Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe

Overview

General Information

Sample Name:T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
Analysis ID:412016
MD5:33d849675e66bf8332b4bb2e4a1d923f
SHA1:5a6a124d73391b021ffb15b5fe0bef53882e9d9b
SHA256:77a065555ec0a5c4dfbae72cdb035af45edf7997b1859fa75a158c40f119a020
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
    00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
        Click to see the 3 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
          • 0x158b9:$sqlite3step: 68 34 1C 7B E1
          • 0x159cc:$sqlite3step: 68 34 1C 7B E1
          • 0x158e8:$sqlite3text: 68 38 2A 90 C5
          • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
          • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
          • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
          3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
            3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
            • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
            Click to see the 1 entries

            Sigma Overview

            System Summary:

            barindex
            Sigma detected: Suspicious Double ExtensionShow sources
            Source: Process startedAuthor: Florian Roth (rule), @blu3_team (idea): Data: Command: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, CommandLine: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, NewProcessName: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, OriginalFileName: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe' , ParentImage: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, ParentProcessId: 6764, ProcessCommandLine: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, ProcessId: 6892

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.rogegalmish.com/a8si/"], "decoy": ["mosquitocontrolpro.com", "omfgphil.com", "qqkit.net", "compusolutionsac.com", "skynetaccess.com", "helmetmoto.com", "webdomoupravitel.com", "thepocket-onlinelesson.xyz", "stefaniehirsch.space", "goalsandballs.com", "xn--bro-ba-3ya.com", "tomrings.com", "4520oceanviewavenue.com", "mamaebemorientada.com", "shopwreathrails.com", "restaurantestancia.com", "annaquatics.info", "mnarchitect.design", "best-cleaner.com", "jobhuizhan.com", "check-info-bank.network", "boostcoachingonline.com", "basimogroup.com", "076fb5.com", "conansr.icu", "numbereightturquoise.com", "southernbrushworks.com", "home-inland.com", "irrpa.com", "ethereumdailypay.com", "betsysellsswfl.com", "cutebyconstance.website", "modelsnt.com", "medifilt.com", "tracisolomon.xyz", "dchaulingdisposal.com", "minchenhy.com", "smart4earth.com", "rackembilliards.com", "benschiller-coaching.com", "virtualroasters.com", "applewholesales.com", "thesidspot.com", "grechenblogs.com", "marshlandlogisticsservices.net", "covidokotoks.com", "mirabilla.com", "hunab.tech", "foreverjsdesigns.com", "heipacc.info", "simon-schilling.com", "shirleyeluiz.com", "juguetibicicollectors.com", "70shousemanchester.com", "tranthaolinh.net", "urbanpokebar.com", "madras-spice.com", "fulmardelta.net", "drisu-goalkeeping.com", "jiotest.com", "vitatiensa.com", "melbournebusinesslawyers.net", "rajehomes.com", "company-for-you.com"]}
            Multi AV Scanner detection for submitted fileShow sources
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeVirustotal: Detection: 58%Perma Link
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeReversingLabs: Detection: 68%
            Yara detected FormBookShow sources
            Source: Yara matchFile source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Machine Learning detection for sampleShow sources
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeJoe Sandbox ML: detected
            Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: wntdll.pdbUGP source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_0B777B00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_0B777BB4
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_0B777AF0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 4x nop then pop ebx3_2_00406A9A

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: www.rogegalmish.com/a8si/
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338326905.0000000002DB1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

            E-Banking Fraud:

            barindex
            Yara detected FormBookShow sources
            Source: Yara matchFile source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Initial sample is a PE file and has a suspicious nameShow sources
            Source: initial sampleStatic PE information: Filename: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_004181C0 NtCreateFile,3_2_004181C0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_00418270 NtReadFile,3_2_00418270
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_004182F0 NtClose,3_2_004182F0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_004183A0 NtAllocateVirtualMemory,3_2_004183A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041826A NtReadFile,3_2_0041826A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041839A NtAllocateVirtualMemory,3_2_0041839A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369860 NtQuerySystemInformation,LdrInitializeThunk,3_2_01369860
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_01369660
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013696E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_013696E0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369910 NtAdjustPrivilegesToken,3_2_01369910
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369950 NtQueueApcThread,3_2_01369950
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013699A0 NtCreateSection,3_2_013699A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013699D0 NtCreateProcessEx,3_2_013699D0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369820 NtEnumerateKey,3_2_01369820
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0136B040 NtSuspendThread,3_2_0136B040
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369840 NtDelayExecution,3_2_01369840
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013698A0 NtWriteVirtualMemory,3_2_013698A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013698F0 NtReadVirtualMemory,3_2_013698F0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369B00 NtSetValueKey,3_2_01369B00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0136A3B0 NtGetContextThread,3_2_0136A3B0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369A20 NtResumeThread,3_2_01369A20
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369A10 NtQuerySection,3_2_01369A10
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369A00 NtProtectVirtualMemory,3_2_01369A00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369A50 NtCreateFile,3_2_01369A50
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369A80 NtOpenDirectoryObject,3_2_01369A80
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0136AD30 NtSetContextThread,3_2_0136AD30
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369520 NtWaitForSingleObject,3_2_01369520
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369560 NtWriteFile,3_2_01369560
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369540 NtReadFile,3_2_01369540
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013695F0 NtQueryInformationFile,3_2_013695F0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013695D0 NtClose,3_2_013695D0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369730 NtQueryVirtualMemory,3_2_01369730
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369710 NtQueryInformationToken,3_2_01369710
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0136A710 NtOpenProcessToken,3_2_0136A710
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0136A770 NtOpenThread,3_2_0136A770
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369770 NtSetInformationFile,3_2_01369770
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369760 NtOpenProcess,3_2_01369760
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013697A0 NtUnmapViewOfSection,3_2_013697A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369780 NtMapViewOfSection,3_2_01369780
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369FE0 NtCreateMutant,3_2_01369FE0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369610 NtEnumerateValueKey,3_2_01369610
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369670 NtQueryInformationProcess,3_2_01369670
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369650 NtQueryValueKey,3_2_01369650
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_02C4C2B00_2_02C4C2B0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_02C499680_2_02C49968
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7782210_2_0B778221
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B770FA80_2_0B770FA8
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7700400_2_0B770040
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7700330_2_0B770033
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7717E80_2_0B7717E8
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7717D90_2_0B7717D9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B770F980_2_0B770F98
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7736600_2_0B773660
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B771E400_2_0B771E40
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B771E390_2_0B771E39
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7756900_2_0B775690
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7756800_2_0B775680
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7714E00_2_0B7714E0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7714CF0_2_0B7714CF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_004010303_2_00401030
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041C2733_2_0041C273
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041BAA23_2_0041BAA2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_00408C5B3_2_00408C5B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_00408C603_2_00408C60
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041BC223_2_0041BC22
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041CC243_2_0041CC24
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041B4A63_2_0041B4A6
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041BD4F3_2_0041BD4F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041C5013_2_0041C501
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_00402D873_2_00402D87
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_00402D903_2_00402D90
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041BDBD3_2_0041BDBD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041BF3C3_2_0041BF3C
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041C7A53_2_0041C7A5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_00402FB03_2_00402FB0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013441203_2_01344120
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132F9003_2_0132F900
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013429903_2_01342990
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133C1C03_2_0133C1C0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A8303_2_0134A830
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013FE8243_2_013FE824
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135701D3_2_0135701D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013268003_2_01326800
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E10023_2_013E1002
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013520A03_2_013520A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F20A83_2_013F20A8
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133B0903_2_0133B090
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E60F53_2_013E60F5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F28EC3_2_013F28EC
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F2B283_2_013F2B28
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E231B3_2_013E231B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A3093_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013433603_2_01343360
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013CCB4F3_2_013CCB4F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134AB403_2_0134AB40
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135EBB03_2_0135EBB0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134EB9A3_2_0134EB9A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013CEB8A3_2_013CEB8A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135138B3_2_0135138B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013D23E33_2_013D23E3
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01378BE83_2_01378BE8
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E03DA3_2_013E03DA
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EDBD23_2_013EDBD2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135ABD83_2_0135ABD8
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B2363_2_0134B236
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013DFA2B3_2_013DFA2B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E5A4F3_2_013E5A4F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F22AE3_2_013F22AE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F32A93_2_013F32A9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EE2C53_2_013EE2C5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01320D203_2_01320D20
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F2D073_2_013F2D07
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01342D503_2_01342D50
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F1D553_2_013F1D55
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013565A03_2_013565A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013525813_2_01352581
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E2D823_2_013E2D82
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133D5E03_2_0133D5E0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F25DD3_2_013F25DD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013424303_2_01342430
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133841F3_2_0133841F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B4773_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013ED4663_2_013ED466
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E44963_2_013E4496
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01354CD43_2_01354CD4
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F1FF13_2_013F1FF1
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E67E23_2_013E67E2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013FDFCE3_2_013FDFCE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01346E303_2_01346E30
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013ED6163_2_013ED616
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013456003_2_01345600
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013AAE603_2_013AAE60
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: String function: 0132B150 appears 159 times
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: String function: 0137D08C appears 46 times
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: String function: 013B5720 appears 81 times
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.337682836.0000000000B2A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAsyncReplySink.exe0 vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.342343612.0000000006220000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDSASignature.dll@ vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338326905.0000000002DB1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSimpleUI.dll( vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000002.00000000.335604595.000000000038A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAsyncReplySink.exe0 vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000003.00000002.338967434.000000000091A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAsyncReplySink.exe0 vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000003.00000002.339718035.00000000015AF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeBinary or memory string: OriginalFilenameAsyncReplySink.exe0 vs T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.troj.evad.winEXE@5/1@0/0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.logJump to behavior
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeVirustotal: Detection: 58%
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeReversingLabs: Detection: 68%
            Source: unknownProcess created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe 'C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe'
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: wntdll.pdbUGP source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 0_2_0B7705DC push ebx; iretd 0_2_0B7705DD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_004161E7 push edi; retf 3_2_004161E8
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_004151B4 pushfd ; ret 3_2_004151D9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041B3B5 push eax; ret 3_2_0041B408
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041B46C push eax; ret 3_2_0041B472
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041B402 push eax; ret 3_2_0041B408
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041B40B push eax; ret 3_2_0041B472
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0041543B pushfd ; iretd 3_2_0041543E
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_00415485 push edx; ret 3_2_00415496
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0137D0D1 push ecx; ret 3_2_0137D0E4
            Source: initial sampleStatic PE information: section name: .text entropy: 7.68296959496

