzy Hash: dfc08e32f6cb492313c3f68b4c0f1d516f973713022601875c9a8da69ea79a07
Instruction Fuzzy Hash: C0F17D706082118FC764CF19C481ABAB7E1FF88714F45896EF5C6CB662E738D991CB52

Uniqueness

Uniqueness Score: -1.00%

Function 010C20A0, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a219b4d847f388c064ad1434e869520ea91984fb9781dd66218e4aeece68a534
Instruction ID: 133570c7bef88f14b1560dddb7db6587bda00389d5a2b87a2405e4f5baef1198
Opcode Fuzzy Hash: a219b4d847f388c064ad1434e869520ea91984fb9781dd66218e4aeece68a534
Instruction Fuzzy Hash: FBF1F131A083419FEB6ACB2CC84076E7BE2AFD5B24F04856DE9D59B681D774D841CF82

Uniqueness

Uniqueness Score: -1.00%

Function 01096800, Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57f66ebee07f727942950a47fc502bf2cf1384d6301e05889355384cbbc17b45
Instruction ID: 386a753b72fa0a65852c7fe23088045b91fc042e85a651a9a14acb5c2d1e1266
Opcode Fuzzy Hash: 57f66ebee07f727942950a47fc502bf2cf1384d6301e05889355384cbbc17b45
Instruction Fuzzy Hash: 6CD1A171A0020ADBCF14DF68C8A1AFEB7E4AF05314F04826DEA96DB690F735D985DB50

Uniqueness

Uniqueness Score: -1.00%

Function 010AD5E0, Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2628d93e3447d5898f48a13d6f70b068dc532da9f5830ca535a08ed88c5b6b6
Instruction ID: d9f5e125ba370ba4293ef09683e6b40c9a5a45760b47527c9eabc063de6f430f
Opcode Fuzzy Hash: c2628d93e3447d5898f48a13d6f70b068dc532da9f5830ca535a08ed88c5b6b6
Instruction Fuzzy Hash: A8E1B330A003598FEB79DF98C944BADBBF2BF45304F4441E9DA895BA91DB30A981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01093ACA, Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b0d7877be799e5165d148a99942b76681f940c2ff6123fdae1b3b9c451f94b
Instruction ID: 1993c6a91b70ebc0fec0a335f6173d47c64d6dbb370b719e511d090d18ad7b86
Opcode Fuzzy Hash: 26b0d7877be799e5165d148a99942b76681f940c2ff6123fdae1b3b9c451f94b
Instruction Fuzzy Hash: A7E10F70D01608DFCF65DFA9D9A4A9DFBF2BF48300F20456AE596AB661D730A841DF10

Uniqueness

Uniqueness Score: -1.00%

Function 010BB236, Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction ID: 055facd3320631afbb0ede74bd13645617a32467d8e4fc6867d302d1c20b38cb
Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
Instruction Fuzzy Hash: 7CB1D235B006069FDB2ADBA9C8D4BFEBBF5AF84604F144169E682D7381DB74DA01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010C513A, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88c7b79381b7b87e2d0237b906d9990a9ba2182e7a139b2ae65ffab5bf11f08
Instruction ID: 436dcd273ec324edc512ffc845387bffdad6559ff2e93b1b5a3673d38e20ec16
Opcode Fuzzy Hash: c88c7b79381b7b87e2d0237b906d9990a9ba2182e7a139b2ae65ffab5bf11f08
Instruction Fuzzy Hash: 0CC112756083818FD359CF28C480A5AFBE1BF89704F148A6EF9D98B392D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 010C03E2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8290f58eb81ae4b76385862be582cb8d9eae299cf0d41518b94d6f26a967780
Instruction ID: 6ed8a6335fd3a7d36a85cbee05f3d406b26ed431315a4ba4d066ee30eadf6fdf
Opcode Fuzzy Hash: f8290f58eb81ae4b76385862be582cb8d9eae299cf0d41518b94d6f26a967780
Instruction Fuzzy Hash: 28916C75E00215DFEF369B6CC884BAEBBE4AB11B24F050265FB90A72D5DB749D40CB81

Uniqueness

Uniqueness Score: -1.00%

Function 010CDA88, Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6878e2138693174390eac24e5ca1958d7b893dd709b94c0c330e9e641367aab6
Instruction ID: ae8cb7c0dd3e3f42e7d0a027f986cccb7f10fca3bed4b4e60b6046060cd4161a
Opcode Fuzzy Hash: 6878e2138693174390eac24e5ca1958d7b893dd709b94c0c330e9e641367aab6
Instruction Fuzzy Hash: 1EA16B74A04206CFDB69DF98C4807ADBBE0BF48754F1485BDD9A19B292D771D882CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01095AC0, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff141f5ad7936c3fda699c2c650aed6b4aa32bbcc0d320827852ea6b1125e3d0
Instruction ID: d0710803121b8b00d282e1580f653f1a869fc92d5e18b7c6ff6c83e9674acbd0
Opcode Fuzzy Hash: ff141f5ad7936c3fda699c2c650aed6b4aa32bbcc0d320827852ea6b1125e3d0
Instruction Fuzzy Hash: 7881E3B1A002198BDF658A68CC51BEE77B8EF44314F0441EEDB85E3681EB74DAC18B94

Uniqueness

Uniqueness Score: -1.00%

Function 010C138B, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: eb4474c4fe65da0df2779c0c355ddf6bdf85fea01761ec4a4167280a07b31952
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: 48817B75A00645EFCB29CF68C440AAABBF5FF49300F14856DE996C7692D730E941CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0115B2E8, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4ee84f726e1f3c231ae5d79eafcaa39eea05134e7ec358f348d9b6f814b855
Instruction ID: dc557b9ff0221a557229d5c0650d2c92fdcfc16db2521c19084a5ac2d8b4c2e9
Opcode Fuzzy Hash: 6b4ee84f726e1f3c231ae5d79eafcaa39eea05134e7ec358f348d9b6f814b855
Instruction Fuzzy Hash: 8E71E172208341EFD799DF68C980A6BBFE9EF88744F044829FDA59B211D730D404CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0112B8D0, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecb2de60f6eb856c4fca86d103e0a2c7729a1a0a1fa181c7caa15209b9f98bf
Instruction ID: 81595c596626ba7e76349bfd8043d03b0313aa0582da7d787b6835ef2e1b9bad
Opcode Fuzzy Hash: fecb2de60f6eb856c4fca86d103e0a2c7729a1a0a1fa181c7caa15209b9f98bf
Instruction Fuzzy Hash: 66711372204B12EFEB3ACF18C840F96BBE5EF44724F154528E6958B2E0EB71E950CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01116DC9, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 2087f70cd68244c3719ff94b6b870b94302cf8c76ac312b3cff4499f7ca5c051
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 47717B71E0021AEFDB15DFA8C984AEEFBB9FF48714F104569E505E7290DB34AA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010AF370, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9495cedef18c57e0cb2b6d647de55e07f30efab707bffaaee58e5c30eee6d95f
Instruction ID: a8df4a68efb61b833988063a4b2060f52a9c2d039af4047727be6f65d452cca1
Opcode Fuzzy Hash: 9495cedef18c57e0cb2b6d647de55e07f30efab707bffaaee58e5c30eee6d95f
Instruction Fuzzy Hash: 1761E132A042169BCB65CF9CC4807AEBBF1EF85710B9881A9E995DF345DA34D942CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0109395E, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ee7715a1ccfda725d14cf1bec6fe93515a9478ae7963192eff9e60b19931bd
Instruction ID: da7ee46a179c9dbdb69245ee21494f1fdb547ba58d1d89a22725f023edd14dac
Opcode Fuzzy Hash: b9ee7715a1ccfda725d14cf1bec6fe93515a9478ae7963192eff9e60b19931bd
Instruction Fuzzy Hash: 94518171A007469FDB24DFA9C894BAEB7E9FF54309F10846DE1868BA11C778E844DF80

Uniqueness

Uniqueness Score: -1.00%

Function 0109B171, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09fc43f0e238aa7030c4ec386689dd360b66498353f296b429acc306084f96c
Instruction ID: 493e60e4d19b1c2d58dffcb6965e2805f4a46e73e7b400843df374438373175d
Opcode Fuzzy Hash: f09fc43f0e238aa7030c4ec386689dd360b66498353f296b429acc306084f96c
Instruction Fuzzy Hash: ED51E271E042598EDF21CF68C846BAEBBF0AF00710F1441ADDE99DB682D7754945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010C95EC, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2be2c4ff7f58b9ff1d81179164e4f489614bafe290bcf3b41f5e91d7ac3a9b0
Instruction ID: 991acac04f187e039be60eef25c82855338a48487a53c4113e97e32d452eac1f
Opcode Fuzzy Hash: a2be2c4ff7f58b9ff1d81179164e4f489614bafe290bcf3b41f5e91d7ac3a9b0
Instruction Fuzzy Hash: 0651CE71E0060AAFDB1ADF68C854BBEBBB4BF58B18F00416DE556972E1DB749910CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0115B581, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5df66b6ae901766e5b6c7305255c7be52b40a4375bc329ddcb900e060b3a8502
Instruction ID: ebaa194670fae4f7953f1a018ff2ee828cec42c6440ac284e1824a4cfc5ce690
Opcode Fuzzy Hash: 5df66b6ae901766e5b6c7305255c7be52b40a4375bc329ddcb900e060b3a8502
Instruction Fuzzy Hash: EA51F531608742CFE39DDF28C550BA6BBE6BF50308F090569ED658B290EB34D805CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 010952A5, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f73411d2e22fb2f386c48b90a7c66e8901b64cdfbb3c8982d3d7c1da8bc10ec
Instruction ID: d2dc138598ef5a56cfd7a2f3025248c9f09a29fd12274ea03b2c1831daff0035
Opcode Fuzzy Hash: 2f73411d2e22fb2f386c48b90a7c66e8901b64cdfbb3c8982d3d7c1da8bc10ec
Instruction Fuzzy Hash: 2A51EF301053429BD722EF68C841B6BBBE5FF90710F10495EF5D587A92E770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 010C2AE4, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b803a94f1d9be4c92cf12b80beb3a3e46f594082768ca7786bf6bd222a20391f
Instruction ID: f04dffa84f37b87badd7f7e008d621cb523e097f857efacea3e35c20b2668881
Opcode Fuzzy Hash: b803a94f1d9be4c92cf12b80beb3a3e46f594082768ca7786bf6bd222a20391f
Instruction Fuzzy Hash: 9051B276A00115CFCB18DF1CC8909BDB7F2FB88B00719856EE896AB755D730AA91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0115B0C7, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d777d61dabd71478ddf9a70938e76715b0161c3a1fbd354b98ffe1f290b364
Instruction ID: 0a3712d6c95cfb26535c7d89028ebe6f64e3e4bd4112c057a3b262d5bac6110e
Opcode Fuzzy Hash: 48d777d61dabd71478ddf9a70938e76715b0161c3a1fbd354b98ffe1f290b364
Instruction Fuzzy Hash: 4A510972A04208EFDB59CF58DC80BEEB7B6EF44314F058569ED25AB280D774AA04CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010C3C3E, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e5efc1e00cca91d10a375736ee7c8dea2298202d6f995d683bbb1c0e540180
Instruction ID: f4912edd1776a6097ba5a7ad0d4a085a8a96ff1a0154f16529c1544fd6769e20
Opcode Fuzzy Hash: 63e5efc1e00cca91d10a375736ee7c8dea2298202d6f995d683bbb1c0e540180
Instruction Fuzzy Hash: DC51A071618341AFC705DF28D880AAEB7E8FF88624F14892DF899CB281D770D905CF92