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Uses an obfuscated file name to hide its real file extension (double extension)Show sources
            Source: Possible double extension: pdf.exeStatic PE information: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Yara detected AntiVM3Show sources
            Source: Yara matchFile source: 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 6764, type: MEMORY
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_004088B0 rdtsc 3_2_004088B0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe TID: 6768Thread sleep time: -100297s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe TID: 6788Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeThread delayed: delay time: 100297Jump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: vmware
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: VMWARE
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
            Source: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_004088B0 rdtsc 3_2_004088B0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01369860 NtQuerySystemInformation,LdrInitializeThunk,3_2_01369860
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01323138 mov ecx, dword ptr fs:[00000030h]3_2_01323138
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135513A mov eax, dword ptr fs:[00000030h]3_2_0135513A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135513A mov eax, dword ptr fs:[00000030h]3_2_0135513A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01344120 mov eax, dword ptr fs:[00000030h]3_2_01344120
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01344120 mov eax, dword ptr fs:[00000030h]3_2_01344120
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01344120 mov eax, dword ptr fs:[00000030h]3_2_01344120
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01344120 mov eax, dword ptr fs:[00000030h]3_2_01344120
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01344120 mov ecx, dword ptr fs:[00000030h]3_2_01344120
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01329100 mov eax, dword ptr fs:[00000030h]3_2_01329100
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01329100 mov eax, dword ptr fs:[00000030h]3_2_01329100
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01329100 mov eax, dword ptr fs:[00000030h]3_2_01329100
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01330100 mov eax, dword ptr fs:[00000030h]3_2_01330100
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01330100 mov eax, dword ptr fs:[00000030h]3_2_01330100
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01330100 mov eax, dword ptr fs:[00000030h]3_2_01330100
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132B171 mov eax, dword ptr fs:[00000030h]3_2_0132B171
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132B171 mov eax, dword ptr fs:[00000030h]3_2_0132B171
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132C962 mov eax, dword ptr fs:[00000030h]3_2_0132C962
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F8966 mov eax, dword ptr fs:[00000030h]3_2_013F8966
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EE962 mov eax, dword ptr fs:[00000030h]3_2_013EE962
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132395E mov eax, dword ptr fs:[00000030h]3_2_0132395E
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132395E mov eax, dword ptr fs:[00000030h]3_2_0132395E
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1951 mov eax, dword ptr fs:[00000030h]3_2_013E1951
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B944 mov eax, dword ptr fs:[00000030h]3_2_0134B944
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B944 mov eax, dword ptr fs:[00000030h]3_2_0134B944
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A51BE mov eax, dword ptr fs:[00000030h]3_2_013A51BE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A51BE mov eax, dword ptr fs:[00000030h]3_2_013A51BE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A51BE mov eax, dword ptr fs:[00000030h]3_2_013A51BE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A51BE mov eax, dword ptr fs:[00000030h]3_2_013A51BE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135C9BF mov eax, dword ptr fs:[00000030h]3_2_0135C9BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135C9BF mov eax, dword ptr fs:[00000030h]3_2_0135C9BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013FF1B5 mov eax, dword ptr fs:[00000030h]3_2_013FF1B5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013FF1B5 mov eax, dword ptr fs:[00000030h]3_2_013FF1B5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov ecx, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov ecx, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov eax, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov ecx, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov ecx, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov eax, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov ecx, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov ecx, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov eax, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov ecx, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov ecx, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013499BF mov eax, dword ptr fs:[00000030h]3_2_013499BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013361A7 mov eax, dword ptr fs:[00000030h]3_2_013361A7
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013361A7 mov eax, dword ptr fs:[00000030h]3_2_013361A7
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013361A7 mov eax, dword ptr fs:[00000030h]3_2_013361A7
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013361A7 mov eax, dword ptr fs:[00000030h]3_2_013361A7
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013561A0 mov eax, dword ptr fs:[00000030h]3_2_013561A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013561A0 mov eax, dword ptr fs:[00000030h]3_2_013561A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E49A4 mov eax, dword ptr fs:[00000030h]3_2_013E49A4
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E49A4 mov eax, dword ptr fs:[00000030h]3_2_013E49A4
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E49A4 mov eax, dword ptr fs:[00000030h]3_2_013E49A4
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E49A4 mov eax, dword ptr fs:[00000030h]3_2_013E49A4
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A69A6 mov eax, dword ptr fs:[00000030h]3_2_013A69A6
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01352990 mov eax, dword ptr fs:[00000030h]3_2_01352990
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01354190 mov eax, dword ptr fs:[00000030h]3_2_01354190
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132519E mov eax, dword ptr fs:[00000030h]3_2_0132519E
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132519E mov ecx, dword ptr fs:[00000030h]3_2_0132519E
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135A185 mov eax, dword ptr fs:[00000030h]3_2_0135A185
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134C182 mov eax, dword ptr fs:[00000030h]3_2_0134C182
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EA189 mov eax, dword ptr fs:[00000030h]3_2_013EA189
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EA189 mov ecx, dword ptr fs:[00000030h]3_2_013EA189
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013231E0 mov eax, dword ptr fs:[00000030h]3_2_013231E0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013B41E8 mov eax, dword ptr fs:[00000030h]3_2_013B41E8
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132B1E1 mov eax, dword ptr fs:[00000030h]3_2_0132B1E1
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132B1E1 mov eax, dword ptr fs:[00000030h]3_2_0132B1E1
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132B1E1 mov eax, dword ptr fs:[00000030h]3_2_0132B1E1
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F89E7 mov eax, dword ptr fs:[00000030h]3_2_013F89E7
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E19D8 mov eax, dword ptr fs:[00000030h]3_2_013E19D8
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133C1C0 mov eax, dword ptr fs:[00000030h]3_2_0133C1C0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013399C7 mov eax, dword ptr fs:[00000030h]3_2_013399C7
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013399C7 mov eax, dword ptr fs:[00000030h]3_2_013399C7
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013399C7 mov eax, dword ptr fs:[00000030h]3_2_013399C7
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013399C7 mov eax, dword ptr fs:[00000030h]3_2_013399C7
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A830 mov eax, dword ptr fs:[00000030h]3_2_0134A830
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A830 mov eax, dword ptr fs:[00000030h]3_2_0134A830
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A830 mov eax, dword ptr fs:[00000030h]3_2_0134A830
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A830 mov eax, dword ptr fs:[00000030h]3_2_0134A830
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01354020 mov edi, dword ptr fs:[00000030h]3_2_01354020
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135002D mov eax, dword ptr fs:[00000030h]3_2_0135002D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135002D mov eax, dword ptr fs:[00000030h]3_2_0135002D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135002D mov eax, dword ptr fs:[00000030h]3_2_0135002D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135002D mov eax, dword ptr fs:[00000030h]3_2_0135002D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135002D mov eax, dword ptr fs:[00000030h]3_2_0135002D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133B02A mov eax, dword ptr fs:[00000030h]3_2_0133B02A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133B02A mov eax, dword ptr fs:[00000030h]3_2_0133B02A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133B02A mov eax, dword ptr fs:[00000030h]3_2_0133B02A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133B02A mov eax, dword ptr fs:[00000030h]3_2_0133B02A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135701D mov eax, dword ptr fs:[00000030h]3_2_0135701D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135701D mov eax, dword ptr fs:[00000030h]3_2_0135701D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135701D mov eax, dword ptr fs:[00000030h]3_2_0135701D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135701D mov eax, dword ptr fs:[00000030h]3_2_0135701D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135701D mov eax, dword ptr fs:[00000030h]3_2_0135701D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135701D mov eax, dword ptr fs:[00000030h]3_2_0135701D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F4015 mov eax, dword ptr fs:[00000030h]3_2_013F4015
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F4015 mov eax, dword ptr fs:[00000030h]3_2_013F4015
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A7016 mov eax, dword ptr fs:[00000030h]3_2_013A7016
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A7016 mov eax, dword ptr fs:[00000030h]3_2_013A7016
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A7016 mov eax, dword ptr fs:[00000030h]3_2_013A7016
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01326800 mov eax, dword ptr fs:[00000030h]3_2_01326800
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01326800 mov eax, dword ptr fs:[00000030h]3_2_01326800
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01326800 mov eax, dword ptr fs:[00000030h]3_2_01326800
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F1074 mov eax, dword ptr fs:[00000030h]3_2_013F1074
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E2073 mov eax, dword ptr fs:[00000030h]3_2_013E2073
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134F86D mov eax, dword ptr fs:[00000030h]3_2_0134F86D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01325050 mov eax, dword ptr fs:[00000030h]3_2_01325050
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01325050 mov eax, dword ptr fs:[00000030h]3_2_01325050
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01325050 mov eax, dword ptr fs:[00000030h]3_2_01325050
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01340050 mov eax, dword ptr fs:[00000030h]3_2_01340050
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01340050 mov eax, dword ptr fs:[00000030h]3_2_01340050
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01327057 mov eax, dword ptr fs:[00000030h]3_2_01327057
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1843 mov eax, dword ptr fs:[00000030h]3_2_013E1843
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135F0BF mov ecx, dword ptr fs:[00000030h]3_2_0135F0BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135F0BF mov eax, dword ptr fs:[00000030h]3_2_0135F0BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135F0BF mov eax, dword ptr fs:[00000030h]3_2_0135F0BF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013520A0 mov eax, dword ptr fs:[00000030h]3_2_013520A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013520A0 mov eax, dword ptr fs:[00000030h]3_2_013520A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013520A0 mov eax, dword ptr fs:[00000030h]3_2_013520A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013520A0 mov eax, dword ptr fs:[00000030h]3_2_013520A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013520A0 mov eax, dword ptr fs:[00000030h]3_2_013520A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013520A0 mov eax, dword ptr fs:[00000030h]3_2_013520A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013578A0 mov eax, dword ptr fs:[00000030h]3_2_013578A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013578A0 mov eax, dword ptr fs:[00000030h]3_2_013578A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013578A0 mov eax, dword ptr fs:[00000030h]3_2_013578A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013578A0 mov eax, dword ptr fs:[00000030h]3_2_013578A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013578A0 mov eax, dword ptr fs:[00000030h]3_2_013578A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013578A0 mov eax, dword ptr fs:[00000030h]3_2_013578A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013578A0 mov eax, dword ptr fs:[00000030h]3_2_013578A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013578A0 mov eax, dword ptr fs:[00000030h]3_2_013578A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013578A0 mov eax, dword ptr fs:[00000030h]3_2_013578A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013690AF mov eax, dword ptr fs:[00000030h]3_2_013690AF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013328AE mov eax, dword ptr fs:[00000030h]3_2_013328AE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013328AE mov eax, dword ptr fs:[00000030h]3_2_013328AE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013328AE mov eax, dword ptr fs:[00000030h]3_2_013328AE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013328AE mov ecx, dword ptr fs:[00000030h]3_2_013328AE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013328AE mov eax, dword ptr fs:[00000030h]3_2_013328AE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013328AE mov eax, dword ptr fs:[00000030h]3_2_013328AE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01329080 mov eax, dword ptr fs:[00000030h]3_2_01329080
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01323880 mov eax, dword ptr fs:[00000030h]3_2_01323880
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01323880 mov eax, dword ptr fs:[00000030h]3_2_01323880
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A3884 mov eax, dword ptr fs:[00000030h]3_2_013A3884
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A3884 mov eax, dword ptr fs:[00000030h]3_2_013A3884
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E60F5 mov eax, dword ptr fs:[00000030h]3_2_013E60F5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E60F5 mov eax, dword ptr fs:[00000030h]3_2_013E60F5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E60F5 mov eax, dword ptr fs:[00000030h]3_2_013E60F5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E60F5 mov eax, dword ptr fs:[00000030h]3_2_013E60F5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013328FD mov eax, dword ptr fs:[00000030h]3_2_013328FD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013328FD mov eax, dword ptr fs:[00000030h]3_2_013328FD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013328FD mov eax, dword ptr fs:[00000030h]3_2_013328FD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B8E4 mov eax, dword ptr fs:[00000030h]3_2_0134B8E4
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B8E4 mov eax, dword ptr fs:[00000030h]3_2_0134B8E4
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013240E1 mov eax, dword ptr fs:[00000030h]3_2_013240E1
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013240E1 mov eax, dword ptr fs:[00000030h]3_2_013240E1
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013240E1 mov eax, dword ptr fs:[00000030h]3_2_013240E1
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013258EC mov eax, dword ptr fs:[00000030h]3_2_013258EC
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013278D6 mov eax, dword ptr fs:[00000030h]3_2_013278D6
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013278D6 mov eax, dword ptr fs:[00000030h]3_2_013278D6
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013278D6 mov ecx, dword ptr fs:[00000030h]3_2_013278D6
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013270C0 mov eax, dword ptr fs:[00000030h]3_2_013270C0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013270C0 mov eax, dword ptr fs:[00000030h]3_2_013270C0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E18CA mov eax, dword ptr fs:[00000030h]3_2_013E18CA
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E131B mov eax, dword ptr fs:[00000030h]3_2_013E131B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A309 mov eax, dword ptr fs:[00000030h]3_2_0134A309
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133F370 mov eax, dword ptr fs:[00000030h]3_2_0133F370
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133F370 mov eax, dword ptr fs:[00000030h]3_2_0133F370
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133F370 mov eax, dword ptr fs:[00000030h]3_2_0133F370
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01353B7A mov eax, dword ptr fs:[00000030h]3_2_01353B7A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01353B7A mov eax, dword ptr fs:[00000030h]3_2_01353B7A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132DB60 mov ecx, dword ptr fs:[00000030h]3_2_0132DB60
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013B6365 mov eax, dword ptr fs:[00000030h]3_2_013B6365
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013B6365 mov eax, dword ptr fs:[00000030h]3_2_013B6365
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013B6365 mov eax, dword ptr fs:[00000030h]3_2_013B6365
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F8B58 mov eax, dword ptr fs:[00000030h]3_2_013F8B58
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132F358 mov eax, dword ptr fs:[00000030h]3_2_0132F358
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01353B5A mov eax, dword ptr fs:[00000030h]3_2_01353B5A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01353B5A mov eax, dword ptr fs:[00000030h]3_2_01353B5A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01353B5A mov eax, dword ptr fs:[00000030h]3_2_01353B5A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01353B5A mov eax, dword ptr fs:[00000030h]3_2_01353B5A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132DB40 mov eax, dword ptr fs:[00000030h]3_2_0132DB40
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F9BBE mov eax, dword ptr fs:[00000030h]3_2_013F9BBE
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F8BB6 mov eax, dword ptr fs:[00000030h]3_2_013F8BB6
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1BA8 mov eax, dword ptr fs:[00000030h]3_2_013E1BA8
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01354BAD mov eax, dword ptr fs:[00000030h]3_2_01354BAD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01354BAD mov eax, dword ptr fs:[00000030h]3_2_01354BAD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01354BAD mov eax, dword ptr fs:[00000030h]3_2_01354BAD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F5BA5 mov eax, dword ptr fs:[00000030h]3_2_013F5BA5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01352397 mov eax, dword ptr fs:[00000030h]3_2_01352397
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135B390 mov eax, dword ptr fs:[00000030h]3_2_0135B390
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01324B94 mov edi, dword ptr fs:[00000030h]3_2_01324B94
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134EB9A mov eax, dword ptr fs:[00000030h]3_2_0134EB9A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134EB9A mov eax, dword ptr fs:[00000030h]3_2_0134EB9A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E138A mov eax, dword ptr fs:[00000030h]3_2_013E138A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013CEB8A mov ecx, dword ptr fs:[00000030h]3_2_013CEB8A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013CEB8A mov eax, dword ptr fs:[00000030h]3_2_013CEB8A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013CEB8A mov eax, dword ptr fs:[00000030h]3_2_013CEB8A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013CEB8A mov eax, dword ptr fs:[00000030h]3_2_013CEB8A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01331B8F mov eax, dword ptr fs:[00000030h]3_2_01331B8F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01331B8F mov eax, dword ptr fs:[00000030h]3_2_01331B8F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013DD380 mov ecx, dword ptr fs:[00000030h]3_2_013DD380
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135138B mov eax, dword ptr fs:[00000030h]3_2_0135138B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135138B mov eax, dword ptr fs:[00000030h]3_2_0135138B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135138B mov eax, dword ptr fs:[00000030h]3_2_0135138B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013503E2 mov eax, dword ptr fs:[00000030h]3_2_013503E2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013503E2 mov eax, dword ptr fs:[00000030h]3_2_013503E2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013503E2 mov eax, dword ptr fs:[00000030h]3_2_013503E2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013503E2 mov eax, dword ptr fs:[00000030h]3_2_013503E2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013503E2 mov eax, dword ptr fs:[00000030h]3_2_013503E2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013503E2 mov eax, dword ptr fs:[00000030h]3_2_013503E2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01321BE9 mov eax, dword ptr fs:[00000030h]3_2_01321BE9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134DBE9 mov eax, dword ptr fs:[00000030h]3_2_0134DBE9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013D23E3 mov ecx, dword ptr fs:[00000030h]3_2_013D23E3
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013D23E3 mov ecx, dword ptr fs:[00000030h]3_2_013D23E3
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013D23E3 mov eax, dword ptr fs:[00000030h]3_2_013D23E3
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A53CA mov eax, dword ptr fs:[00000030h]3_2_013A53CA
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A53CA mov eax, dword ptr fs:[00000030h]3_2_013A53CA
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013553C5 mov eax, dword ptr fs:[00000030h]3_2_013553C5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B236 mov eax, dword ptr fs:[00000030h]3_2_0134B236
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B236 mov eax, dword ptr fs:[00000030h]3_2_0134B236
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B236 mov eax, dword ptr fs:[00000030h]3_2_0134B236
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B236 mov eax, dword ptr fs:[00000030h]3_2_0134B236
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B236 mov eax, dword ptr fs:[00000030h]3_2_0134B236
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B236 mov eax, dword ptr fs:[00000030h]3_2_0134B236
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01328239 mov eax, dword ptr fs:[00000030h]3_2_01328239
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01328239 mov eax, dword ptr fs:[00000030h]3_2_01328239
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01328239 mov eax, dword ptr fs:[00000030h]3_2_01328239
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01324A20 mov eax, dword ptr fs:[00000030h]3_2_01324A20
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01324A20 mov eax, dword ptr fs:[00000030h]3_2_01324A20
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1229 mov eax, dword ptr fs:[00000030h]3_2_013E1229
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01364A2C mov eax, dword ptr fs:[00000030h]3_2_01364A2C
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01364A2C mov eax, dword ptr fs:[00000030h]3_2_01364A2C
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A229 mov eax, dword ptr fs:[00000030h]3_2_0134A229
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A229 mov eax, dword ptr fs:[00000030h]3_2_0134A229
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A229 mov eax, dword ptr fs:[00000030h]3_2_0134A229
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A229 mov eax, dword ptr fs:[00000030h]3_2_0134A229
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A229 mov eax, dword ptr fs:[00000030h]3_2_0134A229
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A229 mov eax, dword ptr fs:[00000030h]3_2_0134A229
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A229 mov eax, dword ptr fs:[00000030h]3_2_0134A229
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A229 mov eax, dword ptr fs:[00000030h]3_2_0134A229
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134A229 mov eax, dword ptr fs:[00000030h]3_2_0134A229
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01325210 mov eax, dword ptr fs:[00000030h]3_2_01325210
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01325210 mov ecx, dword ptr fs:[00000030h]3_2_01325210
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01325210 mov eax, dword ptr fs:[00000030h]3_2_01325210
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01325210 mov eax, dword ptr fs:[00000030h]3_2_01325210
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132AA16 mov eax, dword ptr fs:[00000030h]3_2_0132AA16
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132AA16 mov eax, dword ptr fs:[00000030h]3_2_0132AA16
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01343A1C mov eax, dword ptr fs:[00000030h]3_2_01343A1C
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EAA16 mov eax, dword ptr fs:[00000030h]3_2_013EAA16
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EAA16 mov eax, dword ptr fs:[00000030h]3_2_013EAA16
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov ecx, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133BA00 mov eax, dword ptr fs:[00000030h]3_2_0133BA00
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01338A0A mov eax, dword ptr fs:[00000030h]3_2_01338A0A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0136927A mov eax, dword ptr fs:[00000030h]3_2_0136927A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013DB260 mov eax, dword ptr fs:[00000030h]3_2_013DB260
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013DB260 mov eax, dword ptr fs:[00000030h]3_2_013DB260
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F8A62 mov eax, dword ptr fs:[00000030h]3_2_013F8A62
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01365A69 mov eax, dword ptr fs:[00000030h]3_2_01365A69
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01365A69 mov eax, dword ptr fs:[00000030h]3_2_01365A69
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01365A69 mov eax, dword ptr fs:[00000030h]3_2_01365A69
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1A5F mov eax, dword ptr fs:[00000030h]3_2_013E1A5F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EEA55 mov eax, dword ptr fs:[00000030h]3_2_013EEA55
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013B4257 mov eax, dword ptr fs:[00000030h]3_2_013B4257
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E5A4F mov eax, dword ptr fs:[00000030h]3_2_013E5A4F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E5A4F mov eax, dword ptr fs:[00000030h]3_2_013E5A4F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E5A4F mov eax, dword ptr fs:[00000030h]3_2_013E5A4F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E5A4F mov eax, dword ptr fs:[00000030h]3_2_013E5A4F
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01329240 mov eax, dword ptr fs:[00000030h]3_2_01329240
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01329240 mov eax, dword ptr fs:[00000030h]3_2_01329240
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01329240 mov eax, dword ptr fs:[00000030h]3_2_01329240
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01329240 mov eax, dword ptr fs:[00000030h]3_2_01329240
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133AAB0 mov eax, dword ptr fs:[00000030h]3_2_0133AAB0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133AAB0 mov eax, dword ptr fs:[00000030h]3_2_0133AAB0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135FAB0 mov eax, dword ptr fs:[00000030h]3_2_0135FAB0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013512BD mov esi, dword ptr fs:[00000030h]3_2_013512BD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013512BD mov eax, dword ptr fs:[00000030h]3_2_013512BD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013512BD mov eax, dword ptr fs:[00000030h]3_2_013512BD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01321AA0 mov eax, dword ptr fs:[00000030h]3_2_01321AA0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013362A0 mov eax, dword ptr fs:[00000030h]3_2_013362A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013362A0 mov eax, dword ptr fs:[00000030h]3_2_013362A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013362A0 mov eax, dword ptr fs:[00000030h]3_2_013362A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013362A0 mov eax, dword ptr fs:[00000030h]3_2_013362A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01355AA0 mov eax, dword ptr fs:[00000030h]3_2_01355AA0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01355AA0 mov eax, dword ptr fs:[00000030h]3_2_01355AA0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013252A5 mov eax, dword ptr fs:[00000030h]3_2_013252A5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013252A5 mov eax, dword ptr fs:[00000030h]3_2_013252A5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013252A5 mov eax, dword ptr fs:[00000030h]3_2_013252A5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013252A5 mov eax, dword ptr fs:[00000030h]3_2_013252A5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013252A5 mov eax, dword ptr fs:[00000030h]3_2_013252A5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135D294 mov eax, dword ptr fs:[00000030h]3_2_0135D294
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135D294 mov eax, dword ptr fs:[00000030h]3_2_0135D294
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E129A mov eax, dword ptr fs:[00000030h]3_2_013E129A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135DA88 mov eax, dword ptr fs:[00000030h]3_2_0135DA88
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135DA88 mov eax, dword ptr fs:[00000030h]3_2_0135DA88
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01352AE4 mov eax, dword ptr fs:[00000030h]3_2_01352AE4
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E4AEF mov eax, dword ptr fs:[00000030h]3_2_013E4AEF
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F8ADD mov eax, dword ptr fs:[00000030h]3_2_013F8ADD
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013212D4 mov eax, dword ptr fs:[00000030h]3_2_013212D4
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01325AC0 mov eax, dword ptr fs:[00000030h]3_2_01325AC0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01325AC0 mov eax, dword ptr fs:[00000030h]3_2_01325AC0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01325AC0 mov eax, dword ptr fs:[00000030h]3_2_01325AC0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01323ACA mov eax, dword ptr fs:[00000030h]3_2_01323ACA
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01352ACB mov eax, dword ptr fs:[00000030h]3_2_01352ACB
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132AD30 mov eax, dword ptr fs:[00000030h]3_2_0132AD30
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01333D34 mov eax, dword ptr fs:[00000030h]3_2_01333D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EE539 mov eax, dword ptr fs:[00000030h]3_2_013EE539
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F8D34 mov eax, dword ptr fs:[00000030h]3_2_013F8D34
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013AA537 mov eax, dword ptr fs:[00000030h]3_2_013AA537
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01354D3B mov eax, dword ptr fs:[00000030h]3_2_01354D3B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01354D3B mov eax, dword ptr fs:[00000030h]3_2_01354D3B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01354D3B mov eax, dword ptr fs:[00000030h]3_2_01354D3B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135F527 mov eax, dword ptr fs:[00000030h]3_2_0135F527
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135F527 mov eax, dword ptr fs:[00000030h]3_2_0135F527
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135F527 mov eax, dword ptr fs:[00000030h]3_2_0135F527
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E3518 mov eax, dword ptr fs:[00000030h]3_2_013E3518
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E3518 mov eax, dword ptr fs:[00000030h]3_2_013E3518
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E3518 mov eax, dword ptr fs:[00000030h]3_2_013E3518
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132751A mov eax, dword ptr fs:[00000030h]3_2_0132751A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132751A mov eax, dword ptr fs:[00000030h]3_2_0132751A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132751A mov eax, dword ptr fs:[00000030h]3_2_0132751A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132751A mov eax, dword ptr fs:[00000030h]3_2_0132751A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013CCD04 mov eax, dword ptr fs:[00000030h]3_2_013CCD04
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01348D76 mov eax, dword ptr fs:[00000030h]3_2_01348D76
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01348D76 mov eax, dword ptr fs:[00000030h]3_2_01348D76
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01348D76 mov eax, dword ptr fs:[00000030h]3_2_01348D76
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01348D76 mov eax, dword ptr fs:[00000030h]3_2_01348D76
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01348D76 mov eax, dword ptr fs:[00000030h]3_2_01348D76
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134C577 mov eax, dword ptr fs:[00000030h]3_2_0134C577
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134C577 mov eax, dword ptr fs:[00000030h]3_2_0134C577
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01347D50 mov eax, dword ptr fs:[00000030h]3_2_01347D50
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01364D51 mov eax, dword ptr fs:[00000030h]3_2_01364D51
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01364D51 mov eax, dword ptr fs:[00000030h]3_2_01364D51
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01363D43 mov eax, dword ptr fs:[00000030h]3_2_01363D43
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A3540 mov eax, dword ptr fs:[00000030h]3_2_013A3540
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013D8D47 mov eax, dword ptr fs:[00000030h]3_2_013D8D47
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013D3D40 mov eax, dword ptr fs:[00000030h]3_2_013D3D40
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132354C mov eax, dword ptr fs:[00000030h]3_2_0132354C
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0132354C mov eax, dword ptr fs:[00000030h]3_2_0132354C
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01351DB5 mov eax, dword ptr fs:[00000030h]3_2_01351DB5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01351DB5 mov eax, dword ptr fs:[00000030h]3_2_01351DB5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01351DB5 mov eax, dword ptr fs:[00000030h]3_2_01351DB5
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F05AC mov eax, dword ptr fs:[00000030h]3_2_013F05AC
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F05AC mov eax, dword ptr fs:[00000030h]3_2_013F05AC
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013535A1 mov eax, dword ptr fs:[00000030h]3_2_013535A1
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013565A0 mov eax, dword ptr fs:[00000030h]3_2_013565A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013565A0 mov eax, dword ptr fs:[00000030h]3_2_013565A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013565A0 mov eax, dword ptr fs:[00000030h]3_2_013565A0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01323591 mov eax, dword ptr fs:[00000030h]3_2_01323591
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135FD9B mov eax, dword ptr fs:[00000030h]3_2_0135FD9B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135FD9B mov eax, dword ptr fs:[00000030h]3_2_0135FD9B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01352581 mov eax, dword ptr fs:[00000030h]3_2_01352581
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01352581 mov eax, dword ptr fs:[00000030h]3_2_01352581
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01352581 mov eax, dword ptr fs:[00000030h]3_2_01352581
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01352581 mov eax, dword ptr fs:[00000030h]3_2_01352581
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01322D8A mov eax, dword ptr fs:[00000030h]3_2_01322D8A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01322D8A mov eax, dword ptr fs:[00000030h]3_2_01322D8A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01322D8A mov eax, dword ptr fs:[00000030h]3_2_01322D8A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01322D8A mov eax, dword ptr fs:[00000030h]3_2_01322D8A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01322D8A mov eax, dword ptr fs:[00000030h]3_2_01322D8A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E2D82 mov eax, dword ptr fs:[00000030h]3_2_013E2D82
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E2D82 mov eax, dword ptr fs:[00000030h]3_2_013E2D82
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E2D82 mov eax, dword ptr fs:[00000030h]3_2_013E2D82
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E2D82 mov eax, dword ptr fs:[00000030h]3_2_013E2D82
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E2D82 mov eax, dword ptr fs:[00000030h]3_2_013E2D82
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E2D82 mov eax, dword ptr fs:[00000030h]3_2_013E2D82
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E2D82 mov eax, dword ptr fs:[00000030h]3_2_013E2D82
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EB581 mov eax, dword ptr fs:[00000030h]3_2_013EB581
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EB581 mov eax, dword ptr fs:[00000030h]3_2_013EB581
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EB581 mov eax, dword ptr fs:[00000030h]3_2_013EB581
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EB581 mov eax, dword ptr fs:[00000030h]3_2_013EB581
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013295F0 mov eax, dword ptr fs:[00000030h]3_2_013295F0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013295F0 mov ecx, dword ptr fs:[00000030h]3_2_013295F0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013D8DF1 mov eax, dword ptr fs:[00000030h]3_2_013D8DF1
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133D5E0 mov eax, dword ptr fs:[00000030h]3_2_0133D5E0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133D5E0 mov eax, dword ptr fs:[00000030h]3_2_0133D5E0
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013595EC mov eax, dword ptr fs:[00000030h]3_2_013595EC
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EFDE2 mov eax, dword ptr fs:[00000030h]3_2_013EFDE2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EFDE2 mov eax, dword ptr fs:[00000030h]3_2_013EFDE2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EFDE2 mov eax, dword ptr fs:[00000030h]3_2_013EFDE2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013EFDE2 mov eax, dword ptr fs:[00000030h]3_2_013EFDE2
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013DFDD3 mov eax, dword ptr fs:[00000030h]3_2_013DFDD3
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A6DC9 mov eax, dword ptr fs:[00000030h]3_2_013A6DC9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A6DC9 mov eax, dword ptr fs:[00000030h]3_2_013A6DC9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A6DC9 mov eax, dword ptr fs:[00000030h]3_2_013A6DC9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A6DC9 mov ecx, dword ptr fs:[00000030h]3_2_013A6DC9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A6DC9 mov eax, dword ptr fs:[00000030h]3_2_013A6DC9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A6DC9 mov eax, dword ptr fs:[00000030h]3_2_013A6DC9
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013215C1 mov eax, dword ptr fs:[00000030h]3_2_013215C1
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133B433 mov eax, dword ptr fs:[00000030h]3_2_0133B433
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133B433 mov eax, dword ptr fs:[00000030h]3_2_0133B433
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0133B433 mov eax, dword ptr fs:[00000030h]3_2_0133B433
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01342430 mov eax, dword ptr fs:[00000030h]3_2_01342430
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01342430 mov eax, dword ptr fs:[00000030h]3_2_01342430
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01353C3E mov eax, dword ptr fs:[00000030h]3_2_01353C3E
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01353C3E mov eax, dword ptr fs:[00000030h]3_2_01353C3E
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01353C3E mov eax, dword ptr fs:[00000030h]3_2_01353C3E
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01324439 mov eax, dword ptr fs:[00000030h]3_2_01324439
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135BC2C mov eax, dword ptr fs:[00000030h]3_2_0135BC2C
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F8C14 mov eax, dword ptr fs:[00000030h]3_2_013F8C14
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A6C0A mov eax, dword ptr fs:[00000030h]3_2_013A6C0A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A6C0A mov eax, dword ptr fs:[00000030h]3_2_013A6C0A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A6C0A mov eax, dword ptr fs:[00000030h]3_2_013A6C0A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013A6C0A mov eax, dword ptr fs:[00000030h]3_2_013A6C0A
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F740D mov eax, dword ptr fs:[00000030h]3_2_013F740D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F740D mov eax, dword ptr fs:[00000030h]3_2_013F740D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F740D mov eax, dword ptr fs:[00000030h]3_2_013F740D
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013E1C06 mov eax, dword ptr fs:[00000030h]3_2_013E1C06
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0134B477 mov eax, dword ptr fs:[00000030h]3_2_0134B477
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_01365C70 mov eax, dword ptr fs:[00000030h]3_2_01365C70
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_013F8C75 mov eax, dword ptr fs:[00000030h]3_2_013F8C75
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135AC7B mov eax, dword ptr fs:[00000030h]3_2_0135AC7B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135AC7B mov eax, dword ptr fs:[00000030h]3_2_0135AC7B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135AC7B mov eax, dword ptr fs:[00000030h]3_2_0135AC7B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135AC7B mov eax, dword ptr fs:[00000030h]3_2_0135AC7B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135AC7B mov eax, dword ptr fs:[00000030h]3_2_0135AC7B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135AC7B mov eax, dword ptr fs:[00000030h]3_2_0135AC7B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135AC7B mov eax, dword ptr fs:[00000030h]3_2_0135AC7B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135AC7B mov eax, dword ptr fs:[00000030h]3_2_0135AC7B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135AC7B mov eax, dword ptr fs:[00000030h]3_2_0135AC7B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCode function: 3_2_0135AC7B mov eax, dword ptr fs:[00000030h]3_2_0135AC7B
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Injects a PE file into a foreign processesShow sources
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeMemory written: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeProcess created: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeQueries volume information: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information:

            barindex
            Yara detected FormBookShow sources
            Source: Yara matchFile source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

            Remote Access Functionality:

            barindex
            Yara detected FormBookShow sources
            Source: Yara matchFile source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection111Masquerading11OS Credential DumpingSecurity Software Discovery221Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection111NTDSSystem Information Discovery112Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information14Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe59%VirustotalBrowse
            T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe12%MetadefenderBrowse
            T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe69%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
            T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            SourceDetectionScannerLabelLinkDownload
            3.2.T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            www.rogegalmish.com/a8si/3%VirustotalBrowse
            www.rogegalmish.com/a8si/0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            www.rogegalmish.com/a8si/true
            • 3%, Virustotal, Browse
            • Avira URL Cloud: safe
            		low

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameT31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338326905.0000000002DB1000.00000004.00000001.sdmpfalse
              		high
              https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssT31597760-Confirm-20210507-100016-Email-1574401.PDF.exe, 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmpfalse
                		high

                Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox Version:32.0.0 Black Diamond
                Analysis ID:412016
                Start date:12.05.2021
                Start time:10:41:28
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 6m 49s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:4
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@5/1@0/0
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 1.6% (good quality ratio 1.5%)
                • Quality average: 67.5%
                • Quality standard deviation: 29.9%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 59
                • Number of non-executed functions: 232
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated

                Simulations

                Behavior and APIs

                TimeTypeDescription
                10:42:20API Interceptor1x Sleep call for process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe.log
                Process:C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1314
                Entropy (8bit):5.350128552078965
                Encrypted:false
                SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                Malicious:true
                Reputation:high, very likely benign file
                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.334342506830447
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name:T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
                File size:843264
                MD5:33d849675e66bf8332b4bb2e4a1d923f
                SHA1:5a6a124d73391b021ffb15b5fe0bef53882e9d9b
                SHA256:77a065555ec0a5c4dfbae72cdb035af45edf7997b1859fa75a158c40f119a020
                SHA512:1567d7b75a49cfc4dea92b703310395898ea6e4e7b6b5716f046ae0c9aefc96cb2f09c0fda1cfc2e827d1ef62decd6735e82a93dc84a39ed04c0e14f84f292f2
                SSDEEP:12288:Z70hHwq6oGbWgW4nVV2aiGnCqlAkS6cGfRxyFkpHbsM:h0hQDoG66nVOjab7s
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...HR.`..............P..H...........g... ........@.. .......................@............@................................

                File Icon

                Icon Hash:d4e8e8f8bcacd2cc

                Static PE Info

                General

                Entrypoint:0x4a67f2
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x60985248 [Sun May 9 21:21:12 2021 UTC]
                TLS Callbacks:
                CLR (.Net) Version:v4.0.30319
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                Entrypoint Preview

                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al
                add byte ptr [eax], al

                Data Directories

                NameVirtual AddressVirtual Size Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IMPORT0xa67a00x4f.text
                IMAGE_DIRECTORY_ENTRY_RESOURCE0xa80000x29130.rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC0xd20000xc.reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                Sections

                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                .text0x20000xa47f80xa4800False0.824677348499data7.68296959496IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rsrc0xa80000x291300x29200False0.0776856952888data4.11408600816IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc0xd20000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Resources

                NameRVASizeTypeLanguageCountry
                RT_ICON0xa82e00x10d2PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                RT_ICON0xa93b40x10828dBase III DBT, version number 0, next free block index 40
                RT_ICON0xb9bdc0x94a8data
                RT_ICON0xc30840x5488data
                RT_ICON0xc850c0x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 57599, next used block 4278648832
                RT_ICON0xcc7340x25a8dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
                RT_ICON0xcecdc0x10a8dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
                RT_ICON0xcfd840x988data
                RT_ICON0xd070c0x468GLS_BINARY_LSB_FIRST
                RT_GROUP_ICON0xd0b740x84data
                RT_GROUP_ICON0xd0bf80x14data
                RT_VERSION0xd0c0c0x338data
                RT_MANIFEST0xd0f440x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                Imports

                DLLImport
                mscoree.dll_CorExeMain

                Version Infos

                DescriptionData
                Translation0x0000 0x04b0
                LegalCopyrightCopyright MCS 2018
                Assembly Version1.0.0.0
                InternalNameAsyncReplySink.exe
                FileVersion1.0.0.0
                CompanyNameMCS
                LegalTrademarks
                Comments
                ProductNameLibrary
                ProductVersion1.0.0.0
                FileDescriptionLibrary
                OriginalFilenameAsyncReplySink.exe

                Network Behavior

                No network behavior found

                Code Manipulations

                Statistics

                CPU Usage

                Click to jump to process

                Memory Usage

                Click to jump to process

                High Level Behavior Distribution

                Click to dive into process behavior distribution

                Behavior

                Click to jump to process

                System Behavior

                Analysis Process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 6764 Parent PID: 5952

                General

                Start time:10:42:17
                Start date:12/05/2021
                Path:C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe'
                Imagebase:0xa70000
                File size:843264 bytes
                MD5 hash:33D849675E66BF8332B4BB2E4A1D923F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.338400909.0000000002E06000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.338738770.0000000003DB9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                Chronological Activities

                Analysis Process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 6892 Parent PID: 6764

                General

                Start time:10:42:22
                Start date:12/05/2021
                Path:C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
                Wow64 process (32bit):false
                Commandline:C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
                Imagebase:0x2d0000
                File size:843264 bytes
                MD5 hash:33D849675E66BF8332B4BB2E4A1D923F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low

                Chronological Activities

                Analysis Process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 6900 Parent PID: 6764

                General

                Start time:10:42:22
                Start date:12/05/2021
                Path:C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user\Desktop\T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe
                Imagebase:0x860000
                File size:843264 bytes
                MD5 hash:33D849675E66BF8332B4BB2E4A1D923F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                Chronological Activities

                Disassembly

                Code Analysis

                Reset < >

                  Analysis Process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 6764 Parent PID: 5952 T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCOMMON

                  Executed Functions

                  Function 0B778221, Relevance: .5, Instructions: 505COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 13a253572408e9cdbc7862832cf89670c9a615c531fd46258accb13f9529a1f7
                  • Instruction ID: 522db001add29bec74ea4b58a1c1dda93306f06db75dc92a955140677ea78f37
                  • Opcode Fuzzy Hash: 13a253572408e9cdbc7862832cf89670c9a615c531fd46258accb13f9529a1f7
                  • Instruction Fuzzy Hash: 39E1DC71B012148FDB29EB66C4587AFB7F6AF88700F14446AE146DB291CB35E801CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B770FA8, Relevance: .3, Instructions: 276COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6a66894c462c52c3ca6bbe410947a61ee7db42c3b01d94282d6a21184ad634f5
                  • Instruction ID: 916801e950864b27a740aca8229ce448b48fbc5cfd4ed4b584d599f0f3124ed7
                  • Opcode Fuzzy Hash: 6a66894c462c52c3ca6bbe410947a61ee7db42c3b01d94282d6a21184ad634f5
                  • Instruction Fuzzy Hash: F2B14574E052498BCF04DFE9C5856DEFBF2BF89300F54852AD415BB658E7349A02CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B770F98, Relevance: .3, Instructions: 274COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3df5e5d93190d2380edc56f063798a79f3e53807d71d8c5b55ab07b519be2e63
                  • Instruction ID: 4789f697ed09a0e3fc01da2c297e8fb37e5f1ee4a994ec21386e780a833aacaa
                  • Opcode Fuzzy Hash: 3df5e5d93190d2380edc56f063798a79f3e53807d71d8c5b55ab07b519be2e63
                  • Instruction Fuzzy Hash: 26B15578E052498FCF04DFA9C9856DEFBF2BF89300F54852AD415BB658D7349A02CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773660, Relevance: .1, Instructions: 142COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a2d43684f68d96609bc557ad686eaf56c05b2bae866cdd918ef38265dfbc973
                  • Instruction ID: a5e1d5a2dfed3e7df1d2805d3600f8ecdae41972d6eae88e384c3951b72f90bb
                  • Opcode Fuzzy Hash: 5a2d43684f68d96609bc557ad686eaf56c05b2bae866cdd918ef38265dfbc973
                  • Instruction Fuzzy Hash: 3A517970D456499FCF09DFA8D4885DEFBF2FF89310B15806AE812EB260D770A942DB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B777AF0, Relevance: .1, Instructions: 56COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 070006709ab5af12556066cc759b20e4873731c1829fe4990adf13d0ff6c5577
                  • Instruction ID: 37f70dc9fcae51d75dc8b1fb10d1726d40015203f0acc789dedc7c5e83d0ee37
                  • Opcode Fuzzy Hash: 070006709ab5af12556066cc759b20e4873731c1829fe4990adf13d0ff6c5577
                  • Instruction Fuzzy Hash: 2F116671D452588FDF19DFA8C548BEDBBF0BB0E305F18946AE411B32A0C7788944CB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B777B00, Relevance: .1, Instructions: 53COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7d324e108238013fde7462a7ea561a27d530298e7e3d6ded86ac8fc99a2c9f82
                  • Instruction ID: 3d156049e1e8c76fc5c99af20e67cb75a4fb4514d5bca67529e987767816c57f
                  • Opcode Fuzzy Hash: 7d324e108238013fde7462a7ea561a27d530298e7e3d6ded86ac8fc99a2c9f82
                  • Instruction Fuzzy Hash: D9117930D442588BDF18DFA9C418BEEBBF1AB4E305F14906AE415B32A0CB788D44CB68
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B777BB4, Relevance: .0, Instructions: 27COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: be57e6d12bc28b18319cef8619c887e036d48bf89f40b1a13fda2f24b7c39d3f
                  • Instruction ID: 543d35b63083cb9acba2a4e97ee2f9858260ed99a257393508530a1eeed1e27c
                  • Opcode Fuzzy Hash: be57e6d12bc28b18319cef8619c887e036d48bf89f40b1a13fda2f24b7c39d3f
                  • Instruction Fuzzy Hash: 45E02B5188C3998ACB025FA448255BABFF09B0B200F54A0CBE041F71A1C6688901D7A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C46B90, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON
                  Download Yara Rule
                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 02C46C00
                  • GetCurrentThread.KERNEL32 ref: 02C46C3D
                  • GetCurrentProcess.KERNEL32 ref: 02C46C7A
                  • GetCurrentThreadId.KERNEL32 ref: 02C46CD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: d6b45af0ff0d9a1ca282353e953e4eb6683def4d334ccadc08eed1e3d315eaac
                  • Instruction ID: f8ee6997e407ee439b59cc579170c1bb3f4227ee90c0ac741bc86a7caf896616
                  • Opcode Fuzzy Hash: d6b45af0ff0d9a1ca282353e953e4eb6683def4d334ccadc08eed1e3d315eaac
                  • Instruction Fuzzy Hash: 2B5167B49007498FDB14DFA9D648B9EBBF4FF49308F20805AE019A7391DB745A44CF65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C46BA0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                  Download Yara Rule
                  APIs
                  • GetCurrentProcess.KERNEL32 ref: 02C46C00
                  • GetCurrentThread.KERNEL32 ref: 02C46C3D
                  • GetCurrentProcess.KERNEL32 ref: 02C46C7A
                  • GetCurrentThreadId.KERNEL32 ref: 02C46CD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: Current$ProcessThread
                  • String ID:
                  • API String ID: 2063062207-0
                  • Opcode ID: 9d3777ff295c909eaad05ec45e081da2e0b3013f6e4b400443f534994a9c3a55
                  • Instruction ID: e91c77aa40333b557f16cdad2fca19f3fcfff75070e21f1e5cd206395fa119c5
                  • Opcode Fuzzy Hash: 9d3777ff295c909eaad05ec45e081da2e0b3013f6e4b400443f534994a9c3a55
                  • Instruction Fuzzy Hash: 015157B49007498FDB14DFAAD64879EBBF4FF89308F208059E019A7350DB745A44CF65
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773FB4, Relevance: 1.8, APIs: 1, Instructions: 250processCOMMON
                  Download Yara Rule
                  APIs
                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0B7741F6
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: b715b7fe4027409a87d4f7c8f101ab20267e0c54920ceda6e241bfd479a5144a
                  • Instruction ID: 6a8e9e9428ff293b1f49ffd36f0260cbe1f668776b61a5b5510be192e25b96bd
                  • Opcode Fuzzy Hash: b715b7fe4027409a87d4f7c8f101ab20267e0c54920ceda6e241bfd479a5144a
                  • Instruction Fuzzy Hash: A8A16B71D002298FDF20DFA8C8817EDBBB2BF49304F1585A9E809A7350DB759A95CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773FC0, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                  Download Yara Rule
                  APIs
                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0B7741F6
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: 5f46ca2f73ec9aa0e340cb99779f2a9f22ad2a17c8bff693e9712910447c5d10
                  • Instruction ID: bee06d40c6b816d89413ff164a26563d3e65cf5e2e778c88afb9efa01115acee
                  • Opcode Fuzzy Hash: 5f46ca2f73ec9aa0e340cb99779f2a9f22ad2a17c8bff693e9712910447c5d10
                  • Instruction Fuzzy Hash: 20916B71D002298FDF20DFA8C8417EDBAB2BF48314F0585A9E809A7350DB759995CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C4BBB8, Relevance: 1.7, APIs: 1, Instructions: 199COMMON
                  Download Yara Rule
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02C4BE0E
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: cd48301ab9f6a82afefd562d41cbc6a11e1969112a0e28d9fb840501b1a1ad5a
                  • Instruction ID: de242100af2cc84f6bd1cbc421930bdd842f7403c23afdb6bd3bb52ea5fa3c77
                  • Opcode Fuzzy Hash: cd48301ab9f6a82afefd562d41cbc6a11e1969112a0e28d9fb840501b1a1ad5a
                  • Instruction Fuzzy Hash: 13711470A00B058FD724DF6AC59575BBBF1FF88208F008A2DD45AD7A40DB75E90A8F91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C4DBE0, Relevance: 1.7, APIs: 1, Instructions: 159COMMON
                  Download Yara Rule
                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C4DD8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: 10bc9e1147ca20bc19eea25e784fc33f4d5099f0a77ac8b19bbd83185b18e62c
                  • Instruction ID: 0beefba21372565f584a3ba597dbe8131cfc5340aad1964af2ccd9560d4f6749
                  • Opcode Fuzzy Hash: 10bc9e1147ca20bc19eea25e784fc33f4d5099f0a77ac8b19bbd83185b18e62c
                  • Instruction Fuzzy Hash: 326134B1C04348AFCF12DFA9D880ADEBFB2BF49310F15816AE919AB261D7719944CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C4DC78, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                  Download Yara Rule
                  APIs
                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C4DD8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: CreateWindow
                  • String ID:
                  • API String ID: 716092398-0
                  • Opcode ID: c6f4112f12b6f5b7497d603c946930ff777f4217b7a7cce9305a8263078fef99
                  • Instruction ID: 0fda18b32a21b9ff3dfa8ffd9fbefbc8cdbfcb69408dd3f2625bfbbea906fa7a
                  • Opcode Fuzzy Hash: c6f4112f12b6f5b7497d603c946930ff777f4217b7a7cce9305a8263078fef99
                  • Instruction Fuzzy Hash: E741C2B1D00309DFDF14DF99C984ADEBBB5BF89314F24812AE819AB210DB759945CF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C46D51, Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                  Download Yara Rule
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C46E4F
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 3221499a4fd49d11d2cf068827f6a283fbe78cb58e0c4f7bd12859a1ad2b7fa8
                  • Instruction ID: 7bf5e6d8c0f3ba00d31cd6ca7df2b6cf7cb8c41ef281059339c180e5e57701a0
                  • Opcode Fuzzy Hash: 3221499a4fd49d11d2cf068827f6a283fbe78cb58e0c4f7bd12859a1ad2b7fa8
                  • Instruction Fuzzy Hash: 67416776A00218AFCF01CF99D884ADEBFF9EF49310F14805AE904A7361C775A914DFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773D30, Relevance: 1.6, APIs: 1, Instructions: 71injectionCOMMON
                  Download Yara Rule
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0B773DC8
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 7863930891e5dc017332e223ffc8b893ee10dc48df08ca89a17f9874c8513ff8
                  • Instruction ID: a163a358e2e535623a154183d6a33d41d9c90ae3b3c1345462974ba33a1da6b5
                  • Opcode Fuzzy Hash: 7863930891e5dc017332e223ffc8b893ee10dc48df08ca89a17f9874c8513ff8
                  • Instruction Fuzzy Hash: 632137719002099FCF00DFA9C984BEEBBF5FF48314F04882AE919A7240C778A955DBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773D38, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                  Download Yara Rule
                  APIs
                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0B773DC8
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 1f92f0dd1f77b6805f0453facd999e81a69be008d520757b69cbc69185ca6ba3
                  • Instruction ID: 4bf2d2f2bb80485069520da2f696c7c1c4447a043131ddd30fead170971d6be9
                  • Opcode Fuzzy Hash: 1f92f0dd1f77b6805f0453facd999e81a69be008d520757b69cbc69185ca6ba3
                  • Instruction Fuzzy Hash: D72128719003499FCF00DFA9C884BEEBBF5FF48314F508829E919A7240D774A955DBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773E21, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                  Download Yara Rule
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0B773EA8
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: be8b5b00add376142c6e027e1aee256c7f5e864ce3ec8fa8da83b6c3390f5466
                  • Instruction ID: 34c6fed819bced0e8e21fa482c9a7de1df21857a85efb66c6f4153a4ffd2c2f9
                  • Opcode Fuzzy Hash: be8b5b00add376142c6e027e1aee256c7f5e864ce3ec8fa8da83b6c3390f5466
                  • Instruction Fuzzy Hash: 792136B1D002199FCF00CFA9D8857EEBBF5FF48310F50882AE919A7240D77999059BA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773B99, Relevance: 1.6, APIs: 1, Instructions: 64threadinjectionCOMMON
                  Download Yara Rule
                  APIs
                  • SetThreadContext.KERNELBASE(?,00000000), ref: 0B773C1E
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: ContextThread
                  • String ID:
                  • API String ID: 1591575202-0
                  • Opcode ID: 25b5b30ae392c131a2bce3f832a3f921e5915ff1e58802ee9911b753c0b74877
                  • Instruction ID: 7ec48dd33e490011517dd4942a0ccd9638358e043e947300255bba640da38d5f
                  • Opcode Fuzzy Hash: 25b5b30ae392c131a2bce3f832a3f921e5915ff1e58802ee9911b753c0b74877
                  • Instruction Fuzzy Hash: 0E213A719002098FDB10DFA9C4847EEBBF5EF48324F55C429E919A7240CB78A945CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C46DC0, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                  Download Yara Rule
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C46E4F
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: ede7918e31674eefdc325cf1dfd0ddc18a83f3bd0d8205aaf261fb7f3d1934a9
                  • Instruction ID: e98855c9fa903b1091a84b63feeca8e5204ffd9e2f052134c8192aad85f91afb
                  • Opcode Fuzzy Hash: ede7918e31674eefdc325cf1dfd0ddc18a83f3bd0d8205aaf261fb7f3d1934a9
                  • Instruction Fuzzy Hash: 322114B59002489FCB10CFA9D984ADEBBF8FF48324F14801AE914A7310D774A954CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773BA0, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON
                  Download Yara Rule
                  APIs
                  • SetThreadContext.KERNELBASE(?,00000000), ref: 0B773C1E
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: ContextThread
                  • String ID:
                  • API String ID: 1591575202-0
                  • Opcode ID: a25e84a5e71cea1316e8524e9c0910ec9be5e75bb2f31a6e69d3e01d98580e0a
                  • Instruction ID: 71e9e37554b36240f629747fe1c8453ea1366515aec5baacb809291316329dd0
                  • Opcode Fuzzy Hash: a25e84a5e71cea1316e8524e9c0910ec9be5e75bb2f31a6e69d3e01d98580e0a
                  • Instruction Fuzzy Hash: 2A2138719002098FCB10DFA9C4847EEBBF4EF48214F54842AD519A7240CB78A945CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773E28, Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                  Download Yara Rule
                  APIs
                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0B773EA8
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: MemoryProcessRead
                  • String ID:
                  • API String ID: 1726664587-0
                  • Opcode ID: bca78f43251db650d31ad09ac6d2ab3a6bf2ad4ff3531d2869f5e85d211f76e3
                  • Instruction ID: 64816cb719ac0b7d35e354f59278abf6971132d4b35a9bd617fe30490f603497
                  • Opcode Fuzzy Hash: bca78f43251db650d31ad09ac6d2ab3a6bf2ad4ff3531d2869f5e85d211f76e3
                  • Instruction Fuzzy Hash: 992114719002499FCF00DFAAD884AEEBBF5FF48314F50842AE919A7240C779A945CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C46DC8, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                  Download Yara Rule
                  APIs
                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C46E4F
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: DuplicateHandle
                  • String ID:
                  • API String ID: 3793708945-0
                  • Opcode ID: 04aefa31cdedf5e9806ba3eac657b6895cd277e728abf685d87a0cf2cb33daa7
                  • Instruction ID: 0ddb52d6a7363a23de3a1334004a803514e97989eb2fd1db2bcab21a8172e407
                  • Opcode Fuzzy Hash: 04aefa31cdedf5e9806ba3eac657b6895cd277e728abf685d87a0cf2cb33daa7
                  • Instruction Fuzzy Hash: 6921F3B59002489FDB10CFA9D984ADEBBF8FB49324F14801AE915A7310D775A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C4B0B0, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                  Download Yara Rule
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C4BE89,00000800,00000000,00000000), ref: 02C4C09A
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: 0b69cafc53fbfe8638dda5afa75dbb0812cf4c7079a174650467bf2301e1ee80
                  • Instruction ID: 40396f2f033dee65977897fbefae574a55d8df6a6f0c15cd592211e553d14e4e
                  • Opcode Fuzzy Hash: 0b69cafc53fbfe8638dda5afa75dbb0812cf4c7079a174650467bf2301e1ee80
                  • Instruction Fuzzy Hash: EE1103B2D012088FCB10CF9AC444B9FBBF4EB89314F04842AE915A7210C775AA45CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773C71, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                  Download Yara Rule
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0B773CE6
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 6e169377e5bc04a7dd728a1ab98fb920b86157068d3c5d4d3089dd4dbb5d7625
                  • Instruction ID: b0d8a2d2fdf93ac5a9c58e9fb932563374f41cc6578c42a0e5cb5735c33a6211
                  • Opcode Fuzzy Hash: 6e169377e5bc04a7dd728a1ab98fb920b86157068d3c5d4d3089dd4dbb5d7625
                  • Instruction Fuzzy Hash: 6D1179729002099FCF10DFA9C9447EEBBF5EF48324F148829E919B7250CB35A945CFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773C78, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                  Download Yara Rule
                  APIs
                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0B773CE6
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: fcbb32ab40c5196aa4e2cdaea40d0340ee4d113118abf345e702544a1d430a3b
                  • Instruction ID: 4d6dfb11a58d06aa1edd07909c6fa41c5603101122a5c07ad586c8d14024c39f
                  • Opcode Fuzzy Hash: fcbb32ab40c5196aa4e2cdaea40d0340ee4d113118abf345e702544a1d430a3b
                  • Instruction Fuzzy Hash: 5B1149719002499FCF10DFA9D844BDFBBF5EF48324F148829E915A7250CB75A954CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B778C08, Relevance: 1.6, APIs: 1, Instructions: 51COMMON
                  Download Yara Rule
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0B778C68
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: 13365311f765f9d575fde6d735e05f89d306b4239077fe3949f5aeafcb0d30c2
                  • Instruction ID: bd192f41f9307c691bcd5bea1acdd82adc8d0d55d55a205c5e3e23e1d3b19eee
                  • Opcode Fuzzy Hash: 13365311f765f9d575fde6d735e05f89d306b4239077fe3949f5aeafcb0d30c2
                  • Instruction Fuzzy Hash: 9A1176B2800249CFCB10CFA9C1897DEBBF0EF08324F14886AD455A7280C338A945CFA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C4C028, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON
                  Download Yara Rule
                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C4BE89,00000800,00000000,00000000), ref: 02C4C09A
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: db37f91a0e7989f1178c046cc93e895717932593231538efbcf9523765242b2f
                  • Instruction ID: 352a2ea851677084e995d29bd635a415681dcdebba24a62e8377e0d4b7a98a53
                  • Opcode Fuzzy Hash: db37f91a0e7989f1178c046cc93e895717932593231538efbcf9523765242b2f
                  • Instruction Fuzzy Hash: 771153B6D002088FCB10CFA9C444BDEFBF4AF88324F04842ED815AB210C775AA49CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773AE8, Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: 04e36a5920678701543d80324d7cce1735bbd69b8d49c99a0147a4fbf2ae19b4
                  • Instruction ID: d233fc72440aca21c4039800fd90a638f30d31e6f68116b629fba4a0e1d9c81d
                  • Opcode Fuzzy Hash: 04e36a5920678701543d80324d7cce1735bbd69b8d49c99a0147a4fbf2ae19b4
                  • Instruction Fuzzy Hash: 761158B1D042488FCB10DFA9D4447EFBBF5AB88214F14882AD519A7650CB75A944CF95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B773AF0, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: 78bfc86cf4e952ef2d7eeeda7cf25bf751eb52032facbb5a279657ccdc5502ce
                  • Instruction ID: 5b9ce23209bf36873d8ce345f056b212a6613f7dd5fde4e6da2691a166a4608d
                  • Opcode Fuzzy Hash: 78bfc86cf4e952ef2d7eeeda7cf25bf751eb52032facbb5a279657ccdc5502ce
                  • Instruction Fuzzy Hash: E9113A71D003488FCB10DFA9D4447DFFBF5AF88224F148829D519A7650CB75A944CFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B7770D1, Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON
                  Download Yara Rule
                  APIs
                  • PostMessageW.USER32(?,?,?,?), ref: 0B777135
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: b1b0fe67df1044c5f892ba49356f0a47b7ba7e0d3f020ecb8cc8e4378c2e9682
                  • Instruction ID: 919cee0403a310965163d926196b46ff58c6c5b00282997945d1b2943371f55a
                  • Opcode Fuzzy Hash: b1b0fe67df1044c5f892ba49356f0a47b7ba7e0d3f020ecb8cc8e4378c2e9682
                  • Instruction Fuzzy Hash: 201155B68002488FDB10DF98C989BDEBFF4EB48324F10881AE414B7240C378A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B778C10, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                  Download Yara Rule
                  APIs
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0B778C68
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: ChangeCloseFindNotification
                  • String ID:
                  • API String ID: 2591292051-0
                  • Opcode ID: bae97ab9c567d213fd9b2cb7cbe118a3dcbdfde1fec50eaf51db565729a567e4
                  • Instruction ID: 2608fa5c7f4c444409272e337afdb03708f3c5205da39518ff563a47d8019dd9
                  • Opcode Fuzzy Hash: bae97ab9c567d213fd9b2cb7cbe118a3dcbdfde1fec50eaf51db565729a567e4
                  • Instruction Fuzzy Hash: C91148B18002098FCB10DF9AC548BDEBBF4EF48324F148469D915A7340C738A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C4BDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                  Download Yara Rule
                  APIs
                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02C4BE0E
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: HandleModule
                  • String ID:
                  • API String ID: 4139908857-0
                  • Opcode ID: 18be374ff246025637722386d8365e94a367370708d4a6f4b4490600d8968bf0
                  • Instruction ID: ee702c43bfea014ec79e28d562a8e0553b3a406c3dd15bed72f2b4f3cffb5a6f
                  • Opcode Fuzzy Hash: 18be374ff246025637722386d8365e94a367370708d4a6f4b4490600d8968bf0
                  • Instruction Fuzzy Hash: 9811DFB5D006498FCB10CFAAC444BDFFBF4EB88228F14846AD919A7610C775A945CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B7770D8, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                  Download Yara Rule
                  APIs
                  • PostMessageW.USER32(?,?,?,?), ref: 0B777135
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID: MessagePost
                  • String ID:
                  • API String ID: 410705778-0
                  • Opcode ID: 1f229f9ce793876f482ec2bc0f2c540a6ed91c5b8672261faf185d223c1f149d
                  • Instruction ID: dded483851c9d8221d79feb223d54d39a287ceb67ea6505677f66b8e774d7b30
                  • Opcode Fuzzy Hash: 1f229f9ce793876f482ec2bc0f2c540a6ed91c5b8672261faf185d223c1f149d
                  • Instruction Fuzzy Hash: 8111E2B58003499FDB10DF99D885BDEBBF8EB49324F14845AE915A7600C375A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C4DEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                  Download Yara Rule
                  APIs
                  • SetWindowLongW.USER32(?,?,?), ref: 02C4DF1D
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: LongWindow
                  • String ID:
                  • API String ID: 1378638983-0
                  • Opcode ID: ae788fe751ee0be58c9acb5bc59c26b809d8107ff7273870792913bb3b40684f
                  • Instruction ID: 31e07362cdf1a79e432c1a145c015b8ebe470de616818661aee66e69a36fdfdc
                  • Opcode Fuzzy Hash: ae788fe751ee0be58c9acb5bc59c26b809d8107ff7273870792913bb3b40684f
                  • Instruction Fuzzy Hash: EF1112B59002088FDB20DF99D584BDFBBF8EB88324F10851AE916A7300C375A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C4DEB9, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                  Download Yara Rule
                  APIs
                  • SetWindowLongW.USER32(?,?,?), ref: 02C4DF1D
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID: LongWindow
                  • String ID:
                  • API String ID: 1378638983-0
                  • Opcode ID: 104f529b8c73ae4690a4b035a579a827e5eea87c6f65a25fe193a8fa1e62fecb
                  • Instruction ID: 1f74bdec939392bd33edbe37722f9312bc4d09608b06492dc56f1b1a13e38162
                  • Opcode Fuzzy Hash: 104f529b8c73ae4690a4b035a579a827e5eea87c6f65a25fe193a8fa1e62fecb
                  • Instruction Fuzzy Hash: 7F1112B59002088FDB20DF99D584BDFBBF4FB48324F25851AE91AA7240C375A944CFA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0130D3EC, Relevance: .1, Instructions: 75COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.338177782.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4a7d40c06d22e25fbe8c6c6e443ee832de9b5eb956b711d5a619aa94235ed10a
                  • Instruction ID: 165720702cc08dcc2ede8f4343e5c6dbbff7368146337f5dc0edac44130efc9f
                  • Opcode Fuzzy Hash: 4a7d40c06d22e25fbe8c6c6e443ee832de9b5eb956b711d5a619aa94235ed10a
                  • Instruction Fuzzy Hash: BA213671104204DFCB02DFD8D8D0B67BBE5FB84328F21C569E9091B686C736E856C6A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0130D4D8, Relevance: .1, Instructions: 75COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.338177782.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 46b94c491f8f91ae7bb3dacbd5104591f15da53693199f3cdd0cd451dd740249
                  • Instruction ID: c667b603f9a7632df533cae1858c52b65268f7307ee4be68ab54ab671e4c7e72
                  • Opcode Fuzzy Hash: 46b94c491f8f91ae7bb3dacbd5104591f15da53693199f3cdd0cd451dd740249
                  • Instruction Fuzzy Hash: 34210371504204DFDB02DFD8D9D4B26BBE9FB8832CF248569ED054B286C337D856CAA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0131D01C, Relevance: .1, Instructions: 72COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.338192491.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 31e95792b61cb2502c65d41b8cad8fea83d874e72e7c4d397e369c4f5ad80c40
                  • Instruction ID: 36c7578dbe00b061f7142b21eba12cf1b4114a9dc77e82bf82a4d1bb30434a98
                  • Opcode Fuzzy Hash: 31e95792b61cb2502c65d41b8cad8fea83d874e72e7c4d397e369c4f5ad80c40
                  • Instruction Fuzzy Hash: AB212575504204DFCB19DF98D8C8B16BB65FB85358F20C969D8094B24AC33BD847CA61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0130D3E7, Relevance: .1, Instructions: 56COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.338177782.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 90825e81fda1175a189452765487cd28cd30970da8754c189eaf9e16a5c9c767
                  • Instruction ID: 2c2836805ffcb2f245bd40b9a0a1f0ed29441fc7f4afd17273057250ce83d2c4
                  • Opcode Fuzzy Hash: 90825e81fda1175a189452765487cd28cd30970da8754c189eaf9e16a5c9c767
                  • Instruction Fuzzy Hash: 0311D376404284DFCB02DF94D9D4B56BFB2FB84324F24C6A9D8091B656C33AE45ACBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0130D4D3, Relevance: .1, Instructions: 56COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.338177782.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 90825e81fda1175a189452765487cd28cd30970da8754c189eaf9e16a5c9c767
                  • Instruction ID: c2afef3dc153bae34d7f07b2bb94403e5c7acc29e8948b7cc5bb2c11e71e41f3
                  • Opcode Fuzzy Hash: 90825e81fda1175a189452765487cd28cd30970da8754c189eaf9e16a5c9c767
                  • Instruction Fuzzy Hash: AA11D376404280CFCB12CF94D5C4B16BFB1FB84328F24C6A9DC050B656C33AD45ACBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0131D017, Relevance: .1, Instructions: 53COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.338192491.000000000131D000.00000040.00000001.sdmp, Offset: 0131D000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ed38130cc456892f0caa2b8aedfe38c2b09f5093f4f2c6b79a667aa289cdca40
                  • Instruction ID: 5364a6f5b446fbae3a0506039323ea2fa55c64ae47a874930685f47fa6382ad6
                  • Opcode Fuzzy Hash: ed38130cc456892f0caa2b8aedfe38c2b09f5093f4f2c6b79a667aa289cdca40
                  • Instruction Fuzzy Hash: 2511D075504280CFCB16CF54D5C8B16FF61FB45318F24C6AAD8094B65AC33AD44ACB62
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0130D749, Relevance: .0, Instructions: 45COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.338177782.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7f5cb972c4bd4a89b93c148e2e1bd725e1de2cddf18f67b95b60f7129330b0a0
                  • Instruction ID: 9946c08ca6dbbe539d99058f4315a4a96104ede397286cfaebce91548f5f846b
                  • Opcode Fuzzy Hash: 7f5cb972c4bd4a89b93c148e2e1bd725e1de2cddf18f67b95b60f7129330b0a0
                  • Instruction Fuzzy Hash: 0001F7710083C89AE7224EE9CC84B67FBDCEF45638F08855AEE054B282C3799844CAB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0130D748, Relevance: .0, Instructions: 36COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.338177782.000000000130D000.00000040.00000001.sdmp, Offset: 0130D000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ec5a2d14ffe9d41384d61d67d2334ea449df37a6d8793ea543fd8acf9f3144f5
                  • Instruction ID: d56c1e369f6a05c097609eaaf8facb1ce3d240f63cc6563b5f0a888473ae94f9
                  • Opcode Fuzzy Hash: ec5a2d14ffe9d41384d61d67d2334ea449df37a6d8793ea543fd8acf9f3144f5
                  • Instruction Fuzzy Hash: 55F068714042849EE7158E59DCC4762FFD8EB85634F18C55AEE045B287C3759844CAB1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Function 0B775690, Relevance: 3.9, Strings: 3, Instructions: 186COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: ~1MJ$Wma$Wma
                  • API String ID: 0-2219911554
                  • Opcode ID: 2da064e6714ca4ef132434ee8df25ed369f34b35dd9bb79f6439c06fc5e3d416
                  • Instruction ID: 70b357c4d282217d3ceaf0c1bd11cc4cf63c42d643c6ad5a79631f56175012e5
                  • Opcode Fuzzy Hash: 2da064e6714ca4ef132434ee8df25ed369f34b35dd9bb79f6439c06fc5e3d416
                  • Instruction Fuzzy Hash: EF714A71D5462ACBDB28DF66C8447EDB7B6FF99300F10C5AAD41DA7214EB309A858F40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B775680, Relevance: 3.9, Strings: 3, Instructions: 177COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID: ~1MJ$Wma$Wma
                  • API String ID: 0-2219911554
                  • Opcode ID: 2a8ecd03c7c8597e6ea53242235c5af0cd9408e2f862a386c2af6c9c27129211
                  • Instruction ID: 89018bf4782d2a0ca00d3ae856c1ce1f08e0eb011207f737487fb266ff9227c9
                  • Opcode Fuzzy Hash: 2a8ecd03c7c8597e6ea53242235c5af0cd9408e2f862a386c2af6c9c27129211
                  • Instruction Fuzzy Hash: 1E713C71E5466ACBDB28CF66C8447DDB7B2FF99300F14C5EAD419A7214EB305A868F40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C4C2B0, Relevance: .5, Instructions: 520COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b722641bdb31dabc775a7212f6eb75ec394c52a338c28deb144c0b7f5a9b5dd0
                  • Instruction ID: ee7b493010158b0f7f73422dfd73ec0f91c38ac66ece4ddd3d736fde412c7065
                  • Opcode Fuzzy Hash: b722641bdb31dabc775a7212f6eb75ec394c52a338c28deb144c0b7f5a9b5dd0
                  • Instruction Fuzzy Hash: D45213B16316068BD710CF14F98E1AD7FA1BF4532CB904209E2656FBD0DBB8658ACF94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 02C49968, Relevance: .3, Instructions: 265COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.338292368.0000000002C40000.00000040.00000001.sdmp, Offset: 02C40000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 133594b189d7186923ea09eca1452433419c7f868f07abbe56e75cf19f60b8e7
                  • Instruction ID: a878563755a53d5ba5c72c499cc5ea2ec753b8bf6a1c14de104751dbcea8cb97
                  • Opcode Fuzzy Hash: 133594b189d7186923ea09eca1452433419c7f868f07abbe56e75cf19f60b8e7
                  • Instruction Fuzzy Hash: DAA16A36E106198FCF05DFA5D8845DEBBB2FF85304B15856AE905AB261EF31EA06CF40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B7714CF, Relevance: .2, Instructions: 188COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d7e14cfa4aeae7b7e3b49b5e641ffeee89df24ebe201ef2a30559c045db492e8
                  • Instruction ID: 2793296d3e0546b972b3cd0930b5ac490caeb5ca7fc26f5a69c2173eafa3b9bd
                  • Opcode Fuzzy Hash: d7e14cfa4aeae7b7e3b49b5e641ffeee89df24ebe201ef2a30559c045db492e8
                  • Instruction Fuzzy Hash: DE7146B4E4420A8FCF08DFA9C4815EEFBF2AF89310F54D426E526B7654D7349A418FA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B7714E0, Relevance: .2, Instructions: 184COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d419e5d6613996a26070f60217cf3af35c04db6be25d2c44ac320b9d7d3d0f45
                  • Instruction ID: 944e8e9c17231f0180afa035db66a913a2fb0506aed37e2104eb07d510a97009
                  • Opcode Fuzzy Hash: d419e5d6613996a26070f60217cf3af35c04db6be25d2c44ac320b9d7d3d0f45
                  • Instruction Fuzzy Hash: 2B712874E0520A9BCF08DFA9C4815EEFBF2AB88350F54D426E526B7654D734DA418FA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B771E40, Relevance: .2, Instructions: 153COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e3cd1f70e0b086ee3de1aed85ee16b0939050eb073a358c3299f1aad890697d3
                  • Instruction ID: bd4b263e982a410310b08c9e4de6ccfeb9ae9aa3e784db49891a01d6d508c0a1
                  • Opcode Fuzzy Hash: e3cd1f70e0b086ee3de1aed85ee16b0939050eb073a358c3299f1aad890697d3
                  • Instruction Fuzzy Hash: 6D611674E01218DFDB58DF69D980B9EFBF2BF89300F1484AAE519AB251DB309A40CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B771E39, Relevance: .1, Instructions: 141COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 649944fc3dddb434574c5775aad5ba7c6d0ee0dfe1d3cca155127cbfa73f8c12
                  • Instruction ID: db43f4808d2cba33c7ffc905ba6b46c40b1b821f753e0ce315a97f9b13308f6e
                  • Opcode Fuzzy Hash: 649944fc3dddb434574c5775aad5ba7c6d0ee0dfe1d3cca155127cbfa73f8c12
                  • Instruction Fuzzy Hash: 62511674E112199FDB58DF69C980B9EB7F2BF88300F1484AAE418A7365DB309A40CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B770040, Relevance: .1, Instructions: 84COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f2077be8cc271f50c773b39893be544a109e53acce2b6c70cb7b788ce54025f0
                  • Instruction ID: 4533f3a13df9fd7172f72cbf0819a588f189401baca8faed5dc77f75297de70a
                  • Opcode Fuzzy Hash: f2077be8cc271f50c773b39893be544a109e53acce2b6c70cb7b788ce54025f0
                  • Instruction Fuzzy Hash: 73311870E12219DBDF18CFAAD9916DEFAF6FBC8210F14C46AE509E7214DB345A418F50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B770033, Relevance: .1, Instructions: 76COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cfc669ef3560e416e809836a4fd71fe268d18e589cd8b0b8edc18168ad02dfb0
                  • Instruction ID: d62ffffa651c5310d8e6e882d29095658a91e98e0ac6d619d480ec1689038f4e
                  • Opcode Fuzzy Hash: cfc669ef3560e416e809836a4fd71fe268d18e589cd8b0b8edc18168ad02dfb0
                  • Instruction Fuzzy Hash: 80313A70E122199BDF08CFAAD9906AEFAF3BFC9200F14C46AE409E7254DB345A01CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B7717E8, Relevance: .1, Instructions: 60COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5c676d030cd18b45bf1f3f12cb2562a6b9137c6f47d94764b38db1f820fb1a05
                  • Instruction ID: a3a22b4eacdc1da8523e13f346db485218a04523ac6a4ddc89cbf7c1275a6306
                  • Opcode Fuzzy Hash: 5c676d030cd18b45bf1f3f12cb2562a6b9137c6f47d94764b38db1f820fb1a05
                  • Instruction Fuzzy Hash: 1D110671E116199BDB08CFAAE8416DEFBF7ABC8210F14C46AD508B7254DB305A128B51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0B7717D9, Relevance: .1, Instructions: 56COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000000.00000002.342665607.000000000B770000.00000040.00000001.sdmp, Offset: 0B770000, based on PE: false
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 07259302ac393949e8e6485f3c2f076cc421221b1309bd7d98c79d631f6d5278
                  • Instruction ID: 59fd596d3ca8238cc334ea7358cfb7a55ffda3d47d6531d91e4d590de2d8372d
                  • Opcode Fuzzy Hash: 07259302ac393949e8e6485f3c2f076cc421221b1309bd7d98c79d631f6d5278
                  • Instruction Fuzzy Hash: AA212970E116189BDB08CFAAD94169EFBF3AFC9210F18C46AD408B7259DB708A41CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Analysis Process: T31597760-Confirm-20210507-100016-Email-1574401.PDF.exe PID: 6900 Parent PID: 6764 T31597760-Confirm-20210507-100016-Email-1574401.PDF.exeCOMMON