Uniqueness

Uniqueness Score: -1.00%

Function 010BDBE9, Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272649a139512a7fabaef68717cd37229bb212b22192790c5ad51953cd0bfb51
Instruction ID: 9dcb7f6dbfef838a6a1ed2aee0a7ad5493efa5bce6c5c42fa8bf3a56f35d5379
Opcode Fuzzy Hash: 272649a139512a7fabaef68717cd37229bb212b22192790c5ad51953cd0bfb51
Instruction Fuzzy Hash: 9E519B71A0060ADFCB19DFA8C4D0AEEFBF1BB58318F20815AD595A7341DB71A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0116740D, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: 4b3519acf6e1d61ebbd733bef6b483015cd8f403fabea45f85d5c3bb3ab4adca
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: CB51A071600646DFDB1ACF18C480A95BBB9FF45308F15C1AAE908DF252E772E956CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010D4D51, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
Instruction ID: db02b2e823431b877490de1c9db0f8ec3f2778494a3b62407de2ef477bb8f5fc
Opcode Fuzzy Hash: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
Instruction Fuzzy Hash: 3C514635E00219DFCB55CF88C480AADB7B5FF88714F2481A9D895EB791D730AE82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010C2990, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89dff6e67ae606ef0f4f9bd98cd6bd6cc389ffdf4fb0a582b0c2de91a50e8c68
Instruction ID: f3a3372379eb47862a478186dc8918d78705e7235c95396f8d36ee0b4cfd39b3
Opcode Fuzzy Hash: 89dff6e67ae606ef0f4f9bd98cd6bd6cc389ffdf4fb0a582b0c2de91a50e8c68
Instruction Fuzzy Hash: 4D516A7190020ADFDF26DF99C880ADEBBB6FF48B50F058169E951AB660C3719D52CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01095050, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc19a065fd73ef3c9b80448e4b0a3543c2c90ee821640ac3a84f892050fdd79
Instruction ID: 6a3a4bc4c81c0147c1af8452060b0d2ad91fdb401ccb821279e1f9825c50de46
Opcode Fuzzy Hash: ccc19a065fd73ef3c9b80448e4b0a3543c2c90ee821640ac3a84f892050fdd79
Instruction Fuzzy Hash: DB4102766043029BC725EF29CCA0BAABBA5AF94710F10492DFAD58B682E730DC41C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 010C4BAD, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fd54af430378505a1d4489c2bc0da06776a426fc48a3f7c1b9c59a3b01992f
Instruction ID: 9f406041a410e890f5f351df34bd82aceef440b95e06f79e61516168b4c3db36
Opcode Fuzzy Hash: 02fd54af430378505a1d4489c2bc0da06776a426fc48a3f7c1b9c59a3b01992f
Instruction Fuzzy Hash: 2C41A035E406299BDB61DF68C980BEE77B4FF55B00F0100A9E948EB291DB749E80CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010C4D3B, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac936582495af1b5dc55c933342bf75f9dd06c2dae5ddd8b1576a62af885d9b9
Instruction ID: 6428498e435bac6db50fd7a0c5f6b81a0317ba78a36d237680a9b64ebe765a20
Opcode Fuzzy Hash: ac936582495af1b5dc55c933342bf75f9dd06c2dae5ddd8b1576a62af885d9b9
Instruction Fuzzy Hash: CA41CE71A403189FEB229F18CC90BAEBBA9FB54B10F0140ADE985DB281D7B0DD40CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010BF86D, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97983e39d2c32cd8f2318056c86a240d1a3ec9239fd5afc09910933c30245baf
Instruction ID: 1d42ca1ee66c8603dd516d7709905788f610766e28236596bbf47f0d0eaeaecc
Opcode Fuzzy Hash: 97983e39d2c32cd8f2318056c86a240d1a3ec9239fd5afc09910933c30245baf
Instruction Fuzzy Hash: FB41A0B1A00207EFEB269FADCCC0BEEB6B5BF58754F14041DE580E7291D77598408B60

Uniqueness

Uniqueness Score: -1.00%

Function 01126365, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction ID: 8aec7f4f3f40b8300d6b68f0f94667da4d0b14f2a0ab5ebf1219f328d5ea3860
Opcode Fuzzy Hash: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
Instruction Fuzzy Hash: E441D336600165EBDB19DF68CC50BAF3B79EF44710F1A8168EE469B291D730DD11C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 01091AA0, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
Instruction ID: 945dee01a5f680068c8647cd3e952b76f9061e1d29da76602a8e7471015b9174
Opcode Fuzzy Hash: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
Instruction Fuzzy Hash: 90413071B00606EFDB24CF99C990AAEB7F5FF18310B1045ADE596D7650E330EA44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 010A0100, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4cfc11e6a4db83b77d155da46c651d7eb7a642cca6a2ee5d8701b21079dab19
Instruction ID: 6adc8cf2b7f64ccbaf04ee6290e707630a34edc49d5f90f3ff397cba0e794693
Opcode Fuzzy Hash: a4cfc11e6a4db83b77d155da46c651d7eb7a642cca6a2ee5d8701b21079dab19
Instruction Fuzzy Hash: EE41E231944209CFDF65DFA8C8917EE7BF0FF14314F484269E5A1AB29AC335A980CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010A8A0A, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087ccca32968fe2d6847d11eddcc67926c8157aac7acdf22c6b1bfb7ea4350e5
Instruction ID: c561a584d1ae11161e7632f671e0a8440c2b6bbd4cfcb92cc2cae41cc22a30e4
Opcode Fuzzy Hash: 087ccca32968fe2d6847d11eddcc67926c8157aac7acdf22c6b1bfb7ea4350e5
Instruction Fuzzy Hash: 9E4182B0A0032D9BDB64DF99C898AE9B7F4FB94301F5081EAD95997242E7709E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0115AA16, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction ID: 8f65373313071e9b8d4124745c1c9052e7ac75c1cb27c70657b59d30b3ef4e7a
Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
Instruction Fuzzy Hash: 68312432F80105ABEB5D8B69D844BAFFBBBEFC0210F054569ED21A7281DB709D00C690

Uniqueness

Uniqueness Score: -1.00%

Function 010C99BC, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7b33badb9e3f0c11e935f964e8e2b0377a19887b8a4ce7f96f50e55f260de38
Instruction ID: 2b55d5e7e57da138b87dcb61e0a3b3d3b320cfa76662fbb9c39483ff9d3ea9f6
Opcode Fuzzy Hash: d7b33badb9e3f0c11e935f964e8e2b0377a19887b8a4ce7f96f50e55f260de38
Instruction Fuzzy Hash: 92418CB1501701DFCB65EF28C940A9DB7E6BF54718F5581ADC0869B2A1DB309A40CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0115FDE2, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: d1c8f406f39680677c6d6ca549da8d5cd577941cc60e49e8cefb151b15eca29e
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 8D314632300642EFD36E9B6CC844F6ABBEAEBC5640F094459ED668B742DB74DC02C761

Uniqueness

Uniqueness Score: -1.00%

Function 01097B70, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c7e77913f09298d660e6efa816e5e8752ea4022511d32bc6882213a82e161b
Instruction ID: e63c4079465fe9410c6ddd4ff254d45ab485188a179c94c187db11a21ac43122
Opcode Fuzzy Hash: 05c7e77913f09298d660e6efa816e5e8752ea4022511d32bc6882213a82e161b
Instruction Fuzzy Hash: 4931B5322242058BDF699E2DCD617AE37D9FF8165CF24845EEF9287111C731C881EE92

Uniqueness

Uniqueness Score: -1.00%

Function 0115EA55, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: e8e833e2e26f7e1997ab0078d7fc7ff6b3a339d1a7f274b28435f7aca2ab2458
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: F831A3726057069BC75DDF28C880A5BF7AAFFD0250F04492DF9A687641DF30E905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010AB433, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction ID: 34e81c13e877e5b0db6a2f60fd941668d423db76449b9a92e5e28ef3fefec434
Opcode Fuzzy Hash: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
Instruction Fuzzy Hash: 8D411732601645AFDB21CBECCC84BDEBBF9AF10340F0481A6E49997752C6749944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 011169A6, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736f102444f272f7529ee5db283a521e6ae0fcff600f49c4817801f66dc789e0
Instruction ID: 20c12a863e2cc477e9d7ac6aa46e74a762da75e79648a926932fc320a11d6fc5
Opcode Fuzzy Hash: 736f102444f272f7529ee5db283a521e6ae0fcff600f49c4817801f66dc789e0
Instruction Fuzzy Hash: 41416DB1D00209AFDB28EFA9D940BFEFBF4EF48714F14812AE954A7244DB759905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01095210, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8260367d4b41e6dacf928afd312291351fde22b3b60d0890a326e8d6dfd5ea66
Instruction ID: 531f5907bac93283d6c552aefa9e1415975662b4ad8338db9fea834140d44bc6
Opcode Fuzzy Hash: 8260367d4b41e6dacf928afd312291351fde22b3b60d0890a326e8d6dfd5ea66
Instruction Fuzzy Hash: 68311631641601DBCB26BB19CC92BAEB7A6FF50760F11866EF6D50B5D5EB30E800C690

Uniqueness

Uniqueness Score: -1.00%

Function 010D3D43, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c17acbf954ba088cf563b1ee3cba1e34c904ea4d369654227d6b15d189de4f6
Instruction ID: ab257fc59d7e34ba1827c5f44072292b91136b562dd7d2a86f5a73d0010914c3
Opcode Fuzzy Hash: 5c17acbf954ba088cf563b1ee3cba1e34c904ea4d369654227d6b15d189de4f6
Instruction Fuzzy Hash: 5C31B0B1A01715DBD7299F2ED841A6BBBF5FF45700B05846AE986CF390E770D840CB92

Uniqueness

Uniqueness Score: -1.00%

Function 010BC182, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: 4a6528f688779a4c5594be5ba2ea63f8c9491797c396588f8e62e50073bfe44c
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: 25312671A01647BFE709EBB4C5C0BEDFB98BF62204F04815AC49C97241DB356A19C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 01117016, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c76fd97e347cf834d5007d585164b6323a88d337b37ce0cc59f71ff839b42fa
Instruction ID: 18e13af98e4cad26d644974b3964914173ac4a634e9a3eb462f451047f48779b
Opcode Fuzzy Hash: 0c76fd97e347cf834d5007d585164b6323a88d337b37ce0cc59f71ff839b42fa
Instruction Fuzzy Hash: 5631A4726087519BC325DF68C940AAAF7E5BFC8700F054A29F995877D4E730E904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 010C53C5, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c4e9408c09dddc45a6a76c7f60f89ea862c9b800c087b578b73afbb2b0685f
Instruction ID: 56e2e933bd190f3edf8426d537da51a16147092c83c3ad07ad459cfb8517207f
Opcode Fuzzy Hash: 32c4e9408c09dddc45a6a76c7f60f89ea862c9b800c087b578b73afbb2b0685f
Instruction Fuzzy Hash: 4741E334B047458FDB26DFB8C8103EFBAE2AF62304F14452DC0D6A7281DBB56905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01143D40, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd1caebf204a1a7ea93e842e7a194ce25018bbe5d6dc88e182215eb05f9bae5d
Instruction ID: 586e244ba31bd49a2576bf85793712ad07a871469f15c79298c2f61c75be1e15
Opcode Fuzzy Hash: cd1caebf204a1a7ea93e842e7a194ce25018bbe5d6dc88e182215eb05f9bae5d
Instruction Fuzzy Hash: 2A318DB150A322DFCB28DF18D58055AFBE1FF85A04F45856EE4A49B251D730D904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01093880, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89e3539c4c7f569ecba314e3c2897ff2e98987531f2f027c24ee809840056d39
Instruction ID: aecb47746d6ceebe8d52e401f6cd50ee4a8ccde0320b3b2192eefd02018d182c
Opcode Fuzzy Hash: 89e3539c4c7f569ecba314e3c2897ff2e98987531f2f027c24ee809840056d39
Instruction Fuzzy Hash: 2F317232E0121AAFDB61DEA9C880BEFBBF9FF44750F014565E995EB250D6709A009BD0