                  Executed Functions

                  Function 0041826A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON
                  Download Yara Rule
                  C-Code - Quality: 21%
                  			E0041826A(void* __eax, void* __edi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t20;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				asm("movsd");
				_t15 = _a4;
				_t32 = _a4 + 0xc48;
				E00418DC0(__edi, _a4, _t32,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t20 =  *((intOrPtr*)( *_t32))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t31, _t34); // executed
				return _t20;
			}







                  0x0041826e
                  0x00418273
                  0x0041827f
                  0x00418287
                  0x00418292
                  0x004182ad
                  0x004182b5
                  0x004182b9

                  APIs
                  • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: FileRead
                  • String ID: R=A$R=A
                  • API String ID: 2738559852-3742021989
                  • Opcode ID: e4d14842bb087fc98d619dea8e6f7a977b267004ade3294232af9d8594a33d30
                  • Instruction ID: e9e0998607bea7e7cc0b8a1f29ca1e73b5fed5e855c2cf8eead2bcebcb3dc59e
                  • Opcode Fuzzy Hash: e4d14842bb087fc98d619dea8e6f7a977b267004ade3294232af9d8594a33d30
                  • Instruction Fuzzy Hash: 3BF01DB6210045ABCB04DF98D890DEB77ADFF8C354B15864DFE5D97202C634E855CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON
                  Download Yara Rule
                  C-Code - Quality: 37%
                  			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}






                  0x00418273
                  0x0041827f
                  0x00418287
                  0x00418292
                  0x004182ad
                  0x004182b5
                  0x004182b9