Uniqueness

Uniqueness Score: -1.00%

Function 0115A189, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e5f89da3413a40ad42f9750fb9b4b42e9f1d79836e7d4a29d72cb5abfa0474
Instruction ID: d286d0197fd18af0cee555e03ac44c227f4207aa2365341e2abc7dd9de7c6b4b
Opcode Fuzzy Hash: 06e5f89da3413a40ad42f9750fb9b4b42e9f1d79836e7d4a29d72cb5abfa0474
Instruction Fuzzy Hash: 84313A31A80216EBC75D9F99E840BAEBBB9EF44750F014169F925DB340D770DD008B90

Uniqueness

Uniqueness Score: -1.00%

Function 010C61A0, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb6772dae487961c654a36fec072a1befad9731ae9de1ed32bfc2fa898a70cd9
Instruction ID: 4d201cb7dfcfd61915aa3d20adff2ef0a26bc9fe16ec1a652b9d43c2be612ea2
Opcode Fuzzy Hash: cb6772dae487961c654a36fec072a1befad9731ae9de1ed32bfc2fa898a70cd9
Instruction Fuzzy Hash: 03318E71A057018FE365CF5DC800B2ABBE5FB88B00F09496DE9D59B391E7B1E804CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0109AA16, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88aa875e6b5d1643704d6939d508e1041d7f32ce802102a7775d645275128a06
Instruction ID: 7bb413af8cffd29af70b99879946e0d34190b55e515f5e959e2fce2a888362e4
Opcode Fuzzy Hash: 88aa875e6b5d1643704d6939d508e1041d7f32ce802102a7775d645275128a06
Instruction Fuzzy Hash: 3E31C871A0021AEBDF159F64CD41ABFB7B9FF04700B05406DF981E7150EB74A951DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010D4A2C, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412b9cfb1f53cfe8b650f82ee5fb46ae3cd5e039924e238bd6aeebbf1b227183
Instruction ID: 576f46d62a71c111e5ba08f0ad872a960b061aff7d18a688331749a20137f97f
Opcode Fuzzy Hash: 412b9cfb1f53cfe8b650f82ee5fb46ae3cd5e039924e238bd6aeebbf1b227183
Instruction Fuzzy Hash: B03126326053529FC776EF5CC980B6ABBE4FF85714F50846DE8968BA41C770D801CB86

Uniqueness

Uniqueness Score: -1.00%

Function 010978D6, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a6e3358202fe57e4d6c011c4744451192f56deb94866768f281c596d07d196
Instruction ID: 24d34ee88cc41767fa7a8e064bde5e80b68c405209fda776697e2d9baf5a91d0
Opcode Fuzzy Hash: e9a6e3358202fe57e4d6c011c4744451192f56deb94866768f281c596d07d196
Instruction Fuzzy Hash: EC3134B2600600AFDB11CF18CC80B9ABBB9EF89650F188099F589CF342DA35DD41DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010CBC2C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5224b96313234c19e99720e2e12bffb396813bc285b6e54ec5fc4cd39c80ad
Instruction ID: c8e573fabba1ad02992dc871eb6d178ba19ef847d3c4301a8d98707e64fa3ddb
Opcode Fuzzy Hash: cd5224b96313234c19e99720e2e12bffb396813bc285b6e54ec5fc4cd39c80ad
Instruction Fuzzy Hash: 3C31FF32A006169BCB21EF58D4C17AE73B4FF18750F0480B8E995DB246E774D946CF81

Uniqueness

Uniqueness Score: -1.00%

Function 01099100, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 347833894a2d2879c9fce7f1d72fb83cdc2194776961652bbff9caed630d3841
Instruction ID: 04c743a5a5bf9d473d1258af9e1e40b09733dee1c0b9702bbf231d0421e7cb72
Opcode Fuzzy Hash: 347833894a2d2879c9fce7f1d72fb83cdc2194776961652bbff9caed630d3841
Instruction Fuzzy Hash: 8431D4B1A01345DFDF69DF6CC09879CBBF1BB48358F28819DC59467251C331A980DB51

Uniqueness

Uniqueness Score: -1.00%

Function 010CF527, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction ID: 4321fdabb255ac0a7c3a11179f6b03692a5643928c5fdca31d6cf92b16439aba
Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
Instruction Fuzzy Hash: 7F319A31600649EFD725CF68C980F6AB7F9EF94754F2005A9EA558B290E770EE01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010C1DB5, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 421ca8397601340ab7601417d48b55416c701aab0fb228616bea24b64e05f258
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 21216D72A00119FBD721CF59CC80EAEBBBDEF89B40F114099EA45D7251D674AE01DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 010B8D76, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e508ff38c0570f60f87dde1c0687546e7b8c731b5cf751c8158c4b3070b2b1f
Instruction ID: 731bb658d29963e6da95ece1cd3a99f5b6495b28f2efbdb8883896e5ba16a0eb
Opcode Fuzzy Hash: 7e508ff38c0570f60f87dde1c0687546e7b8c731b5cf751c8158c4b3070b2b1f
Instruction Fuzzy Hash: 4121A039241A80CFE76A9B2CC0D4BB677E8EB55745F0884A7E9C28B6A1D779D881C710

Uniqueness

Uniqueness Score: -1.00%

Function 010B0050, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a47a3865a00251413a65644779a7adbaf59cfd4f810018025cc4de606dda5d
Instruction ID: 517ffbc2a91e4a1c37de18b0cfb587cf53f7c2d1214b6413fa58660d6184b56c
Opcode Fuzzy Hash: 70a47a3865a00251413a65644779a7adbaf59cfd4f810018025cc4de606dda5d
Instruction Fuzzy Hash: F7319C31211B048FD766CF28C880B9BB3F5FB89714F1485ADF59687A94EB35A801CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0113CD04, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5f9cf51fe0145239d5d8793eeda8febb461616cdb0fd645c0b6811a31bb174
Instruction ID: b77f7a4974f90f5e63a6bdee305797c5e84efc507365394d878c96a46c57c184
Opcode Fuzzy Hash: cc5f9cf51fe0145239d5d8793eeda8febb461616cdb0fd645c0b6811a31bb174
Instruction Fuzzy Hash: 3631F874E102199FCB19DFA9D848AECBFF5BF88740F15816AE915B7214C7709840CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 01116C0A, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0b2a7120d300649b604f60390e19e59b1dadbbb00fd5e1e64095945f588b30d
Instruction ID: 8135c098792fed9c5a6ae09fd756c7d620f7926142c4c2ba75b83d692b2e6009
Opcode Fuzzy Hash: e0b2a7120d300649b604f60390e19e59b1dadbbb00fd5e1e64095945f588b30d
Instruction Fuzzy Hash: 52219A72A00645ABD715DB68D880FAAB7B8FF48740F144069F945CB791D735ED10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0116F1B5, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd90c35c782e3af4888cba3cd975168c9d9b98e080b411ff8b83b70c132d8fe8
Instruction ID: 6fa4aac800340882a0f72774e9892b66660e6f4c12e31a4c673eb74d334c89e6
Opcode Fuzzy Hash: cd90c35c782e3af4888cba3cd975168c9d9b98e080b411ff8b83b70c132d8fe8
Instruction Fuzzy Hash: A821033AA00516EBDB258F49E894F9ABBB8FF46750F014068E9059B250D332DD21CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01094A20, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55446498d719a84e68d90e449dc781b92888ad15905ef056957b879b174c59db
Instruction ID: 732dfaf97f82dc3f86c6909e2c55338d92ea9dfc5844528943e3e716271d7117
Opcode Fuzzy Hash: 55446498d719a84e68d90e449dc781b92888ad15905ef056957b879b174c59db
Instruction Fuzzy Hash: 96210E31100601DFCF76AB29CA20B2F77E6FB50324F10875DE5D6869E6E7349842DB95

Uniqueness

Uniqueness Score: -1.00%

Function 010D90AF, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 976a453f97ffeba624c3c4a5fe1b00cac40867447d76011b8eda8019abfb2856
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 59218075A00305EFDB21DF69C844AAAFBF8EB54714F14887AEA85A7200D330ED00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010C3B7A, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be3fd9e6e747d0415e4ee916dd39f2adb660c0e978e26da5083c4365214db16
Instruction ID: a1fe25f1c8bd92125c95d9a9f9cd93342ba078dd5d560ea542d90f9cad20f791
Opcode Fuzzy Hash: 6be3fd9e6e747d0415e4ee916dd39f2adb660c0e978e26da5083c4365214db16
Instruction Fuzzy Hash: CE219F72A00119AFC715DF98CD81BAEBBBDFB44748F154068EA09AB252D371ED51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01094B94, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
Instruction ID: a99af99f6845de80f015deb89638a6708dc3ab61781d0941073a4fbe40e92aed
Opcode Fuzzy Hash: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
Instruction Fuzzy Hash: D331E1B1900669DFCBA8CF68C290679F3F4FF44210F1486A9C8A9D7620E770B942EB40

Uniqueness

Uniqueness Score: -1.00%

Function 010A28AE, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7af8a9a591ffc11a4c93b0ba6c67160aa4925fb5fdb4691448f44f7796a75f1
Instruction ID: 7b7ac9d256992bcb34859bc0b228f3a7cdc22b3705960e1596a3543a4bf37a92
Opcode Fuzzy Hash: e7af8a9a591ffc11a4c93b0ba6c67160aa4925fb5fdb4691448f44f7796a75f1
Instruction Fuzzy Hash: A221DB326067819BF722A7ACCD44F643BD4AF45774F1907F5FBA09BAE2DB689840C211

Uniqueness

Uniqueness Score: -1.00%

Function 0109519E, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17fd313bccedecd70f905405cc0abbae830859fb89b3362d104030afc4cebc49
Instruction ID: bee519fc027258d022726ad89e0cce9ba2d264416bbbda93b99d1896c640f0cc
Opcode Fuzzy Hash: 17fd313bccedecd70f905405cc0abbae830859fb89b3362d104030afc4cebc49
Instruction Fuzzy Hash: D61136709013059BCF61AF69C861BFEBFE6EF15710F1401ABFAC697680D631C841C690

Uniqueness

Uniqueness Score: -1.00%

Function 010912D4, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction ID: 1642d1dced519360ac08a40f35f0443219441c41e8306de595529e7ac507cc03
Opcode Fuzzy Hash: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
Instruction Fuzzy Hash: C211E6B270060AFFDB229F58CC51FDEBBB8EB84760F108069EA458B590D671EE44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 010CFD9B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: 14e713668c8c57ed7fb98a14a9f0430299e3245caf54e920c09cc7932e96b930
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: AB217C72A40642DBD735DF4DC540AAAB7E6EB94F10F2481AEE9868B611D7309C00CF81