                  APIs
                  • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: FileRead
                  • String ID: R=A$R=A
                  • API String ID: 2738559852-3742021989
                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                  • Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                  • Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0041839A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49memorynativeCOMMON
                  Download Yara Rule
                  C-Code - Quality: 100%
                  			E0041839A(signed int __eax, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20, void* _a24, void* _a28) {

				if ((__eax & 0x276678a0) >= 0) goto L3;
			}



                  0x0041839f

                  APIs
                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: AllocateMemoryVirtual
                  • String ID: )zA
                  • API String ID: 2167126740-483804167
                  • Opcode ID: 402d84d8e7c438e1ba9ce69849eabaa5df1aa3944c7e5ad4102d93dbc5c78b6f
                  • Instruction ID: ce0d02a3d783eeb29b2ccfa86ec0c49f2f78b9eeb23b083cb934913116641df3
                  • Opcode Fuzzy Hash: 402d84d8e7c438e1ba9ce69849eabaa5df1aa3944c7e5ad4102d93dbc5c78b6f
                  • Instruction Fuzzy Hash: 140116B2200209AFCB04DF99DC81EEB73ADEF88714F10850DFE1997241DA34E820CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                  Download Yara Rule
                  APIs
                  • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                  • Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                  • Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                  Download Yara Rule
                  APIs
                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: AllocateMemoryVirtual
                  • String ID:
                  • API String ID: 2167126740-0
                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                  • Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                  • Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                  Download Yara Rule
                  APIs
                  • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: Close
                  • String ID:
                  • API String ID: 3535843008-0
                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                  • Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                  • Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: dc46429c5e6821c52636eee91567cf4762904e38432a4002368bb751ae4dbeaf
                  • Instruction ID: 74741a67e24cb28b881b83f3ba163e506b9ccc6280285d71c6b1b5186d0a9411
                  • Opcode Fuzzy Hash: dc46429c5e6821c52636eee91567cf4762904e38432a4002368bb751ae4dbeaf
                  • Instruction Fuzzy Hash: 2390027520100513E521619945047070009ABD0285F91C422A0415558DD69A8956B161
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 5e46edd5fffca53e222006b0dc689a786ae9905a7ff95a3dbab93073f135caca
                  • Instruction ID: a3f17b5b6f1c37ca23a0264c33f233826f565501b49d30e3d09cae61ffb1a442
                  • Opcode Fuzzy Hash: 5e46edd5fffca53e222006b0dc689a786ae9905a7ff95a3dbab93073f135caca
                  • Instruction Fuzzy Hash: 7990027520100902E5907199440464A0005ABD1345F91C025A0016654DCA598A5D77E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013696E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 049967c619366acf593830773f3c1259c43b10b017a1b18bc2ca05f532d00014
                  • Instruction ID: 3dc40dc6188b3d3632ff4af2eedef2dd6286d27d28da7775e2fc77237da3b46b
                  • Opcode Fuzzy Hash: 049967c619366acf593830773f3c1259c43b10b017a1b18bc2ca05f532d00014
                  • Instruction Fuzzy Hash: 6E90027520108902E5206199840474A0005ABD0345F55C421A4415658DC6D988957161
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 004088B0, Relevance: .1, Instructions: 92COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                  • Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
                  • Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                  • Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 004184C3, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON
                  Download Yara Rule
                  APIs
                  • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: d4bf495cb6b2f7158607f587fc980670498cb54fb4976acfd9385afcc1eddcb9
                  • Instruction ID: 8d1bc7d2bb9a21ab2fec779cdc8dbcd83cdd7f5ea9abd3e72fdc322e110b62bd
                  • Opcode Fuzzy Hash: d4bf495cb6b2f7158607f587fc980670498cb54fb4976acfd9385afcc1eddcb9
                  • Instruction Fuzzy Hash: A3F06DB22002147BCB14EFA9DC85DE77769EF84320F11859AFD589B242DA30ED508BF0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 00418456, Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMON
                  Download Yara Rule
                  APIs
                  • RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 9166814a1b9337c75d0b10b6963e62a533780551f2b3932bf76439c922d6724e
                  • Instruction ID: f19b84f3fb4b98287ed207175da4bbbd0e4a5beff73ed650df0103b647d0ac5a
                  • Opcode Fuzzy Hash: 9166814a1b9337c75d0b10b6963e62a533780551f2b3932bf76439c922d6724e
                  • Instruction Fuzzy Hash: E8F0A072204314ABD728EF84EC85EE7776DEF84350F01849DFA485B251DA36EA14C7E0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                  Download Yara Rule
                  APIs
                  • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: FreeHeap
                  • String ID:
                  • API String ID: 3298025750-0
                  • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                  • Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                  • Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                  Download Yara Rule
                  APIs
                  • RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
                  Memory Dump Source
                  • Source File: 00000003.00000002.338833757.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                  • Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                  • Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0136967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                  Download Yara Rule
                  APIs
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: 30b55fa673fe34731802113e1d48b415a414e6af0114c46dda07107ba583878b
                  • Instruction ID: d6870fbd43e3a2f2bab507b739b5854422c787c10357b5ee55c8b048a67ef7da
                  • Opcode Fuzzy Hash: 30b55fa673fe34731802113e1d48b415a414e6af0114c46dda07107ba583878b
                  • Instruction Fuzzy Hash: F2B09B719015C5C9EA11D7A4470871779047BD0759F16C061D1020641F477CC495F6B5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Non-executed Functions

                  Function 013DB260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON
                  Download Yara Rule
                  Strings
                  • This failed because of error %Ix., xrefs: 013DB446
                  • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 013DB53F
                  • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 013DB39B
                  • The critical section is owned by thread %p., xrefs: 013DB3B9
                  • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 013DB323
                  • The resource is owned shared by %d threads, xrefs: 013DB37E
                  • Go determine why that thread has not released the critical section., xrefs: 013DB3C5
                  • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 013DB2DC
                  • write to, xrefs: 013DB4A6
                  • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 013DB484
                  • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 013DB314
                  • a NULL pointer, xrefs: 013DB4E0
                  • *** Resource timeout (%p) in %ws:%s, xrefs: 013DB352
                  • an invalid address, %p, xrefs: 013DB4CF
                  • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 013DB3D6
                  • *** enter .cxr %p for the context, xrefs: 013DB50D
                  • *** Inpage error in %ws:%s, xrefs: 013DB418
                  • *** A stack buffer overrun occurred in %ws:%s, xrefs: 013DB2F3
                  • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 013DB476
                  • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 013DB305
                  • *** An Access Violation occurred in %ws:%s, xrefs: 013DB48F
                  • *** enter .exr %p for the exception record, xrefs: 013DB4F1
                  • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 013DB38F
                  • The resource is owned exclusively by thread %p, xrefs: 013DB374
                  • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 013DB47D
                  • <unknown>, xrefs: 013DB27E, 013DB2D1, 013DB350, 013DB399, 013DB417, 013DB48E
                  • *** then kb to get the faulting stack, xrefs: 013DB51C
                  • The instruction at %p tried to %s , xrefs: 013DB4B6
                  • read from, xrefs: 013DB4AD, 013DB4B2
                  • The instruction at %p referenced memory at %p., xrefs: 013DB432
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                  • API String ID: 0-108210295
                  • Opcode ID: af0dfbc4fbc15993dbcfb841a400ca6fb712ce532bf833afda7094658e8d8b21
                  • Instruction ID: 869cbefe573f2803e77141905d826d5ca052f28f8e9c3c9a65238e03b64ae0b4
                  • Opcode Fuzzy Hash: af0dfbc4fbc15993dbcfb841a400ca6fb712ce532bf833afda7094658e8d8b21
                  • Instruction Fuzzy Hash: 50814A36A00210FFDB2A9E4AEC8ADAB7F35EF5765DF420048F6042B21AE3668511D771
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E1C06, Relevance: 31.4, Strings: 25, Instructions: 195COMMON
                  Download Yara Rule
                  C-Code - Quality: 44%
                  			E013E1C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x13048a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0132B150();
				} else {
					E0132B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x141589c);
				E0132B150("Heap error detected at %p (heap handle %p)\n",  *0x14158a0);
				_t27 =  *0x1415898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M013E1E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0132B150();
				} else {
					E0132B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E0132B150("Error code: %d - %s\n",  *0x1415898);
				_t113 =  *0x14158a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0132B150();
					} else {
						E0132B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0132B150("Parameter1: %p\n",  *0x14158a4);
				}
				_t115 =  *0x14158a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0132B150();
					} else {
						E0132B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0132B150("Parameter2: %p\n",  *0x14158a8);
				}
				_t117 =  *0x14158ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0132B150();
					} else {
						E0132B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E0132B150("Parameter3: %p\n",  *0x14158ac);
				}
				_t119 =  *0x14158b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E0132B150();
					} else {
						E0132B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x14158b4);
					E0132B150("Last known valid blocks: before - %p, after - %p\n",  *0x14158b0);
				} else {
					_t120 =  *0x14158b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E0132B150();
				} else {
					E0132B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E0132B150("Stack trace available at %p\n", 0x14158c0);
			}











                  0x013e1c10
                  0x013e1c16
                  0x013e1c1e
                  0x013e1c3d
                  0x013e1c3e
                  0x013e1c20
                  0x013e1c35
                  0x013e1c3a
                  0x013e1c44
                  0x013e1c55
                  0x013e1c5a
                  0x013e1c65
                  0x013e1c67
                  0x00000000
                  0x013e1c6e
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x013e1c67
                  0x013e1cdc
                  0x013e1ce5
                  0x013e1d04
                  0x013e1d05
                  0x013e1ce7
                  0x013e1cfc
                  0x013e1d01
                  0x013e1d0b
                  0x013e1d17
                  0x013e1d1f
                  0x013e1d25
                  0x013e1d30
                  0x013e1d4f
                  0x013e1d50
                  0x013e1d32
                  0x013e1d47
                  0x013e1d4c
                  0x013e1d61
                  0x013e1d67
                  0x013e1d68
                  0x013e1d6e
                  0x013e1d79
                  0x013e1d98
                  0x013e1d99
                  0x013e1d7b
                  0x013e1d90
                  0x013e1d95
                  0x013e1daa
                  0x013e1db0
                  0x013e1db1
                  0x013e1db7
                  0x013e1dc2
                  0x013e1de1
                  0x013e1de2
                  0x013e1dc4
                  0x013e1dd9
                  0x013e1dde
                  0x013e1df3
                  0x013e1df9
                  0x013e1dfa
                  0x013e1e00
                  0x013e1e0a
                  0x013e1e13
                  0x013e1e32
                  0x013e1e33
                  0x013e1e15
                  0x013e1e2a
                  0x013e1e2f
                  0x013e1e39
                  0x013e1e4a
                  0x013e1e02
                  0x013e1e02
                  0x013e1e08
                  0x00000000
                  0x00000000
                  0x013e1e08
                  0x013e1e5b
                  0x013e1e7a
                  0x013e1e7b
                  0x013e1e5d
                  0x013e1e72
                  0x013e1e77
                  0x013e1e95

                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                  • API String ID: 0-2897834094
                  • Opcode ID: 228c091ccf7ca1d41218f71786822bc7a3d67bbe902f4982a5a7727da1d21355
                  • Instruction ID: af46d7fd256ad3ace859e3af3f5c00e2317e0b77d1a2c536cab661d91073a073
                  • Opcode Fuzzy Hash: 228c091ccf7ca1d41218f71786822bc7a3d67bbe902f4982a5a7727da1d21355
                  • Instruction Fuzzy Hash: 5461F836510269DFD616BB8DD489E31B3E8EB4493CB59803EFC0D9F799D631AC608B09
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135C9BF, Relevance: 14.2, Strings: 11, Instructions: 412COMMON
                  Download Yara Rule
                  C-Code - Quality: 77%
                  			E0135C9BF(signed int __ecx, signed int __edx, signed int _a4, intOrPtr _a12) {
				signed int _v12;
				char _v552;
				char _v1072;
				char _v1073;
				signed int _v1080;
				signed int _v1084;
				signed short _v1088;
				signed int _v1092;
				signed short _v1094;
				char _v1096;
				char _v1100;
				intOrPtr _v1104;
				signed int _v1108;
				char _v1112;
				char _v1116;
				signed short _v1120;
				char _v1124;
				char* _v1128;
				char _v1132;
				char _v1135;
				char _v1136;
				signed int _v1140;
				char _v1144;
				intOrPtr _v1148;
				short _v1150;
				char _v1152;
				signed int _v1156;
				char* _v1160;
				char _v1164;
				signed int _v1168;
				signed int _v1172;
				intOrPtr _v1176;
				intOrPtr _v1180;
				char _v1184;
				signed int _v1188;
				signed int _v1192;
				intOrPtr _v1196;
				char* _v1200;
				intOrPtr _v1204;
				char _v1208;
				char _v1216;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t166;
				void* _t184;
				signed short _t188;
				char _t199;
				intOrPtr _t200;
				signed int _t205;
				signed int _t207;
				intOrPtr _t218;
				short _t219;
				char _t236;
				char _t242;
				signed int _t253;
				intOrPtr _t258;
				void* _t260;
				signed int _t272;
				void* _t276;
				unsigned int _t277;
				signed short _t279;
				signed int _t280;
				void* _t281;
				void* _t305;

				_t271 = __edx;
				_v12 =  *0x141d360 ^ _t280;
				_t253 = _a4;
				_v1104 = _a12;
				_t272 = __ecx;
				_v1160 =  &_v1072;
				_v1168 = __ecx;
				_t166 = 0;
				_v1073 = 0;
				_v1084 = 0;
				_t274 = 0;
				_v1156 = 0;
				_v1164 = 0x2080000;
				_v1096 = 0;
				_v1092 = 0;
				_v1112 = 0;
				_v1108 = 0;
				_v1100 = 0;
				if(__ecx == 0) {
					L67:
					_push(_t166);
					_push(_t253);
					_push(_t271);
					_push(_t272);
					E013B5720(0x33, 0, "SXS: %s() bad parameters\nSXS:   Map                : %p\nSXS:   Data               : %p\nSXS:   AssemblyRosterIndex: 0x%lx\nSXS:   Map->AssemblyCount : 0x%lx\n", "RtlpResolveAssemblyStorageMapEntry");
					_t274 = 0xc000000d;
					L21:
					if(_v1073 == 0) {
						L23:
						if(_v1092 != 0) {
							E0132AD30(_v1092);
						}
						L24:
						if(_v1084 != 0) {
							_push(_v1084);
							E013695D0();
						}
						_t170 = _v1156;
						if(_v1156 != 0) {
							L013477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t170);
						}
						L26:
						return E0136B640(_t274, _t253, _v12 ^ _t280, _t271, _t272, _t274);
					}
					L22:
					_v1144 = _v1100;
					E0135CCC0(4,  &_v1144, _v1104);
					goto L23;
				}
				if(__edx == 0 || _t253 < 1 || _t253 >  *((intOrPtr*)(__ecx + 4))) {
					_t166 =  *((intOrPtr*)(_t272 + 4));
					goto L67;
				} else {
					if( *((intOrPtr*)( *((intOrPtr*)(__ecx + 8)) + _t253 * 4)) != 0) {
						goto L26;
					}
					asm("lfence");
					_t258 =  *((intOrPtr*)(__edx + 0x18));
					_t260 =  *((intOrPtr*)(_t258 + __edx + 0x10)) + __edx;
					_t276 =  *((intOrPtr*)(_t253 * 0x18 +  *((intOrPtr*)(_t258 + __edx + 0xc)) + __edx + 0x10)) + __edx;
					_t181 =  *((intOrPtr*)(_t276 + 0x50));
					if( *((intOrPtr*)(_t276 + 0x50)) > 0xfffe) {
						_push(__edx);
						E013B5720(0x33, 0, "SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p\n", _t181);
						_t274 = 0xc0000106;
						goto L23;
					}
					if(( *(_t276 + 4) & 0x00000010) != 0) {
						_v1080 =  &_v1164;
						_t272 =  *((intOrPtr*)(_t276 + 0x18)) + _t260;
						if(_t272 != 0) {
							_t184 = L013713D0(_t272, 0x5c);
							if(_t184 != 0) {
								_t188 = 0x00000004 + (_t184 - _t272 >> 0x00000001) * 0x00000002 & 0x0000ffff;
								_v1088 = _t188;
								_t277 = _t188 & 0x0000ffff;
								if(_t188 <= 0x208) {
									_t264 = _v1080;
									L39:
									E0136F3E0( *((intOrPtr*)(_t264 + 4)), _t272, _t277 - 2);
									_t281 = _t281 + 0xc;
									 *((short*)( *((intOrPtr*)(_v1080 + 4)) + (_t277 >> 1) * 2 - 2)) = 0;
									 *_v1080 = _v1088 + 0xfffffffe;
									L18:
									if(_v1084 == 0) {
										if(E01336A00( *((intOrPtr*)(_v1080 + 4)),  &_v1112, 0,  &_v1184) != 0) {
											_v1156 = _v1108;
											_t199 = _v1184;
											if(_t199 == 0) {
												_t200 = 0;
											} else {
												_v1112 = _t199;
												_v1108 = _v1180;
												_t200 = _v1176;
											}
											_v1192 = _v1192 & 0x00000000;
											_v1188 = _v1188 & 0x00000000;
											_v1204 = _t200;
											_push(0x21);
											_v1200 =  &_v1112;
											_push(3);
											_push( &_v1216);
											_v1208 = 0x18;
											_push( &_v1208);
											_push(0x100020);
											_v1196 = 0x40;
											_push( &_v1084);
											_t205 = E01369830();
											_t272 = _v1172;
											_t274 = _t205;
											if(_t272 != 0) {
												asm("lock xadd [edi], eax");
												if((_t205 | 0xffffffff) == 0) {
													_push( *((intOrPtr*)(_t272 + 4)));
													E013695D0();
													L013477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t272);
												}
											}
											if(_t274 >= 0) {
												goto L19;
											} else {
												_push(_t274);
												E013B5720(0x33, 0, "SXS: Unable to open assembly directory under storage root \"%S\"; Status = 0x%08lx\n",  *((intOrPtr*)(_v1080 + 4)));
												goto L21;
											}
										}
										E013B5720(0x33, 0, "SXS: Attempt to translate DOS path name \"%S\" to NT format failed\n",  *((intOrPtr*)(_v1080 + 4)));
										_t274 = 0xc000003a;
										goto L21;
									}
									L19:
									_t271 = _t253;
									_t207 = E0135CE6C(_v1168, _t253, _v1080,  &_v1084);
									_t274 = _t207;
									if(_t207 < 0) {
										E013B5720(0x33, 0, "SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx\n", _t274);
									} else {
										_t274 = 0;
									}
									goto L21;
								}
								_v1094 = _t188;
								_t218 = E01343A1C(_t277);
								_v1092 = _t218;
								if(_t218 != 0) {
									_t264 =  &_v1096;
									_v1080 =  &_v1096;
									goto L39;
								}
								_t274 = 0xc0000017;
								goto L24;
							}
							_t274 = 0xc00000e5;
							goto L23;
						}
						_t274 = 0xc00000e5;
						goto L26;
					}
					_v1080 = _v1080 & 0x00000000;
					_t219 =  *((intOrPtr*)(_t276 + 0x50));
					_v1152 = _t219;
					_v1150 = _t219;
					_v1144 = __edx;
					_v1148 =  *((intOrPtr*)(_t276 + 0x54)) + _t260;
					_v1140 = _t253;
					_v1128 =  &_v552;
					_v1136 = 0;
					_v1132 = 0x2160000;
					_v1124 = 0;
					_v1116 = 0;
					_v1120 = 0;
					E0135CCC0(1,  &_v1144, _v1104);
					if(_v1116 != 0) {
						_t274 = 0xc0000120;
						goto L23;
					}
					if(_v1124 != 0) {
						_t271 =  &_v1132;
						_t274 = E0135CF6A( &_v1132,  &_v1152,  &_v1164,  &_v1096,  &_v1080,  &_v1084);
						if(_t274 >= 0) {
							_t271 = _t253;
							_t274 = E0135CE6C(_t272, _t253,  &_v1132,  &_v1084);
							if(_t274 < 0) {
								_push(_t274);
								_push(_t253);
								_push("SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx\n");
								L44:
								_push(0);
								_push(0x33);
								E013B5720();
								goto L23;
							}
							_t274 = 0;
							goto L23;
						}
						_push(_t274);
						_push( &_v1132);
						_push("SXS: Attempt to probe known root of assembly storage (\"%wZ\") failed; Status = 0x%08lx\n");
						goto L44;
					}
					_t279 = _v1120;
					_t272 = 0;
					_t236 = _v1136;
					_v1100 = _t236;
					_v1088 = _t279;
					_v1073 = 1;
					if(_t279 == 0) {
						L16:
						_t305 = _t272 - _t279;
						L17:
						if(_t305 == 0) {
							L54:
							_push(_t272);
							E013B5720(0x33, 0, "SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries\n",  &_v1152);
							_t274 = 0xc0150004;
							goto L22;
						}
						goto L18;
					} else {
						goto L10;
					}
					while(1) {
						L10:
						_v1144 = _t236;
						_v1128 =  &_v552;
						_v1140 = _t272;
						_v1132 = 0x2160000;
						_v1136 = 0;
						E0135CCC0(2,  &_v1144, _v1104);
						if(_v1136 != 0) {
							break;
						}
						_t242 = _v1132;
						if(_v1135 != 0) {
							if(_t242 == 0) {
								goto L54;
							}
							_t119 = _t272 + 1; // 0x1
							_t279 = _t119;
							_v1088 = _t279;
						}
						if(_t242 == 0) {
							L27:
							_t272 = _t272 + 1;
							if(_t272 >= _t279) {
								goto L17;
							} else {
								_t236 = _v1100;
								continue;
							}
						}
						if(_v1084 != 0) {
							_push(_v1084);
							E013695D0();
							_v1084 = _v1084 & 0x00000000;
						}
						_t271 =  &_v1132;
						_t274 = E0135CF6A( &_v1132,  &_v1152,  &_v1164,  &_v1096,  &_v1080,  &_v1084);
						if(_t274 < 0) {
							if(_t274 != 0xc0150004) {
								_push(_t274);
								_push( &_v1152);
								E013B5720(0x33, 0, "SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx\n",  &_v1132);
								goto L22;
							}
							_t279 = _v1088;
							goto L27;
						} else {
							_t279 = _v1088;
							goto L16;
						}
					}
					_t274 = 0xc0000120;
					goto L22;
				}
			}




































