Uniqueness

Uniqueness Score: -1.00%

Function 010C12BD, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5960ee42d82b23191e1eafff2801b86e0b312e1bf3fa33fe4777f9cfa3a9bba
Instruction ID: c2a21c90c5abb7a228818215890c49daf49643a468e9ffff6fdbd58d0fd814cb
Opcode Fuzzy Hash: c5960ee42d82b23191e1eafff2801b86e0b312e1bf3fa33fe4777f9cfa3a9bba
Instruction Fuzzy Hash: 34213871600640EFD775DF68C880BAEB7E9FB48654F14C86DE5DACB652DA70A840CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010D5A69, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0ef02eec4230b21b0fed27980711233bd516188c70c3ac997766f0e711ef547
Instruction ID: 1482a62656a019f0ef4d44d5859a2ec306c4891db8c4dbf9ed2c371daed57cdd
Opcode Fuzzy Hash: d0ef02eec4230b21b0fed27980711233bd516188c70c3ac997766f0e711ef547
Instruction Fuzzy Hash: 4A11B179641B628FD32A9B2CD8E07B977F4EB05714F08449AECC28B791D3A9DC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010CB390, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ea782629c519e1c395c97daa763e356d08745d7d77697342c36b96b03485012
Instruction ID: c2a434051e2bb321089a4a8442f876663cb6fea6c1fc432f014f76bc1ab4025e
Opcode Fuzzy Hash: 2ea782629c519e1c395c97daa763e356d08745d7d77697342c36b96b03485012
Instruction Fuzzy Hash: 68114C337152105BCB2DDB189D81A6F77A6EFC5770B29812DED56EB3C0CA715C02CA94

Uniqueness

Uniqueness Score: -1.00%

Function 01099240, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07544557b94ba7f91cd30df0a13000817ce873ae3e980c4510382c9c16fa111
Instruction ID: fc0a8eedf626ac8162a6a939d54ebbdd001dba35ac012e7dc99f13c50b5ad5c1
Opcode Fuzzy Hash: f07544557b94ba7f91cd30df0a13000817ce873ae3e980c4510382c9c16fa111
Instruction Fuzzy Hash: F9219232080641DFC725EF68CA50F99B7F9FF18708F54856CE089876A1C734E941DB44

Uniqueness

Uniqueness Score: -1.00%

Function 01093138, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction ID: 8e5dc442f4c00f95b4042064df4ffe225381c386b2e34649d755812ff2d5094d
Opcode Fuzzy Hash: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
Instruction Fuzzy Hash: 95110071A04301EFDB25DB64C804F6ABBFAFB80314F10869DE4818B251EB72A802CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0115E962, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction ID: 0b2a1080bca93783e08040a89a1328e256247d2f19d266b6f4344b8c24958457
Opcode Fuzzy Hash: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
Instruction Fuzzy Hash: 7911C432A00519EFDB5DCB58C805AADFBB5EF84310F058269EC5597350EB31AE51CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 01124257, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d4836549dce59db8c62af3f442121b378c535538f4af5fe1be6d8d8ef4389b
Instruction ID: 35292702c6af7793b5f1d4b25cbc6f126e4d2fc23f9b2e87c8398c3064a983ab
Opcode Fuzzy Hash: 95d4836549dce59db8c62af3f442121b378c535538f4af5fe1be6d8d8ef4389b
Instruction Fuzzy Hash: DF219070500B11CFC72DEF69E0006587BF1FB86754BA4C26ED1A58BA99D731D4A1CF01

Uniqueness

Uniqueness Score: -1.00%

Function 010A28FD, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dff7ff1f4331b8137bcdbb1b8b87508168ed233a441bc9d3868269940dd8c4b
Instruction ID: 0092c515fd096d08502947c74e7d7aa149579aaec69197cfa2ef3276216a0fbd
Opcode Fuzzy Hash: 5dff7ff1f4331b8137bcdbb1b8b87508168ed233a441bc9d3868269940dd8c4b
Instruction Fuzzy Hash: 8F110835354740ABF326936DCD45F663BD8EF90B90F1400B9FAC18B6D1DAA4D8008121

Uniqueness

Uniqueness Score: -1.00%

Function 010C2397, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ca025ca5a73ba4497529d59cb4be25853e608b4bcce39e972847f60f54f31e
Instruction ID: 85e4089325088c79e1644e6d3ec776b3386cfc75f92cd0b6165d4fb3b5e34c98
Opcode Fuzzy Hash: 27ca025ca5a73ba4497529d59cb4be25853e608b4bcce39e972847f60f54f31e
Instruction Fuzzy Hash: F8112B72740301A7E735A73DDC80B5DB6D9BB60B10F54C42EF682A7580CAB0E840CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0109C962, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ba8b704bf78a8f556161ba9827c16c2fa191b565e0fa0a314bdf883b3c90b6
Instruction ID: e67e81fe54df708445e4a7951cfbd1a1c5667f78ebd75068f107a160c46dd84f
Opcode Fuzzy Hash: 28ba8b704bf78a8f556161ba9827c16c2fa191b565e0fa0a314bdf883b3c90b6
Instruction Fuzzy Hash: 79112131B007079BCB2AAF2CDD84A6BB7E1BB85610B200538E991836D1DB60FC55CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 010C002D, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: f17fde5b707a47f7454338a6c4289cd5d103886add980f326a6c3958518c7e55
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 2811E536A01A81CFE727972CC984B793BE4AB40B94F1A00A4FE4487AD2D769D841CA50

Uniqueness

Uniqueness Score: -1.00%

Function 01099080, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d27249de7970dd5218eea5686c212c2dde0b46ac5624fac8ebc9efd42a8c497
Instruction ID: fc38f500512b192ef263d0892f7b2b1a9391458a8548ff8d0b5fc056bc995a74
Opcode Fuzzy Hash: 4d27249de7970dd5218eea5686c212c2dde0b46ac5624fac8ebc9efd42a8c497
Instruction Fuzzy Hash: D501FF726052008FC7699F08D850B16BBEAFF81328F2180AAE5619B692C370DC81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0112C450, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 9dd70d56a15ea63c1dffaeda8c14ed0bca535de39ffa81fc63fd15ea6bdc1815
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 23019272180656BFE725AF69CC80EE7FB6DFF64394F404525F254465A0CB21ACA0CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01098190, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b642101a7554452e5745c12c9e4c44eaecc4c9671d77dd980b20eaed04b467
Instruction ID: dc64ff585447633394b90f146369c1670c55a2a81a185ae06d5684258d14ccff
Opcode Fuzzy Hash: b0b642101a7554452e5745c12c9e4c44eaecc4c9671d77dd980b20eaed04b467
Instruction Fuzzy Hash: F001D872141609ABD7229F65CC50EA777DDEF82760F15C1AAE5A58F381CB30D901C790

Uniqueness

Uniqueness Score: -1.00%

Function 010C3B5A, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd171a7f7287d57a20a5a6b5527fc4d4dc270aad535f1670fefeec996e78c3d
Instruction ID: 1b45e3ee48483787f009e42b75d8162d15c52dadfc9842dcafc9c7d1c234964b
Opcode Fuzzy Hash: fcd171a7f7287d57a20a5a6b5527fc4d4dc270aad535f1670fefeec996e78c3d
Instruction Fuzzy Hash: 7911F836941554DFCB2ADB4CCA80FAE77B9FB48A00F55006CE505AB792C338EC10CB54

Uniqueness

Uniqueness Score: -1.00%

Function 01151A5F, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48da22afb9c39d3e7a81b7c2dd09682c5c9c3a1bd938f3d94703b49ffa68f1d6
Instruction ID: 3217602ccc820c51db3786881b54e994679d5653d4b21f50f961f72cea613d9c
Opcode Fuzzy Hash: 48da22afb9c39d3e7a81b7c2dd09682c5c9c3a1bd938f3d94703b49ffa68f1d6
Instruction Fuzzy Hash: BF116D71A01359ABCB14DFA8D845EAEBBF8EF54710F04406AF915EB380D6749A00CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010931E0, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction ID: eaa4eaad886807eb74d4965c03219f87e7b14fa5c65a0901010ece1ccd9313d1
Opcode Fuzzy Hash: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
Instruction Fuzzy Hash: 2B01F9321007019FEB6296BAD504AA777EEFFD1710F0444599AD28B550DA30F401CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01164015, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70778af4c2909483bdc5358d65fc650e1b70960ea91e2ea0009d90471c8ccbf2
Instruction ID: fd76a9df9f648ea40a7e69f36c416bf4850aa745688dda75e11a06f627eb0a28
Opcode Fuzzy Hash: 70778af4c2909483bdc5358d65fc650e1b70960ea91e2ea0009d90471c8ccbf2
Instruction Fuzzy Hash: C101A2722419467FD715BF79CD80E97BBACFF95660B000229F548C7A51CB24EC11CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 01151951, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d379316dc070d14aadba5b5c648cfff7cb92d33e141199c9335fa3d2bc39cd07
Instruction ID: 232c22a7be7472945cc187267f5ba4ea2163331cd1117272db6878529b4a4b45
Opcode Fuzzy Hash: d379316dc070d14aadba5b5c648cfff7cb92d33e141199c9335fa3d2bc39cd07
Instruction Fuzzy Hash: 17019271A01319ABCB14DFA8D845EEFBBB8EF84710F004066B950EB380D6749A00C791

Uniqueness

Uniqueness Score: -1.00%

Function 011519D8, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12220be3d20f7e806301f4d7045465289751dec02f7d96450e6ed1b7542a8363
Instruction ID: dc988f6654681f7c1eb20aa10d732399d3fb4799341acd07bfa077e4b2b17810
Opcode Fuzzy Hash: 12220be3d20f7e806301f4d7045465289751dec02f7d96450e6ed1b7542a8363
Instruction Fuzzy Hash: C2019E71A01359ABCB14EFA9D845FEEBBB8EF44710F00406AB950EB380DA749A01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01151843, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa094ba01d1abec7295a720f493f0cb9e3b70ea056f86f1e10c192cae6e5b32f
Instruction ID: 2379d36e32dfab8bae17f27b1de8cc77274c67278efcaf89905be7e7e8f8fe87
Opcode Fuzzy Hash: aa094ba01d1abec7295a720f493f0cb9e3b70ea056f86f1e10c192cae6e5b32f
Instruction Fuzzy Hash: 34019271E01319ABCB14EFA8D845EEEBBB8EF44710F044066F940EB380D6749A00C791

Uniqueness

Uniqueness Score: -1.00%

Function 010970C0, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction ID: 7436d98ca35abf5a90e6e48c4d51e27430cfce9397e37bf98b480d659264db3e
Opcode Fuzzy Hash: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
Instruction Fuzzy Hash: 5F118E32560B02DFDB319E18C890B62B7E1BF90722F1588A8E5C94A592C778E880DF10

Uniqueness

Uniqueness Score: -1.00%

Function 011518CA, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 849ea8ec0fdc1bac08bc17ad91103e25215612b7408c99193f48a2fbde8d3bd6
Instruction ID: 8ef8ca61c437a3aad66e2bd1739dfb91160bd169c144ce8b7201ab1e458dd7da
Opcode Fuzzy Hash: 849ea8ec0fdc1bac08bc17ad91103e25215612b7408c99193f48a2fbde8d3bd6
Instruction Fuzzy Hash: 44019271A01319ABCB14EFA9D845EEEBBB8EF44710F004066FD51EB380E6749A01C791

Uniqueness

Uniqueness Score: -1.00%

Function 0115138A, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8062626bb98b8ff69452339225051909f4189c7c9a8ab330d056ce09ca60cde2
Instruction ID: aefaefc5ace985d4d992615893013c241797a2a5dc65ae61d588a5aaa6ce8d54
Opcode Fuzzy Hash: 8062626bb98b8ff69452339225051909f4189c7c9a8ab330d056ce09ca60cde2
Instruction Fuzzy Hash: DF019271A04319AFCB14DFA8D881FEEBBB8EF44710F004066B910EB280D6749A01C791

Uniqueness

Uniqueness Score: -1.00%

Function 01168450, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab0c485f60ad926169880dc8cf1c2acbb4a6bb70ced4fcaa2074de596fe31cb
Instruction ID: 275f2eb491d12210e07a6855661eece40572f9394ce1b1f44cd5bec279f517a8
Opcode Fuzzy Hash: fab0c485f60ad926169880dc8cf1c2acbb4a6bb70ced4fcaa2074de596fe31cb
Instruction Fuzzy Hash: 100184332007019FE7299A69D844F96B7EEFFD5654F08481DEA468B650DB72F890CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010958EC, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371e9b178a127813723f74a16717cfcc5dcf84aed6f83a1b21e0fd8b3327ec37
Instruction ID: b91ad57920623673b0a7dcc2660354c1a90550b36121287bea81ebee010b584a
Opcode Fuzzy Hash: 371e9b178a127813723f74a16717cfcc5dcf84aed6f83a1b21e0fd8b3327ec37
Instruction Fuzzy Hash: 1501F731A04109DBEB18EE2ADC109AEB7E8FF45120F4540BADA5597384DF30DD01C754

Uniqueness

Uniqueness Score: -1.00%

Function 010995F0, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction ID: 1ef5ee709b2be392935b45ed4eafc4f2581808a25e8905d255aa6c6e89c8a56b
Opcode Fuzzy Hash: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
Instruction Fuzzy Hash: 05017B32A01240DBDF119B58C820F6933A9AB98738F10415DEF858F2A0DB35ED00D7D0

Uniqueness

Uniqueness Score: -1.00%

Function 01168966, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6491692b295e2085f5a29cac975dfe6880ea5435c6483ab5625945fdc5849238
Instruction ID: 9ba9dc47a054a3dda413f58b60569a05c510beab3f0a16490cad9e5266efedc0
Opcode Fuzzy Hash: 6491692b295e2085f5a29cac975dfe6880ea5435c6483ab5625945fdc5849238
Instruction Fuzzy Hash: 8201E9B1A0031DABDB04DFA9D9419EEB7B8FF58300F10446AE955E7380E7759A10CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 010AB02A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: 5c4411002cc11aebf30430f9c9b71ddc02a0b7d15df7af5aebd9ca1ddc421a4c
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 89018F32340A80DFE326875CC988F6A7BE8EB89750F0940E5FA59CBA91D728DC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 01161074, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a49a3f840cc0afd84b64b19b8957f7a4192f7d1cafc69a3bbb37baf4c17b2b
Instruction ID: 44d65c2ee57c75d2ca059a68d97ef7688da410dd1a87638990a44d8207cb0315
Opcode Fuzzy Hash: d4a49a3f840cc0afd84b64b19b8957f7a4192f7d1cafc69a3bbb37baf4c17b2b
Instruction Fuzzy Hash: 93012872604742AFC718EF28C940B1A7BE9ABD4314F04C629F99593290DF31D851CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0115129A, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabee4d40a3a6f37cfa4084c84619080ef7f78bea454f71b61fc2a7e100ce1d5
Instruction ID: 749db6cc31a5f8739938b917613bdab935f91e48fc948d0b7c97af3bdd2171c0
Opcode Fuzzy Hash: dabee4d40a3a6f37cfa4084c84619080ef7f78bea454f71b61fc2a7e100ce1d5
Instruction Fuzzy Hash: CF01D471A00368EBDB14EFA9D805FAFBBB8EF54700F04406AF951EB280D674D900C790

Uniqueness

Uniqueness Score: -1.00%

Function 0114FD52, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d6e62d5ea964958b3e1671386721a1767ee5c2e6e4801204bbe30144218fc3
Instruction ID: 51317dd5ae13663c3986ab8d683d7dea622196722776af2fbe701c1d7b7c06fd
Opcode Fuzzy Hash: 42d6e62d5ea964958b3e1671386721a1767ee5c2e6e4801204bbe30144218fc3
Instruction Fuzzy Hash: 0B018471E00319ABDB14DFA9D845FAEBBB8EF95700F044066B951EB380DA749901C795

Uniqueness

Uniqueness Score: -1.00%

Function 011689E7, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459f2d92a4f118cba7bc9711a2d7a7599383d3af0155879b7bbc7f3e776a6f10
Instruction ID: da23538ae13c2543bbeae910211fbaf6a9c65b67cdfb4fabc3856b34a16295d3
Opcode Fuzzy Hash: 459f2d92a4f118cba7bc9711a2d7a7599383d3af0155879b7bbc7f3e776a6f10
Instruction Fuzzy Hash: 74012CB1A0031DAFDB04DFA9D9819EEBBB8EF58350F10405AF905E7380D774AA01CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01168A62, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af36b458d394b15608a134e605828248fbafd77a7e9bdb8ff53e2c7a8558a2b6
Instruction ID: e9721cacb5dff0bb79279779b9ccc2a46219246476fb93d673473886c0a13395
Opcode Fuzzy Hash: af36b458d394b15608a134e605828248fbafd77a7e9bdb8ff53e2c7a8558a2b6
Instruction Fuzzy Hash: 6D012CB1A0031DAFCB04DFA9D9419EEBBB8EF58310F10445AFA04E7381D734A910CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01168ADD, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2dee02b3a563a9ce5da78ef94567cd109ca405f77b6e193d7ffa43edf3c909f
Instruction ID: 7f432876ac3ef623da558bfc6bc915eaac0ec502bc8c9a69d4538e04a36efc09
Opcode Fuzzy Hash: a2dee02b3a563a9ce5da78ef94567cd109ca405f77b6e193d7ffa43edf3c909f
Instruction Fuzzy Hash: 43011EB1A003199BDB04DFA9E9519EEBBB8EF58310F10405AF904E7340D6349A01CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0109DB60, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: f9071c22a46b71f3341a3961a27c72714c8fed3b073942bf5efdef7fc4b3b3c8
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: B6F0FC33281523DBDB325AD988F0F6BB6D59FD1A60F150035F3859B344CA608C02A7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0109B1E1, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 740e17a7aefbda81149fc76c76200bec0adba74e880c89dff85bc244a8f615ca
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: C901F4322006809BD722A75DD844FAABBD8EF91764F0800E5FE94CBAB2D678C800D314

Uniqueness

Uniqueness Score: -1.00%

Function 01097057, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324c95fd9ea63770d179aa5608afae7d03878e07d8467dfa8ed28962046a8731
Instruction ID: 1ca7bc3f42a08288b630dfe271df0e83f4f2c384df1be19b1db9e025b63a6606
Opcode Fuzzy Hash: 324c95fd9ea63770d179aa5608afae7d03878e07d8467dfa8ed28962046a8731
Instruction Fuzzy Hash: 7A01A232210608ABDB35DF58DC05FABBBF9EF84600F14016DF94583190CAA1A904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01169BBE, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b995172560177ec0c2d8ce524955646a2e41d2ca88ae18c809a3ab8de487b38e
Instruction ID: bcd5039646129185b26d88f06dc81373ef205ba6f566b4c11a5822b8a987d9c8
Opcode Fuzzy Hash: b995172560177ec0c2d8ce524955646a2e41d2ca88ae18c809a3ab8de487b38e
Instruction Fuzzy Hash: 9A012C71A0061D9FDB04DFA9D841AEEBBB8AF59310F14405AF905AB280D734AA11CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01151229, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a81704f751d2388ec3f20b2863a473adebd936831bce30b2b49cfc8ef411473
Instruction ID: e2bd72494dfb91083a1bc769fedacfc3d140b72ea094797668974d9eb03d34c8
Opcode Fuzzy Hash: 0a81704f751d2388ec3f20b2863a473adebd936831bce30b2b49cfc8ef411473
Instruction Fuzzy Hash: 2401A972A04318EBDB14DBF9D405AEFB7B8EF54750F00805AF911E7290DA749900C791

Uniqueness

Uniqueness Score: -1.00%

Function 010C5AA0, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
Instruction ID: a2e552b1bb6cc9a03fe7dc934d16864e523bfdc664a10028cddb22c63f4fe64a
Opcode Fuzzy Hash: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
Instruction Fuzzy Hash: 9101D135640746AFD726AB5DCC84FAE37A9AB10B20F008245FD948B2D1D7B4FD50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01093591, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction ID: d0262c184832443245f3103eb1140c9c5344c8708dabf3cf3f90ec352fc7ffe1
Opcode Fuzzy Hash: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
Instruction Fuzzy Hash: 9CF0FC71A01305BBEF34EB798860FEA7BE8FF58710F048195EE42DB100DA32DA409B91

Uniqueness

Uniqueness Score: -1.00%

Function 0114FDD3, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce66c94e986d1372c276834976d0cd7726fb7faa55d6c8754902ee72256fccba
Instruction ID: 7881d20306a86d37cdef07041f4c945fc5d8e1b160f22865826ee59487ad6c58
Opcode Fuzzy Hash: ce66c94e986d1372c276834976d0cd7726fb7faa55d6c8754902ee72256fccba
Instruction Fuzzy Hash: E7F0C271B04359ABDB18EBA9E905EBEB3B4EF55A00F014069B901EB6D0EA30D901C741

Uniqueness

Uniqueness Score: -1.00%

Function 01091BE9, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
Instruction ID: eb955e805f0fd3aca142c7f48bc30c1284d6b35e439b2a06050352c21bee80c3
Opcode Fuzzy Hash: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
Instruction Fuzzy Hash: 3DF0F671714209ABDB18CB29CC10B96B7EDEF98310F1080789585C72A0EAB2ED01E354

Uniqueness

Uniqueness Score: -1.00%

Function 0115131B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54ee1713cce52a229584cb087fe65bbe581cbda14e068edd0aea7f092d1cbfdb
Instruction ID: 7523ca6a26a58bb865eaddee7ef04c2b23e59d803996c93c72deb968e869bc38
Opcode Fuzzy Hash: 54ee1713cce52a229584cb087fe65bbe581cbda14e068edd0aea7f092d1cbfdb
Instruction Fuzzy Hash: CC013C71A05209AFCB44EFA9D545AAEB7F4FF58700F008469BD55EB381E6349A00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 010BC577, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c37e2d8c43b38bf7ff1f5ac10a2ed4849ed0e5468ee98137e99c0352d565371d
Instruction ID: ba30efe3335f21befb659535b2a667025c4dd14616f05c8b13e063d15cb3a9f0
Opcode Fuzzy Hash: c37e2d8c43b38bf7ff1f5ac10a2ed4849ed0e5468ee98137e99c0352d565371d
Instruction Fuzzy Hash: 64F09AB29157909EF7B68B2CC2C4BA27FE89B05670F4484A6D68687242C6A4DCC0C250