                  0x0135c9bf
                  0x0135c9d1
                  0x0135c9d8
                  0x0135c9dc
                  0x0135c9e9
                  0x0135c9eb
                  0x0135c9f3
                  0x0135c9f9
                  0x0135c9fb
                  0x0135ca01
                  0x0135ca07
                  0x0135ca09
                  0x0135ca0f
                  0x0135ca19
                  0x0135ca1f
                  0x0135ca25
                  0x0135ca2b
                  0x0135ca31
                  0x0135ca39
                  0x0139ac23
                  0x0139ac23
                  0x0139ac24
                  0x0139ac25
                  0x0139ac26
                  0x0139ac34
                  0x0139ac3c
                  0x0135cc3c
                  0x0135cc43
                  0x0135cc65
                  0x0135cc6c
                  0x0139ac4c
                  0x0139ac4c
                  0x0135cc72
                  0x0135cc79
                  0x0139ac56
                  0x0139ac5c
                  0x0139ac5c
                  0x0135cc7f
                  0x0135cc87
                  0x0139ac72
                  0x0139ac72
                  0x0135cc8d
                  0x0135cc9f
                  0x0135cc9f
                  0x0135cc45
                  0x0135cc51
                  0x0135cc60
                  0x00000000
                  0x0135cc60
                  0x0135ca41
                  0x0139ac20
                  0x00000000
                  0x0135ca59
                  0x0135ca5f
                  0x00000000
                  0x00000000
                  0x0135ca65
                  0x0135ca68
                  0x0135ca76
                  0x0135ca7c
                  0x0135ca7e
                  0x0135ca86
                  0x0139a8ea
                  0x0139a8f5
                  0x0139a8fd
                  0x00000000
                  0x0139a8fd
                  0x0135ca90
                  0x0139a90d
                  0x0139a916
                  0x0139a918
                  0x0139a927
                  0x0139a930
                  0x0139a94c
                  0x0139a94f
                  0x0139a955
                  0x0139a95b
                  0x0139a98c
                  0x0139a992
                  0x0139a99a
                  0x0139a9a9
                  0x0139a9af
                  0x0139a9c3
                  0x0135cc09
                  0x0135cc10
                  0x0139ab03
                  0x0139ab2f
                  0x0139ab35
                  0x0139ab3e
                  0x0139ab5a
                  0x0139ab40
                  0x0139ab40
                  0x0139ab4c
                  0x0139ab52
                  0x0139ab52
                  0x0139ab5c
                  0x0139ab63
                  0x0139ab6a
                  0x0139ab76
                  0x0139ab78
                  0x0139ab84
                  0x0139ab86
                  0x0139ab8d
                  0x0139ab97
                  0x0139ab98
                  0x0139aba3
                  0x0139abad
                  0x0139abae
                  0x0139abb3
                  0x0139abb9
                  0x0139abbd
                  0x0139abc2
                  0x0139abc6
                  0x0139abc8
                  0x0139abcb
                  0x0139abdc
                  0x0139abdc
                  0x0139abc6
                  0x0139abe3
                  0x00000000
                  0x0139abe9
                  0x0139abef
                  0x0139abfc
                  0x00000000
                  0x0139ac01
                  0x0139abe3
                  0x0139ab17
                  0x0139ab1f
                  0x00000000
                  0x0139ab1f
                  0x0135cc16
                  0x0135cc29
                  0x0135cc2b
                  0x0135cc30
                  0x0135cc34
                  0x0139ac13
                  0x0135cc3a
                  0x0135cc3a
                  0x0135cc3a
                  0x00000000
                  0x0135cc34
                  0x0139a95e
                  0x0139a965
                  0x0139a96a
                  0x0139a972
                  0x0139a97e
                  0x0139a984
                  0x00000000
                  0x0139a984
                  0x0139a974
                  0x00000000
                  0x0139a974
                  0x0139a932
                  0x00000000
                  0x0139a932
                  0x0139a91a
                  0x00000000
                  0x0139a91a
                  0x0135ca96
                  0x0135ca9d
                  0x0135caa7
                  0x0135caae
                  0x0135caba
                  0x0135cac0
                  0x0135cace
                  0x0135cad4
                  0x0135cae3
                  0x0135cae9
                  0x0135caf3
                  0x0135caf9
                  0x0135caff
                  0x0135cb05
                  0x0135cb11
                  0x0139a9cb
                  0x00000000
                  0x0139a9cb
                  0x0135cb1e
                  0x0139a9f8
                  0x0139aa03
                  0x0139aa07
                  0x0139aa36
                  0x0139aa47
                  0x0139aa4b
                  0x0139aa18
                  0x0139aa19
                  0x0139aa1a
                  0x0139aa1f
                  0x0139aa1f
                  0x0139aa21
                  0x0139aa23
                  0x00000000
                  0x0139aa28
                  0x0139aa4d
                  0x00000000
                  0x0139aa4d
                  0x0139aa09
                  0x0139aa10
                  0x0139aa11
                  0x00000000
                  0x0139aa11
                  0x0135cb24
                  0x0135cb2a
                  0x0135cb2c
                  0x0135cb32
                  0x0135cb38
                  0x0135cb3e
                  0x0135cb47
                  0x0135cc01
                  0x0135cc01
                  0x0135cc03
                  0x0135cc03
                  0x0139aac0
                  0x0139aac0
                  0x0139aad1
                  0x0139aad9
                  0x00000000
                  0x0139aad9
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0135cb4d
                  0x0135cb4d
                  0x0135cb53
                  0x0135cb5f
                  0x0135cb6e
                  0x0135cb74
                  0x0135cb7e
                  0x0135cb87
                  0x0135cb93
                  0x00000000
                  0x00000000
                  0x0135cba0
                  0x0135cba7
                  0x0139aa57
                  0x00000000
                  0x00000000
                  0x0139aa59
                  0x0139aa59
                  0x0139aa5c
                  0x0139aa5c
                  0x0135cbb0
                  0x0135cca2
                  0x0135cca2
                  0x0135cca5
                  0x00000000
                  0x0135ccab
                  0x0135ccab
                  0x00000000
                  0x0135ccab
                  0x0135cca5
                  0x0135cbbd
                  0x0139aa67
                  0x0139aa6d
                  0x0139aa72
                  0x0139aa72
                  0x0135cbe6
                  0x0135cbf1
                  0x0135cbf5
                  0x0139aa84
                  0x0139aa91
                  0x0139aa98
                  0x0139aaa9
                  0x00000000
                  0x0139aaae
                  0x0139aa86
                  0x00000000
                  0x0135cbfb
                  0x0135cbfb
                  0x00000000
                  0x0135cbfb
                  0x0135cbf5
                  0x0139aab6
                  0x00000000
                  0x0139aab6

                  Strings
                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 0139AC2C
                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 0139A8EC
                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 0139AA11
                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 0139AB0E
                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 0139AAC8
                  • @, xrefs: 0139ABA3
                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 0139AC0A
                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 0139AAA0
                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 0139AC27
                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 0139ABF3
                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 0139AA1A
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                  • API String ID: 0-4009184096
                  • Opcode ID: 3c42e0f285c3a845f927a5e42381b5d56de8a2605b856f7f559ecdeffe78d9be
                  • Instruction ID: 468393e848c3fea8e89a09bde3505c199719146b141749e143e683856aaaad7c
                  • Opcode Fuzzy Hash: 3c42e0f285c3a845f927a5e42381b5d56de8a2605b856f7f559ecdeffe78d9be
                  • Instruction Fuzzy Hash: 61026FF1D002299BDF61DB18CD80BDAB7BCAB54708F4051DAEA09A7241DB319E85CF59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E4AEF, Relevance: 11.8, Strings: 9, Instructions: 529COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                  • API String ID: 0-3591852110
                  • Opcode ID: 3970806fc0a680fe013fe984df154037d241f8b1a5db43368f8cb269b34def52
                  • Instruction ID: 68509e8c36a3fe5e9fbd859f38902df4f7c2d8b921c7780edb2017df3173618c
                  • Opcode Fuzzy Hash: 3970806fc0a680fe013fe984df154037d241f8b1a5db43368f8cb269b34def52
                  • Instruction Fuzzy Hash: 8912FF70200766DFEB25DF69C499BB6BBE5EF48718F148459E486CB782D734E880CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013578A0, Relevance: 8.5, Strings: 6, Instructions: 989COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$MUI$R$T${
                  • API String ID: 0-2515562510
                  • Opcode ID: 8620711a7f8f61bcb960ba5fbd8dcfd36252e451692c750580fa29499d1aa92f
                  • Instruction ID: 10c5a6ca5c0193456ba1f17d8dadc40faeca73e0ba310dc11192b2143b011293
                  • Opcode Fuzzy Hash: 8620711a7f8f61bcb960ba5fbd8dcfd36252e451692c750580fa29499d1aa92f
                  • Instruction Fuzzy Hash: B9926B71E0422DCFEFA5CF98C880BADBBB5BF45708F548299D95AAB241D734A941CF40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134A309, Relevance: 8.2, Strings: 6, Instructions: 687COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                  • API String ID: 0-523794902
                  • Opcode ID: 46d86958fb356053e7cd9437082702a6af318e4094d818350ae88e3abde5edd7
                  • Instruction ID: 8c02afde4475e0554dfc1f700fbedda9438ca010a2db274e9d7ac78f748946ed
                  • Opcode Fuzzy Hash: 46d86958fb356053e7cd9437082702a6af318e4094d818350ae88e3abde5edd7
                  • Instruction Fuzzy Hash: 5642EE716487429FDB15DF28C884B2BBBE9FF8821CF04496DE5868B392D734E981CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E2D82, Relevance: 7.7, Strings: 6, Instructions: 228COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                  • API String ID: 0-1745908468
                  • Opcode ID: 8aeb6211c60477e1989ffe385b598b2a8ef1b56c0da3929ea91042c8cc63b2f0
                  • Instruction ID: cc92d4f115934ee04919ff93c6cdb27aa594b4387fff5f435f3090aa21354530
                  • Opcode Fuzzy Hash: 8aeb6211c60477e1989ffe385b598b2a8ef1b56c0da3929ea91042c8cc63b2f0
                  • Instruction Fuzzy Hash: 73911331500765DFDB26EFACC458AAEBFF6BF88618F18801DE54A57791C7329946CB00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01342430, Relevance: 6.7, Strings: 5, Instructions: 461COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                  • API String ID: 0-3393094623
                  • Opcode ID: 9898b597cec44f7a51814598ca1dda716adef5343ecddb99c18fe3148937b1fc
                  • Instruction ID: 8b09549facd806d37dcc0a95a8fcb9a11b0f11cbdee19d24e26e0fd9a763e6d3
                  • Opcode Fuzzy Hash: 9898b597cec44f7a51814598ca1dda716adef5343ecddb99c18fe3148937b1fc
                  • Instruction Fuzzy Hash: AB02BC71508352CBD725DF68D080BABBBE4BF88758F04492EF989E7251E774E844CB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01333D34, Relevance: 6.7, Strings: 5, Instructions: 435COMMON
                  Download Yara Rule
                  Strings
                  • Kernel-MUI-Language-Disallowed, xrefs: 01333E97
                  • Kernel-MUI-Number-Allowed, xrefs: 01333D8C
                  • Kernel-MUI-Language-SKU, xrefs: 01333F70
                  • Kernel-MUI-Language-Allowed, xrefs: 01333DC0
                  • WindowsExcludedProcs, xrefs: 01333D6F
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                  • API String ID: 0-258546922
                  • Opcode ID: beef02b58ac37854d48c4d3fa09703caae6bb7bf34312e900173f3f0bc708d20
                  • Instruction ID: e2a979c49b7ce89ea1151a3e209abe3069333699a53c7c7817d64a0d95c75cba
                  • Opcode Fuzzy Hash: beef02b58ac37854d48c4d3fa09703caae6bb7bf34312e900173f3f0bc708d20
                  • Instruction Fuzzy Hash: BAF14B76D00219EFCB12DF98C980AEEBBFDFF58658F14406AE505A7250E7749E01CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013240E1, Relevance: 6.3, Strings: 5, Instructions: 51COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                  • API String ID: 0-188067316
                  • Opcode ID: 9dc0594929b54f19d070fcf267f21d26180a0344758b631d04e48502a8675995
                  • Instruction ID: b6da9a109dda933cefdcb54f8ad9b703f77818f70b5b7adbfb7dc326f26b69ef
                  • Opcode Fuzzy Hash: 9dc0594929b54f19d070fcf267f21d26180a0344758b631d04e48502a8675995
                  • Instruction Fuzzy Hash: B3014C721447559EE32AB76EE41EF52BBE8DB00B3CF29802DF00457795CAE4A484C720
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135701D, Relevance: 5.6, Strings: 4, Instructions: 569COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: #$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                  • API String ID: 0-3266796247
                  • Opcode ID: 507aea2de856eb7e2952fd07abef72d1509a45146463bf227611c51e10156045
                  • Instruction ID: f3a7ddf835424fa5ddde11db9c79dab9c9d0c90ec736de26320ff62af7c8c967
                  • Opcode Fuzzy Hash: 507aea2de856eb7e2952fd07abef72d1509a45146463bf227611c51e10156045
                  • Instruction Fuzzy Hash: FA32BF71A0026D8BDFA6CF18C884BEDBBB9AF45748F5440E9E849A7252D7309F81CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134A830, Relevance: 5.4, Strings: 4, Instructions: 350COMMON
                  Download Yara Rule
                  Strings
                  • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01392403
                  • HEAP: , xrefs: 013922E6, 013923F6
                  • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 013922F3
                  • HEAP[%wZ]: , xrefs: 013922D7, 013923E7
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                  • API String ID: 0-1657114761
                  • Opcode ID: 18c7aa5859fcae5b33169145fff2acfa9ae0015bc471bac199a806c3530e7207
                  • Instruction ID: d46b30e5fc1949c9057ec23f6ae81e5e5c2aa163c587ccac4070b39653880298
                  • Opcode Fuzzy Hash: 18c7aa5859fcae5b33169145fff2acfa9ae0015bc471bac199a806c3530e7207
                  • Instruction Fuzzy Hash: 50D1E074A4060A9FEB19CF6CC490BBABBF5FF48308F148569D9569B746E330B841CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134A229, Relevance: 5.2, Strings: 4, Instructions: 183COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                  • API String ID: 2994545307-2586055223
                  • Opcode ID: d4900a6a5dc3ba759ba2611564395d834b09daaf19917a4af2ca6a9561534fa6
                  • Instruction ID: 87fb4edb687edee8f8881e787f2335420f1bc313f85f5d9e16cc91c1d553592a
                  • Opcode Fuzzy Hash: d4900a6a5dc3ba759ba2611564395d834b09daaf19917a4af2ca6a9561534fa6
                  • Instruction Fuzzy Hash: F05117322446829FE722EB6CC844F777BE8FF84768F140464F5529B291D775E800CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E49A4, Relevance: 5.1, Strings: 4, Instructions: 114COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                  • API String ID: 2994545307-336120773
                  • Opcode ID: 1067d973dd08a62272f8c352fe64ce622bf2524430e29c6993d5af56084b0e5b
                  • Instruction ID: 2ded640dfa7462ce14e90c0afa080800a38dddbf4093cdf1c10e3da80966ca77
                  • Opcode Fuzzy Hash: 1067d973dd08a62272f8c352fe64ce622bf2524430e29c6993d5af56084b0e5b
                  • Instruction Fuzzy Hash: 1231DF71600224AFE722EB9DC899F66B7ECEF08638F244059F505DB6D5D670E884CB58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132751A, Relevance: 5.1, Strings: 4, Instructions: 101COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                  • API String ID: 0-1391187441
                  • Opcode ID: 05858337b81ea8b3003f710e008543e1df511a673b4464e5dbceb7539b0ecfb7
                  • Instruction ID: 4c6dfce9757cb8d36b6f1d3c21a617779cebf6dd87ffdb197546763f5be83359
                  • Opcode Fuzzy Hash: 05858337b81ea8b3003f710e008543e1df511a673b4464e5dbceb7539b0ecfb7
                  • Instruction Fuzzy Hash: A331E372A10258EFDB11FB99C885FABBBB8FF04638F244065F904A7381D670E940CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E3518, Relevance: 5.1, Strings: 4, Instructions: 55COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $May not destroy the process heap at %p$RtlDestroyHeap
                  • API String ID: 0-4256168463
                  • Opcode ID: 9c2ea08ed7871c882e434445017a9b62b0f3dc52559b1c77671af102006c8ced
                  • Instruction ID: cedb7924fa82a1902c661da81b3b2222f5a098dc7ccda8767381beceef27d5b9
                  • Opcode Fuzzy Hash: 9c2ea08ed7871c882e434445017a9b62b0f3dc52559b1c77671af102006c8ced
                  • Instruction Fuzzy Hash: 9D012236210324EFCB25FB6D8448BA6B3E8FF41A28F108459E8069B3C5DA74E884CA50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013499BF, Relevance: 4.3, Strings: 3, Instructions: 572COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                  • API String ID: 0-3178619729
                  • Opcode ID: 6dca748504e01a4af9f38f377707ac14ce0e6d326ae587d01273d45c643038dc
                  • Instruction ID: 36da1bdd0bf77aba55bcd7ef3286b720f405f95da82ff3d18c33045e866cca9f
                  • Opcode Fuzzy Hash: 6dca748504e01a4af9f38f377707ac14ce0e6d326ae587d01273d45c643038dc
                  • Instruction Fuzzy Hash: 3A221370A002469FEB25DF2DC494B7ABBF5EF4471CF288569E8469B386D770E881CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134B477, Relevance: 4.2, Strings: 3, Instructions: 405COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                  • API String ID: 0-4253913091
                  • Opcode ID: 48b5dac82c46900dadf4ff6dd8291a3f6775c590380dd06de0a502c62e49aaf0
                  • Instruction ID: d3de43f1f2c153b24dd07302566eef910ab3190e404c4e9fa22bb0cbb3dedc12
                  • Opcode Fuzzy Hash: 48b5dac82c46900dadf4ff6dd8291a3f6775c590380dd06de0a502c62e49aaf0
                  • Instruction Fuzzy Hash: 00E19B71600609EFEB19CF68C894B6AFBF9FF44318F1481A9E4069B795D734E941CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013362A0, Relevance: 4.0, Strings: 3, Instructions: 291COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                  • API String ID: 0-1145731471
                  • Opcode ID: e70055018123ebc1c017ec042b2c0f60a4e771c78bfe64f77ec634cce2b3f287
                  • Instruction ID: 33fb8d396a2997a8014eab94cf3428d40d16744bba82d12e1465e1b6a6542c18
                  • Opcode Fuzzy Hash: e70055018123ebc1c017ec042b2c0f60a4e771c78bfe64f77ec634cce2b3f287
                  • Instruction Fuzzy Hash: 25B1B3B1A00615EFEB16DF68C881BACBB75BF8431CF144129E911EB694D730EA50CB98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01328239, Relevance: 4.0, Strings: 3, Instructions: 233COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: FilterFullPath$UseFilter$\??\
                  • API String ID: 0-2779062949
                  • Opcode ID: 33f73d8e0c890b4f4b5b5465bef320b98d91344fc92d6546844792f303c42038
                  • Instruction ID: 2e59c9c1b446597f3959b735bd2856e62b92bfaa657d0d88a5b2fcca98753eb0
                  • Opcode Fuzzy Hash: 33f73d8e0c890b4f4b5b5465bef320b98d91344fc92d6546844792f303c42038
                  • Instruction Fuzzy Hash: 17A17F719016299FDB31EF68CC88BAAB7B8FF44718F1101E9EA09A7250D7359E85CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135AC7B, Relevance: 4.0, Strings: 3, Instructions: 205COMMON
                  Download Yara Rule
                  Strings
                  • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0139A0CD
                  • HEAP: , xrefs: 0139A0BA
                  • HEAP[%wZ]: , xrefs: 0139A0AD
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                  • API String ID: 0-1340214556
                  • Opcode ID: 9fedb1f8326fd93b5007641428eec929f815944bd1c555ec5211e065e7d666ad
                  • Instruction ID: 191ff549422035f2f3853623bb3c2c9d0151f186deccc22d206be3cefd84a573
                  • Opcode Fuzzy Hash: 9fedb1f8326fd93b5007641428eec929f815944bd1c555ec5211e065e7d666ad
                  • Instruction Fuzzy Hash: C8810471204684EFEB26DBACC894FA9BBF8FF04718F0442A5E9418B792D774E940DB10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013D23E3, Relevance: 3.9, Strings: 3, Instructions: 166COMMON
                  Download Yara Rule
                  Strings
                  • Heap block at %p modified at %p past requested size of %Ix, xrefs: 013D256F
                  • HEAP: , xrefs: 013D255C
                  • HEAP[%wZ]: , xrefs: 013D254F
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                  • API String ID: 0-3815128232
                  • Opcode ID: a0eaeb154706821d0b8ee9a8d98b80d02585b6d2214b6827609017108d385faf
                  • Instruction ID: 2cac2d7f8eaa6c23e8c33b82fa9f19baeb9e9ab79ccaf2447c956e38f2844efb
                  • Opcode Fuzzy Hash: a0eaeb154706821d0b8ee9a8d98b80d02585b6d2214b6827609017108d385faf
                  • Instruction Fuzzy Hash: C4515532100264CAE335CE2EE854B73BBF6EF4824CF554899ECC29B685D636D847DB20
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134EB9A, Relevance: 3.9, Strings: 3, Instructions: 156COMMON
                  Download Yara Rule
                  Strings
                  • HEAP: , xrefs: 013942AF
                  • HEAP[%wZ]: , xrefs: 013942A2
                  • RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 013942BA
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
                  • API String ID: 0-1596344177
                  • Opcode ID: 4062283dd11e11273a45abb0688ee33f7d757971d68e19455d75003e6ac2daf3
                  • Instruction ID: e841927ca2a688c9793558ad6354750c133c02b791a69942b6d2d20b3b11dabe
                  • Opcode Fuzzy Hash: 4062283dd11e11273a45abb0688ee33f7d757971d68e19455d75003e6ac2daf3
                  • Instruction Fuzzy Hash: EE51DC71A00529EFDB18DF58C584A6ABBF6FF84318F2581A9D8059B746D734BC42CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134B8E4, Relevance: 3.8, Strings: 3, Instructions: 69COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                  • API String ID: 0-2558761708
                  • Opcode ID: 814afb46fe6d7c8f88249dca89487e0b7a4f5a687c80a612e12c7d10f6cf76c2
                  • Instruction ID: 64ee01801413eedab0fe5127c2af51ee8e60a203e0423301d8420e0e0606f70f
                  • Opcode Fuzzy Hash: 814afb46fe6d7c8f88249dca89487e0b7a4f5a687c80a612e12c7d10f6cf76c2
                  • Instruction Fuzzy Hash: 7211D0353145469FEB29EB1DC494B36FBE9EF4062CF248029E44ACB399D630F881CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0133BA00, Relevance: 3.1, Strings: 2, Instructions: 614COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: $$.mui
                  • API String ID: 0-2138749814
                  • Opcode ID: 328f1488f24dcb665693c725fc4f106575cfd6eed2ffe1a0c2cbd876883923c1
                  • Instruction ID: 030ec70458b5013dcab627a86375321e89d7a837dd4c0ab142811053ff93f681
                  • Opcode Fuzzy Hash: 328f1488f24dcb665693c725fc4f106575cfd6eed2ffe1a0c2cbd876883923c1
                  • Instruction Fuzzy Hash: 2A424D729026699FEF61DF58CC40BEAB7B8BF85218F0041DAD90DA7252DB309E85CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013399C7, Relevance: 2.8, Strings: 2, Instructions: 294COMMON
                  Download Yara Rule
                  Strings
                  • LdrResFallbackLangList Exit, xrefs: 01339A04
                  • LdrResFallbackLangList Enter, xrefs: 013399F2
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                  • API String ID: 0-1720564570
                  • Opcode ID: 95aec00686963f2007b21509a633da5bf7c65045469276e37d668a0250e9c936
                  • Instruction ID: b728c0ab1837cacd810c7f98b4205f5769fa97c25cf49f148d35232e03b7ada9
                  • Opcode Fuzzy Hash: 95aec00686963f2007b21509a633da5bf7c65045469276e37d668a0250e9c936
                  • Instruction Fuzzy Hash: C9B1DE7260838ACBEB14DF18C480B6AB7E4FFC474CF04892AF9869B691D374D945C75A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013EE539, Relevance: 2.8, Strings: 2, Instructions: 261COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: `$`
                  • API String ID: 0-197956300
                  • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                  • Instruction ID: 9685ca47bc9927508096f457b6a6d243fb7afd90208df32f0f529c9a635947c5
                  • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                  • Instruction Fuzzy Hash: 1B9180312043529FE724CE29C949B1BBBE5AF84728F14893DF695CB2D0E774E904CB51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013A51BE, Relevance: 2.7, Strings: 2, Instructions: 173COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID: InitializeThunk
                  • String ID: Legacy$UEFI
                  • API String ID: 2994545307-634100481
                  • Opcode ID: 973ba849edac20d8f0b08fe5c202a1961733a057c91947970def0a6a560f2472
                  • Instruction ID: 3decaf0ad76f88b866126f8fe258caf859de900193bce90374bfae869d6233e2
                  • Opcode Fuzzy Hash: 973ba849edac20d8f0b08fe5c202a1961733a057c91947970def0a6a560f2472
                  • Instruction Fuzzy Hash: 89517E71E006099FDB25DFA8C850BAEBBF8FF88708F54406DE649EB291D7719901CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01324439, Relevance: 2.6, Strings: 2, Instructions: 129COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: 0$Flst
                  • API String ID: 0-758220159
                  • Opcode ID: 8d1f8c85691bb51894ae04eb4ed1cc72558dc60c0ca6fc5593f8edce2489419e
                  • Instruction ID: 38e4e446e784ee11d80f30510ee32501726596a59b8e59e8e1cdd76ddc1f31cd
                  • Opcode Fuzzy Hash: 8d1f8c85691bb51894ae04eb4ed1cc72558dc60c0ca6fc5593f8edce2489419e
                  • Instruction Fuzzy Hash: 5D418CB1E00658CFDB25DF99D5807ADFBF9EF44318F24802ED14AAB645D7319986CB80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013361A7, Relevance: 2.6, Strings: 2, Instructions: 115COMMON
                  Download Yara Rule
                  Strings
                  • RtlpResUltimateFallbackInfo Enter, xrefs: 013361CE
                  • RtlpResUltimateFallbackInfo Exit, xrefs: 013361DD
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                  • API String ID: 0-2876891731
                  • Opcode ID: 2d10ecf2ff401a8f96acd31fd152cc93673c985bd986164da961aa76495690cc
                  • Instruction ID: a7c165dd4641f4ff2c450989629d977fdebe04c9f64f51714b01d5c57dcafeb1
                  • Opcode Fuzzy Hash: 2d10ecf2ff401a8f96acd31fd152cc93673c985bd986164da961aa76495690cc
                  • Instruction Fuzzy Hash: 7D41DEB1A04209AFEB129FADC841B7A7BB4FFC130CF1540A5EA04DB291EB359A00CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0133C1C0, Relevance: 2.1, Strings: 1, Instructions: 876COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: MUI
                  • API String ID: 0-1339004836
                  • Opcode ID: 12f9e874faa7cef01729e3c2df1c2ac669bfe784b00d80243ca9534198be1bbf
                  • Instruction ID: 1038ee829bdb91ee83bdec3c2ea171b3bce44a53f9d649f34a114a850fe43c16
                  • Opcode Fuzzy Hash: 12f9e874faa7cef01729e3c2df1c2ac669bfe784b00d80243ca9534198be1bbf
                  • Instruction Fuzzy Hash: AF729D75E00219CFEB21CF68C8807ADBBB5BF88318F14916BE959BB241D734A985CF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013CEB8A, Relevance: 1.8, Strings: 1, Instructions: 599COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: @
                  • API String ID: 0-2766056989
                  • Opcode ID: 6c97eebd804d718def949c0704f4ac20a8d9b76cc7933132dbc88ce7cbcd2d25
                  • Instruction ID: 4c528d541cfba7ef22f49813076d3bec912d0a34d0f8a14692c504909b3f69c4
                  • Opcode Fuzzy Hash: 6c97eebd804d718def949c0704f4ac20a8d9b76cc7933132dbc88ce7cbcd2d25
                  • Instruction Fuzzy Hash: 203205742046658BEB25CF2DC484372BFE6BF45B08F08846ED9868F686D735EC55CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134B944, Relevance: 1.7, APIs: 1, Instructions: 166COMMON
                  Download Yara Rule
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0134B9A5
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID:
                  • API String ID: 885266447-0
                  • Opcode ID: e4851fe6a68cdbc2e257e16413ecfefb70e96877f5adfd07a69bc0a25be8a76b
                  • Instruction ID: b23e771175c61708b10c010f5058368263987b851b648c68e48887b385c0c98e
                  • Opcode Fuzzy Hash: e4851fe6a68cdbc2e257e16413ecfefb70e96877f5adfd07a69bc0a25be8a76b
                  • Instruction Fuzzy Hash: C2515771A08345CFD720CF2CC48092AFBF9FB88658F14896EE68987359D730E844CB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01352581, Relevance: 1.6, Strings: 1, Instructions: 329COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: PATH
                  • API String ID: 0-1036084923
                  • Opcode ID: 074c83890f6f91a2d53fb388a64e9d4fd5359f3e2ac8a26afb01539fab4295eb
                  • Instruction ID: 80e8275cf6ae13a29423c104f4e791e864c46f76338a7737740ebb42ea197a7b
                  • Opcode Fuzzy Hash: 074c83890f6f91a2d53fb388a64e9d4fd5359f3e2ac8a26afb01539fab4295eb
                  • Instruction Fuzzy Hash: 54C1A171D00219DBDB65DF9DD890FAEBBB5FF48B18F144029E901BB250E774A941CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135FAB0, Relevance: 1.6, Strings: 1, Instructions: 306COMMON
                  Download Yara Rule
                  Strings
                  • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0139BE0F
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                  • API String ID: 0-865735534
                  • Opcode ID: 68db2fee7ae0667f4c6596a012d5fb73f3d8a614719c8359a0aecb1a801f84ba
                  • Instruction ID: f5cb1aaae4db9d646a53af7e0179d42eb58c25292066315f76223556ca566d2c
                  • Opcode Fuzzy Hash: 68db2fee7ae0667f4c6596a012d5fb73f3d8a614719c8359a0aecb1a801f84ba
                  • Instruction Fuzzy Hash: 7CA1E071A00646CBEF66DF6CD450F6AB7ADAF48B28F044579EE06CB694DB30D8418B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01322D8A, Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: RTL: Re-Waiting
                  • API String ID: 0-316354757
                  • Opcode ID: 8f53700c836660d106ec844062eefe730e625e86d1b7dce1e95238bf4dca5e9d
                  • Instruction ID: 9f94075f139b6e19305fb412d0d5753adbaaf0338373a0e362231a9588c20dc9
                  • Opcode Fuzzy Hash: 8f53700c836660d106ec844062eefe730e625e86d1b7dce1e95238bf4dca5e9d
                  • Instruction Fuzzy Hash: 95612331A006199FEB32EF6CC880B7EBBA9FB4572CF140669D925976D1C7389900CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013252A5, Relevance: 1.4, Strings: 1, Instructions: 161COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: x-
                  • API String ID: 0-703316267
                  • Opcode ID: 57c5478e9cfd5f24e2c475d8fb3bf395a3704a3d61d2462045d49d2c9ca5b3ae
                  • Instruction ID: 379bd93c9a462c824bb9f964022137b93b8b0ce06b0d7f9c57cc9d3ab2d995c4
                  • Opcode Fuzzy Hash: 57c5478e9cfd5f24e2c475d8fb3bf395a3704a3d61d2462045d49d2c9ca5b3ae
                  • Instruction Fuzzy Hash: 4E51CD312057429BD322EF68C840B67BBE8FF94718F14491EF599876A1E770F908C792
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135F0BF, Relevance: 1.4, Strings: 1, Instructions: 137COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: @
                  • API String ID: 0-2766056989
                  • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                  • Instruction ID: eeeabe31d9ba1d40eff34322e2c7778cecd801648717a1d2a08a3e313747dee8
                  • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                  • Instruction Fuzzy Hash: D2516A715047119FD320DF19C840E6BBBF8FF48B58F00892AFA9597690E7B4E904CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01325050, Relevance: 1.4, Strings: 1, Instructions: 133COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: x-
                  • API String ID: 0-703316267
                  • Opcode ID: e45081b7c036f0c1722f50742807d7e3a87109cfa9de255cc332b26bc22c5f50
                  • Instruction ID: ea2023739616da5fd2845668be6944b6d45c336e98ee02d90604f19790a8ead3
                  • Opcode Fuzzy Hash: e45081b7c036f0c1722f50742807d7e3a87109cfa9de255cc332b26bc22c5f50
                  • Instruction Fuzzy Hash: EA4122362043129BD724FF2CC880B6ABBE8AF54718F104929F9968B790E730ED46C7D5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013A3540, Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: BinaryHash
                  • API String ID: 0-2202222882
                  • Opcode ID: 91e2e18d9df190433864e007d964c32dd882d70471c11068b165ef7855450812
                  • Instruction ID: 7a58d355a7c3a7a9cbac8283161905c5eff644d9513657f442b65b35e1103056
                  • Opcode Fuzzy Hash: 91e2e18d9df190433864e007d964c32dd882d70471c11068b165ef7855450812
                  • Instruction Fuzzy Hash: 694122B1D0052D9BDB21DA54CC85FEEB77CEB54728F4085A5EA09AB250DB309E88CF94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F05AC, Relevance: 1.4, Strings: 1, Instructions: 115COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: `
                  • API String ID: 0-2679148245
                  • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                  • Instruction ID: 1af9ac2bc74c80ccb7f91457ce458c587a89d1d5560426a220037e52887af6f9
                  • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                  • Instruction Fuzzy Hash: 1731E232200346ABE