Uniqueness

Uniqueness Score: -1.00%

Function 01152073, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f771046b2b3c2b416052a88903a6e845728ed0315250991a4e5a41a512ef961
Instruction ID: 018577a8019fca9cec0500261d5c1e902dee296deb3c02169ebce4276cac2ef0
Opcode Fuzzy Hash: 2f771046b2b3c2b416052a88903a6e845728ed0315250991a4e5a41a512ef961
Instruction Fuzzy Hash: 4AF0202B423585CBDFBF6B2C61003ED3BA2D756114F4A8496DCB027209C73488C3CB20

Uniqueness

Uniqueness Score: -1.00%

Function 010D927A, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 5c763fc75761f296230db34efe55cda824a677700119294bc6d7a509147d3dae
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: DBE02232340A016BE7219E0ACCC0F9737ADEF92724F044078B9005E282CAE6DD0987A0

Uniqueness

Uniqueness Score: -1.00%

Function 01168D34, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2b07082fadb2133f1ec477815161707d626ce41ad681d9e21613e7df4dac75
Instruction ID: 4f5dda1076822724a125b9c180c8a9b506d3f535c1a0c9ad6bf1ae0412fc0b60
Opcode Fuzzy Hash: 7a2b07082fadb2133f1ec477815161707d626ce41ad681d9e21613e7df4dac75
Instruction Fuzzy Hash: C1F0B470A047089FDB18EFB8D441AAE77B8EF28300F108099E905EB280DA34D900C754

Uniqueness

Uniqueness Score: -1.00%

Function 01168C14, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cb475e90b5557eb61d5c111c3eeefe42a760c6b1bf0ea805100c1d7a41782f
Instruction ID: 941d4d7fff189cd74d0e0e5c6ffff447da20674cc598b6f4aebbb145d2a12337
Opcode Fuzzy Hash: 58cb475e90b5557eb61d5c111c3eeefe42a760c6b1bf0ea805100c1d7a41782f
Instruction Fuzzy Hash: 98F0B470A053199FDB18EFB8E901EAE77B8FF14300F004459B915EB280EA34D900C791

Uniqueness

Uniqueness Score: -1.00%

Function 01168C75, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fb1ddbc0467a746496af759aca48f5c6110aca9e543bce4489d3b971f42ecd4
Instruction ID: 2b09c341b3e363c45eb07e2d413760b3600d1d131c4332498ec4e0ddf20b73a9
Opcode Fuzzy Hash: 2fb1ddbc0467a746496af759aca48f5c6110aca9e543bce4489d3b971f42ecd4
Instruction Fuzzy Hash: 03F0B470A143599FDB18EFB8E941EAEB7B8EF54300F004459B905DB380EB34D900C780

Uniqueness

Uniqueness Score: -1.00%

Function 01168B58, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686024aa8124e33d247a09bc60a3f325c07b23ff44617d8da1f8c23c91a193ff
Instruction ID: a0d5e0debb93991c9581e564c3b809ff7d8c06a86bcaf8421fe442ce2761d12b
Opcode Fuzzy Hash: 686024aa8124e33d247a09bc60a3f325c07b23ff44617d8da1f8c23c91a193ff
Instruction Fuzzy Hash: 33F082B1A14359AFDF14EBA8E906EAE77B8EF14300F050459BA15DB3C0EB74D900C795

Uniqueness

Uniqueness Score: -1.00%

Function 01168BB6, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d397668a5d2a079f55f25b6f602f96e9cb2c98656d44456348304414ceaff802
Instruction ID: 01fd098f516d4150c41ca6601d63421bb6dbfa6bc93e6a42b811648f3fc27d2d
Opcode Fuzzy Hash: d397668a5d2a079f55f25b6f602f96e9cb2c98656d44456348304414ceaff802
Instruction Fuzzy Hash: C6F0E2B0A04359AFDB08EFACE905EAE73B8EF08300F000058B901DB2C0EA34D900C788

Uniqueness

Uniqueness Score: -1.00%

Function 01151BA8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94830aedec4a7f0c1615ccb76783a0a5f6617597affb7aa055bf2fa4b9445e37
Instruction ID: e80e0e4b5e7b1918fb14fba042ab59c72728fb329e3f4c03705d13ec0e9ca591
Opcode Fuzzy Hash: 94830aedec4a7f0c1615ccb76783a0a5f6617597affb7aa055bf2fa4b9445e37
Instruction Fuzzy Hash: 4DF08271A05248AFDB18EBE9D446FAE77B4EF18304F400099F945EB2C0EA78DD00C755

Uniqueness

Uniqueness Score: -1.00%

Function 010B746D, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcf65f0226fb798ad55d1bc3b50df10498cbfbd7ebe4ed450d8df6f98103b6cf
Instruction ID: 2ac8e4dc1797e3a3c187f1c2262b4eb63bcd9ac887233bb76e39e9cb9840a1f5
Opcode Fuzzy Hash: bcf65f0226fb798ad55d1bc3b50df10498cbfbd7ebe4ed450d8df6f98103b6cf
Instruction Fuzzy Hash: 80F0E935A04145AADF4A976CC8C0BFDBFB1AF84211F440299D5D1AB1D1EB6C9C00C785

Uniqueness

Uniqueness Score: -1.00%

Function 0109354C, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3acf98039bb51f2f631af42ab684b524bbf76727c4c9197598c914aea91ca4
Instruction ID: 07d32c5894d6a1bf6493b29f799f01b15c1496efa6432245ae8096e8e0d1a1b1
Opcode Fuzzy Hash: ff3acf98039bb51f2f631af42ab684b524bbf76727c4c9197598c914aea91ca4
Instruction Fuzzy Hash: EAF0A732A1179A9FD762D72DC148F11BBD89B05B70F1540A5E58587A43C778EC80C690

Uniqueness

Uniqueness Score: -1.00%

Function 010CA44B, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 250f5aad225856db402b38bd3432ff6deb2e5d2cf8cd66b90f1b1a18da9fcf83
Instruction ID: 2ea018fd66a3a8c50f34b3e6b886ab3aff6cf7cbca48487a25795f668e95fa70
Opcode Fuzzy Hash: 250f5aad225856db402b38bd3432ff6deb2e5d2cf8cd66b90f1b1a18da9fcf83
Instruction Fuzzy Hash: 2BE09272B01422ABD2215F18AC00FABB39EDBE5A51F1D4039E645C7254EA68DD02C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 0109F358, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: aa74ebb458b342b1bad5ab7292961b348952552843a9dc2b6373cdf1de2ad99b
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 42E06F32A00119FBCB20AAC88E01FAABFACDB48AA0F008095BA04D7050C5649E00D2D0

Uniqueness

Uniqueness Score: -1.00%

Function 010915C1, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction ID: 5249d34006cf6fb4a165e1361487f224052838b7c5333e34b91c6dc00495c216
Opcode Fuzzy Hash: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
Instruction Fuzzy Hash: D2E02B31300187E7CF32AA48C550BF6B3D9AF91720F0980B1E4428F242DA70DC42E3D0

Uniqueness

Uniqueness Score: -1.00%

Function 011241E8, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615750c7b01799be9f426a9bd207c343ced74af83dd734dff2583185226026c5
Instruction ID: b052fbf4d1825767469bd60870f5fdbefa93612557d71c9b510307b8c72ec297
Opcode Fuzzy Hash: 615750c7b01799be9f426a9bd207c343ced74af83dd734dff2583185226026c5
Instruction Fuzzy Hash: D0F01E78860B01CFCBB8FFAAE6047483AB4F755B20F80C12AE160876C8C73444A0CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0114D380, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: 0e71546e323bc83a5a5b95eb134e037df6400e6cdeb3aeb14799f332b81dac3e
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: D6E0C231284245FBDF265E84DC00FA97B16EB60BA0F104031FE485E6A1C6719C91E6C4

Uniqueness

Uniqueness Score: -1.00%

Function 010CA185, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf6faf1431e8d46eb2fbb573f4000c550c84a6c6d782894dcf139e2090c1a67
Instruction ID: c99e0cc16ebdbed55d48262ced204e8858a0dfe99bbe34c78e78b596b6965d3a
Opcode Fuzzy Hash: cbf6faf1431e8d46eb2fbb573f4000c550c84a6c6d782894dcf139e2090c1a67
Instruction Fuzzy Hash: 5AD0C7A12610049AC72D33109EA4BAA3222F7C0F60F24C80CF2861B9A4FA6088D0DA49

Uniqueness

Uniqueness Score: -1.00%

Function 011153CA, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: f38c9aa4a97901c7c35705c01cc082a656bb7289382e3e5f1374a8f9c9dc4aaa
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: AAE08C319546809BCF16DB88C690F8EBBF6FB85B00F140014A0485F660C724AC00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00406A9A, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.680778929.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb2735361d0fc81f54ba96981c65502eebc6d2b8916ff3253f33114cd3bae189
Instruction ID: cc073fda0e6d84b5c13b0de625ca4b5fc627b13902e2204adfa273589104bf8a
Opcode Fuzzy Hash: fb2735361d0fc81f54ba96981c65502eebc6d2b8916ff3253f33114cd3bae189
Instruction Fuzzy Hash: C7C09B27D1616405D12D9C0DB8411F5E778DF53135F4877DBED0977D524046C4A105C9

Uniqueness

Uniqueness Score: -1.00%

Function 01098410, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0d712b6c6fef27b78e2b0a920c60696e06cc30729a19bca03d9772f4bedcd61
Instruction ID: 87acff9098adf504f89c902a74314b50ceabe1bf9d333669708c9059b5bbde06
Opcode Fuzzy Hash: e0d712b6c6fef27b78e2b0a920c60696e06cc30729a19bca03d9772f4bedcd61
Instruction Fuzzy Hash: C1D0A732080144ABC711FF0CDD80F893BAEEB94700F004024B40887262CA30EC60CA84

Uniqueness

Uniqueness Score: -1.00%

Function 010AAAB0, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: faf560be5b4c1c53f9d46e22f2ce91fd54f40dc579a6d81a92dc2504aadbb245
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 1BD09235352A80CFD6568B4CC564B0533E4BB44A40FC504D0E5408BA62E628E940CA00

Uniqueness

Uniqueness Score: -1.00%

Function 010C35A1, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 40c924073279a86594e674c8da06260df6a42526d81f33991cafb4ecbef054e2
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 1AD0A7314311819FDB41AB54C1187ACB7B1BB20A0CF58609D80C10D452C3354909CE00

Uniqueness

Uniqueness Score: -1.00%

Function 0109DB40, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 015efe2147062df26239cd92735440d83220b765e6b3b7e1b3dc0cfb233ba5e5
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: DEC08C302D0A01EAEB221F20CD01B803AA0BB10B01F4400A07341DA0F0DBB8D901E600

Uniqueness

Uniqueness Score: -1.00%

Function 0111A537, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 9c77aef58c7d26076cc2bdf41816f6e797d188f96b4581ccd581a221024ae5fd
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: D4C01232080248BBCB126E81CC01F867B2AEBA4B60F008011BA580A5708632E970EA84

Uniqueness

Uniqueness Score: -1.00%

Function 010B3A1C, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 8f47c794b9591b92491d1447b6e0ca605e3253f85b8953c89e1849304de0a204
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 01C08C32080248BBC7126E41DC00F417B29E7A4B60F000020B6040A5618572ED60D588

Uniqueness

Uniqueness Score: -1.00%

Function 0109AD30, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: b571796f9299495501f5ab48c74aa1accf13c3db75102499da6a58da4c7d4e9a
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: EAC08C320C0288BBC7126A45CD40F417B29E7A0B60F000020F6040A6A18932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 010C4190, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction ID: aff8f2c0d04bad0d99a004d0b9afa9b0ed73082b947ebb9a1a73b0fe3b90943e
Opcode Fuzzy Hash: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
Instruction Fuzzy Hash: 13C04C35711541CFCF16DB29C2C4F5537F4B754744F150890E805CB761D764E850CA10

Uniqueness

Uniqueness Score: -1.00%

Function 01148D47, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction ID: 48cd5381ce3cde12e3d3e49597d883636891f97ce5583f10d62f28c1fa817726
Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
Instruction Fuzzy Hash: 82C09B1F1566C54ECD279F3443127D5BF60D742DD4F1D14C1D4D52F513C1144513D625

Uniqueness

Uniqueness Score: -1.00%

Function 010B7D50, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 9c1ec84b94da2a43cd4f74fff0b8b8f229fd84c0be0dc7489b549240071686a6
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 0DB092353019408FCF56EF18C080B5533F4BB84A80B8400D4E400CBA21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 010C2ACB, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 1d40a7cbf2e1e1c952ba7d60a576c40d169c9349ab11c8cf0234e1428b9ef03b
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: DDB01232C21441CFCF02EF80C620B5A7331FB40750F054490900127930C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 010D9910, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50235f2debf0f4613b2c3190dac966329627819b2444a83276baaa5ab8993211
Instruction ID: 9f21dcc5159de3f5354dd31ff8c9d244ac5328e4e8506d93c5e19caf94d42259
Opcode Fuzzy Hash: 50235f2debf0f4613b2c3190dac966329627819b2444a83276baaa5ab8993211
Instruction Fuzzy Hash: 0B9002B120100906D140719A84087560145E7D0381F51C011A9454554EC6998DE577A5

Uniqueness

Uniqueness Score: -1.00%

Function 010D9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 501144bea62395a63fac9aa9d40e9230f5318c88d424f3ca6ec44e4f1dab89bf
Instruction ID: defb6596cacbca23dce55e11d89edef4b39537f3d88192a57163a5677315dfaa
Opcode Fuzzy Hash: 501144bea62395a63fac9aa9d40e9230f5318c88d424f3ca6ec44e4f1dab89bf
Instruction Fuzzy Hash: 299002A120140907D140659A88086170145E7D0382F51C011A6454555ECA698C617275

Uniqueness

Uniqueness Score: -1.00%

Function 010D99A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c54d11e8b69b1e636b7b6216443f3ddef9d3dc1501ee07086114244725d4c5a
Instruction ID: 5af510c185107b19353b5b6e7a5f5a5136dafd50571c2a583b17462f15ee5bc7
Opcode Fuzzy Hash: 1c54d11e8b69b1e636b7b6216443f3ddef9d3dc1501ee07086114244725d4c5a
Instruction Fuzzy Hash: 759002A134100946D100619A8418B160145E7E1381F51C015E5454554DC659CC627266

Uniqueness

Uniqueness Score: -1.00%

Function 010D99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe274800c664e5b7610b99e452fff2ae6d599ed0fbc9c0a0615dd50d5f8f416
Instruction ID: 42d0f9c42576a0bdacea706a99d8f5f61575a97e0f92ef5239dccd65295352b6
Opcode Fuzzy Hash: 4fe274800c664e5b7610b99e452fff2ae6d599ed0fbc9c0a0615dd50d5f8f416
Instruction Fuzzy Hash: B99002A121100546D104619A84087160185E7E1281F51C012A6544554CC5698C716265

Uniqueness

Uniqueness Score: -1.00%

Function 010D9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502cc9c71f024000afcbf5b518c90e083b0f48b9d59a83d23cc32c86766b3115
Instruction ID: 52528e00a70333917b3931e4b4a6a6f0eb324fb646fdc931349e759a768f6f05
Opcode Fuzzy Hash: 502cc9c71f024000afcbf5b518c90e083b0f48b9d59a83d23cc32c86766b3115
Instruction Fuzzy Hash: AB90027124100906D141719A84086160149F7D02C1F91C012A4814554EC6958A66BBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010DB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 531cf82fd28730a46abc7c569d79f0bd5ebb3b2f6c80f53ecf96957d3f07ca86
Instruction ID: e8c90f5af30bc2b6bb7e99d1e0de38a2b51521e6bb80abbba08f11a69721c1c1
Opcode Fuzzy Hash: 531cf82fd28730a46abc7c569d79f0bd5ebb3b2f6c80f53ecf96957d3f07ca86
Instruction Fuzzy Hash: 749002A1601145474540B19A88084165155F7E1381391C121A4844560CC6A88865A3A5

Uniqueness

Uniqueness Score: -1.00%

Function 010D9840, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970448482a60d4641b818005a97adb435ecb7bd49398769ad271207534eb74d7
Instruction ID: 75fad08de848ac927a122a230cf3f2f8c6c939c4d5f354b1a7676cd9e395b202
Opcode Fuzzy Hash: 970448482a60d4641b818005a97adb435ecb7bd49398769ad271207534eb74d7
Instruction Fuzzy Hash: 51900261242046565545B19A84085174146F7E02C1791C012A5804950CC5669866E761

Uniqueness

Uniqueness Score: -1.00%

Function 010D98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c40d525dd633ce260157287dab4825979203a444bdec661a9e105aa420ad3f9
Instruction ID: f0fdbcab2c7b203edecc248f37d3dcf539bc7b9503a3b129cd4a7aad966a81f5
Opcode Fuzzy Hash: 8c40d525dd633ce260157287dab4825979203a444bdec661a9e105aa420ad3f9
Instruction Fuzzy Hash: A590026130100906D102619A84186160149E7D13C5F91C012E5814555DC6658963B272

Uniqueness

Uniqueness Score: -1.00%

Function 010D98F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0467f5f5dd513c590f164ea353dadb25dac90ccda7efadaaabd47489181a8849
Instruction ID: 99a91faa8006ff0755174faece106737b61be6edb927c8689e8c3111faeae71c
Opcode Fuzzy Hash: 0467f5f5dd513c590f164ea353dadb25dac90ccda7efadaaabd47489181a8849
Instruction Fuzzy Hash: 3E90026160100A06D101719A8408626014AE7D02C1F91C022A5414555ECA6589A2B271

Uniqueness

Uniqueness Score: -1.00%

Function 010D9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c863ec5ee06d590fe9edfa1fa4ae55822d116eaa2c7bcd3967dd7d155a26f8b
Instruction ID: 2007ac1b573a244d8ea15f8ca6438e1bcfee59a38f8a88fac350da2d024dd0ab
Opcode Fuzzy Hash: 2c863ec5ee06d590fe9edfa1fa4ae55822d116eaa2c7bcd3967dd7d155a26f8b
Instruction Fuzzy Hash: CB90026124100D06D140719AC4187170146E7D0681F51C011A4414554DC656897577F1

Uniqueness

Uniqueness Score: -1.00%

Function 010DA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 736f82b6e1b5200f14c34210d84a8a45bf57bfbd6f6f70748df58b211cfc445c
Instruction ID: 39bfc74c8a63812d1218ad45bb29ddcc1c681ebc22c5d29580af867dee57d2d4
Opcode Fuzzy Hash: 736f82b6e1b5200f14c34210d84a8a45bf57bfbd6f6f70748df58b211cfc445c
Instruction Fuzzy Hash: 2890027120144506D140719AC44861B5145F7E0381F51C411E4815554CC6558866A361

Uniqueness

Uniqueness Score: -1.00%

Function 010D9A00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5849945d81aba4cc760646ce30a1da32ef12dd1f08357f9a33a792802e0eb3a
Instruction ID: 71a4fb7dac754ea716f0a0ce05e361e62246b046bf0b3b544d5ce675100b2b93
Opcode Fuzzy Hash: d5849945d81aba4cc760646ce30a1da32ef12dd1f08357f9a33a792802e0eb3a
Instruction Fuzzy Hash: E390027120140906D100619A881871B0145E7D0382F51C011A5554555DC665886176B1

Uniqueness

Uniqueness Score: -1.00%

Function 010D9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2251dfbaaa6ef6b6865c43e7661094f7fb79786f7f5103b33d1376244d329346
Instruction ID: 3cfb637db907afe79a618ee6b2069c672923e776bca9ba4d6576ea4321dafbd7
Opcode Fuzzy Hash: 2251dfbaaa6ef6b6865c43e7661094f7fb79786f7f5103b33d1376244d329346
Instruction Fuzzy Hash: 7790027120140906D100619A880C7570145E7D0382F51C011A9554555EC6A5C8A17671

Uniqueness

Uniqueness Score: -1.00%

Function 010D9A20, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2192b78eb101cdeab2fcf5f03046bcbe0fef9fbb5b8e04facbe734bbb830548f
Instruction ID: 47b2837b4d425085f55626219136bd6e2fb2676d9bfa85db6620735549eca241
Opcode Fuzzy Hash: 2192b78eb101cdeab2fcf5f03046bcbe0fef9fbb5b8e04facbe734bbb830548f
Instruction Fuzzy Hash: 6790026160100546414071AAC8489164145FBE1291751C121A4D88550DC599887567A5

Uniqueness

Uniqueness Score: -1.00%

Function 010D9A50, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ff15fd84857277dcba15fe27e88ae2bce6acc3119e68fd68a214922660ad38
Instruction ID: d82c7907042b4a18d0c237a4ad2d6c4627f7f4dd01a3c578ad8c1602fa30122f
Opcode Fuzzy Hash: a4ff15fd84857277dcba15fe27e88ae2bce6acc3119e68fd68a214922660ad38
Instruction Fuzzy Hash: 0790026121180546D20065AA8C18B170145E7D0383F51C115A4544554CC95588716661

Uniqueness

Uniqueness Score: -1.00%

Function 010D9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d590dacccb90d8ddf6de0575781e8ab914ff34efa7f8ec998ac0a27ebaf9b8c
Instruction ID: aad311a9d7476eccd10ce6f295d5ef2ee3a69c55e7c01a649553271b97ed202c
Opcode Fuzzy Hash: 2d590dacccb90d8ddf6de0575781e8ab914ff34efa7f8ec998ac0a27ebaf9b8c
Instruction Fuzzy Hash: E990026120144946D140629A8808B1F4245E7E1282F91C019A8546554CC95588656761

Uniqueness

Uniqueness Score: -1.00%

Function 010D9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba44c6c573a23f88a7bfbef3a136cc43a915797df72c91a7c0bf167d8d0bbff7
Instruction ID: f5f3ef03a0ae23105c22a1427ae7ab7be9686fbc6c1aa36be09ee3d8b8276e00
Opcode Fuzzy Hash: ba44c6c573a23f88a7bfbef3a136cc43a915797df72c91a7c0bf167d8d0bbff7
Instruction Fuzzy Hash: C29002E1201145964500A29AC408B1A4645E7E0281B51C016E5444560CC5658861A275

Uniqueness

Uniqueness Score: -1.00%

Function 010DAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5780d6a433cee8360fd8bd30e784cf4c28d180d0fb41831acc9b9b1807557874
Instruction ID: 94e3fedfde7a782fc3398481107855df88c68fb49e2ef5ce3e91ca98e922ed5a
Opcode Fuzzy Hash: 5780d6a433cee8360fd8bd30e784cf4c28d180d0fb41831acc9b9b1807557874
Instruction Fuzzy Hash: 75900271A05005169140719A88186564146F7E07C1B55C011A4904554CC9948A6563E1

Uniqueness

Uniqueness Score: -1.00%

Function 010D9540, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c4606e7a8fc4234e6f77455539f94597d5b47f599ba4dbdee158d7dab46ff5
Instruction ID: f7b468db0887df892bf5831e88951b2af847f01abff2a8402e0c3abf929d491d
Opcode Fuzzy Hash: 75c4606e7a8fc4234e6f77455539f94597d5b47f599ba4dbdee158d7dab46ff5
Instruction Fuzzy Hash: 71900265211005070105A59A47085170186E7D53D1351C021F5405550CD66188716261

Uniqueness

Uniqueness Score: -1.00%

Function 010D9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e316672b8717cc600744be6a35c95440b87ff3cefd77ead0adedc9f88ba41098
Instruction ID: 883a23500d50d9f4c7f51c74188298e0869b5564e5c5c7c9f39729a98650dfaf
Opcode Fuzzy Hash: e316672b8717cc600744be6a35c95440b87ff3cefd77ead0adedc9f88ba41098
Instruction Fuzzy Hash: 54900265221005060145A59A460851B0585F7D63D1391C015F5806590CC66188756361

Uniqueness

Uniqueness Score: -1.00%

Function 010D95D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8659ce8913b49f53425846395ed5b2db1c817d33730e9803d443718aa482b8da
Instruction ID: 9c8a9884fd08cc7444b4fb478c560a66351a2717d2885bd0b4f125a186782530
Opcode Fuzzy Hash: 8659ce8913b49f53425846395ed5b2db1c817d33730e9803d443718aa482b8da
Instruction Fuzzy Hash: 199002A1202005074105719A8418626414AE7E0281B51C021E5404590DC56588A17265

Uniqueness

Uniqueness Score: -1.00%

Function 010D95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1aa475f30448f60f828b96a83c3374510b6791aac26c25723ba89255e7df787
Instruction ID: 0cedb76b0bdda7bd25dffdaa1dd326d1946ae05a08330e6cc6eedf733c4f2cf5
Opcode Fuzzy Hash: b1aa475f30448f60f828b96a83c3374510b6791aac26c25723ba89255e7df787
Instruction Fuzzy Hash: 5390027120100D06D104619A88086960145E7D0381F51C011AA414655ED6A588A17271

Uniqueness

Uniqueness Score: -1.00%

Function 010D9710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84ff0ec7278ea2e0a8cd7428b3c8db0a57af9cc94dd77711594072e7c22889e
Instruction ID: 4ae3e39027775c5a5beb38c51fec4615b50a940fe0dafc4fca3cb8c759a45ade
Opcode Fuzzy Hash: e84ff0ec7278ea2e0a8cd7428b3c8db0a57af9cc94dd77711594072e7c22889e
Instruction Fuzzy Hash: E890027120100906D10065DA940C6560145E7E0381F51D011A9414555EC6A588A17271

Uniqueness

Uniqueness Score: -1.00%

Function 010DA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 060b316b0a9c16db4d98bcede2755ce3c13e2a3d17b00f0eb96038c90e8e8c35
Instruction ID: 985fbc7be6c17a964f55f1891b1530de7b2b21bf3f775b53a474fe9dffff9dd1
Opcode Fuzzy Hash: 060b316b0a9c16db4d98bcede2755ce3c13e2a3d17b00f0eb96038c90e8e8c35
Instruction Fuzzy Hash: E4900271301005569500A6DA9808A5A4245E7F0381B51D015A8404554CC59488716261

Uniqueness

Uniqueness Score: -1.00%

Function 010D9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 033a31e621c7bec4877095826e843c6064f9c920741ccb75255a79e0b34f49ec
Instruction ID: 88152597636ada0c8f36f0a33b663f3c34dc5d773ac03f10e5e7b85a171d8b25
Opcode Fuzzy Hash: 033a31e621c7bec4877095826e843c6064f9c920741ccb75255a79e0b34f49ec
Instruction Fuzzy Hash: C890026160500906D140719A941C7160155E7D0281F51D011A4414554DC6998A6577E1

Uniqueness

Uniqueness Score: -1.00%

Function 010D9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f2cceef60c752c12b1e23bbf4527d8c9df21cdf06fc6918d2c5acad3a422e8
Instruction ID: 3319000b7eb45803aee98cf6fd7e40836d9b8c3d03f90bc8676a99a9704dc948
Opcode Fuzzy Hash: 85f2cceef60c752c12b1e23bbf4527d8c9df21cdf06fc6918d2c5acad3a422e8
Instruction Fuzzy Hash: 9F90027120100907D100619A950C7170145E7D0281F51D411A4814558DD69688617261

Uniqueness

Uniqueness Score: -1.00%

Function 010DA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33baffd9ff420b536f268bdb35a5fbae1515994a0ba135e7dd862113391a9227
Instruction ID: c1862e1e37714a4eb88d74de47b98953cb85af172f1c3f6798ca942fb891fd83
Opcode Fuzzy Hash: 33baffd9ff420b536f268bdb35a5fbae1515994a0ba135e7dd862113391a9227
Instruction Fuzzy Hash: 8190027520504946D500659A9808A970145E7D0385F51D411A481459CDC6948871B261

Uniqueness

Uniqueness Score: -1.00%

Function 010D9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80cd9f12b57b9da669bf306b5691cbe6da4d2b90cbbd8e305449533875bc256
Instruction ID: cb7275046a58778fb145306c535a2d8bedc4806857dd4fdccada75469e7d101a
Opcode Fuzzy Hash: c80cd9f12b57b9da669bf306b5691cbe6da4d2b90cbbd8e305449533875bc256
Instruction Fuzzy Hash: 5790026120504946D100659A940CA160145E7D0285F51D011A5454595DC6758861B271

Uniqueness

Uniqueness Score: -1.00%

Function 010D9780, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a29097f4620b99412f1dc35a48d67e09fd630681088aa3e38992724acda6b6a7
Instruction ID: 725ec7f25ef69b43662c48c956e0d922abd8da19fadbb0c5945bde849ae81a9c
Opcode Fuzzy Hash: a29097f4620b99412f1dc35a48d67e09fd630681088aa3e38992724acda6b6a7
Instruction Fuzzy Hash: F590026921300506D180719A940C61A0145E7D1282F91D415A4405558CC95588796361

Uniqueness

Uniqueness Score: -1.00%

Function 010D97A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 380f89161d4ff9a10bcfff24dad9a4778822084ae220877cc960bfe2a58e64ca
Instruction ID: 41cb5418c73392f7213d317a81cd68bb333ccf6d0fe3d1a827474a8422c24754
Opcode Fuzzy Hash: 380f89161d4ff9a10bcfff24dad9a4778822084ae220877cc960bfe2a58e64ca
Instruction Fuzzy Hash: 1590026130100507D140719A941C6164145F7E1381F51D011E4804554CD95588666362

Uniqueness

Uniqueness Score: -1.00%

Function 010D9FE0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 058dfeace22d23bb7f6b0458dca5af00d507b7101c701a1454f9a36367800e62
Instruction ID: f1be452a8a1232b44fe46472f362d9ba23353dbcafc78ee71eb95a83d566890f
Opcode Fuzzy Hash: 058dfeace22d23bb7f6b0458dca5af00d507b7101c701a1454f9a36367800e62
Instruction Fuzzy Hash: 7590027131114906D110619AC4087160145E7D1281F51C411A4C14558DC6D588A17262

Uniqueness

Uniqueness Score: -1.00%

Function 010D9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc1e4bbc2898be156727053f9c4854a80c476028767719fdddfb2b220103003
Instruction ID: fe6745cffefc2e2db680f9524f04f372458ae58003ea565dba65eeda48df6030
Opcode Fuzzy Hash: 5bc1e4bbc2898be156727053f9c4854a80c476028767719fdddfb2b220103003
Instruction Fuzzy Hash: 3C90027160500D06D150719A84187560145E7D0381F51C011A4414654DC7958A6577E1

Uniqueness

Uniqueness Score: -1.00%

Function 01097CC0, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 198COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01097D51
___swprintf_l.LIBCMT ref: 01097D73
___swprintf_l.LIBCMT ref: 010F2C3D

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 010F2C5E
::%hs%u.%u.%u.%u, xrefs: 010F2C36
ffff:, xrefs: 010F2C0E, 010F2C35
:%u.%u.%u.%u, xrefs: 010F2D10

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 732531051870b90264b4bb05f2468b4cf0cdd9cdba8232da07b811516bef50d8
Instruction ID: 26e63e9021be49613752581b8bf54c304b9f43bf28931e2bdfcdf757dc9648e5
Opcode Fuzzy Hash: 732531051870b90264b4bb05f2468b4cf0cdd9cdba8232da07b811516bef50d8
Instruction Fuzzy Hash: 3C61D6B2A1015AAFCF10EF9DC89097EF7F8BF58200B108269E9D4D7641D374DE509BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010940FD, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 010F058F
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 010F05AC
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010F0566
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 010F04BF
Execute=1, xrefs: 010F057D
ExecuteOptions, xrefs: 010F050A
CLIENT(ntdll): Processing section info %ws..., xrefs: 010F05F1

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 67d8725a48461ab840e806fde72271362b77a2a338146648699585e9ab7c4a73
Instruction ID: 70974fb8ce9eee39aa9ba71c8b10930d85124c050c8c93bae42972ce971b5c8f
Opcode Fuzzy Hash: 67d8725a48461ab840e806fde72271362b77a2a338146648699585e9ab7c4a73
Instruction Fuzzy Hash: E3618D71B4021A7AEF20DA54EDA5FFE77A9EF28304F0400D9E685D7181DB709A42DB60

Uniqueness

Uniqueness Score: -1.00%

Function 010977A0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010F2953

Strings

RTL: Resource at %p, xrefs: 010F296B
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 010F295B
RTL: Re-Waiting, xrefs: 010F2988

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 8e4a2ca963e77c1d79398b66fcb83e57c7174c3a9287c4935b3e628f86b1b630
Instruction ID: 87eaa0bc315319c0bb9d513cb82f111333501a02a78dc7a787e764c84ed510ca
Opcode Fuzzy Hash: 8e4a2ca963e77c1d79398b66fcb83e57c7174c3a9287c4935b3e628f86b1b630
Instruction Fuzzy Hash: E9314932A00632BBDB215A15CC81FAB7BA5FF11B60F500258EEC4ABA81D711F811DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 010D1CC7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

@, xrefs: 010D1D1B
$, xrefs: 010D1D37

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 198ac7b456e0d7237a9591bc943122ed9460eebb549a56087e334717f9ba6f03
Instruction ID: d230fcb266ffe019665c8051f7dbce721e36641e866b06ac9f70cc9367851ad3
Opcode Fuzzy Hash: 198ac7b456e0d7237a9591bc943122ed9460eebb549a56087e334717f9ba6f03
Instruction Fuzzy Hash: E8812D71D002699BDB35DF94CC45BEEBAB8AF09714F0441EAAA1DB7280D7705E85CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0112FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0112FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0112FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0112FE01

Memory Dump Source

Source File: 00000004.00000002.681273392.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 79be0e06e9cc1c0520f9f1f960ee67d0f6dd50ae3c3d834515e8f6110f560bac
Instruction ID: ace52edace65256f09a96a3c7ac73b29363c677dfab16bd128680ba11c8bfeaf
Opcode Fuzzy Hash: 79be0e06e9cc1c0520f9f1f960ee67d0f6dd50ae3c3d834515e8f6110f560bac
Instruction Fuzzy Hash: D4F0F672244612BFE6292A45DC02F73BF6AEB44B70F150318F6685A1D1DAA2FC30D6F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior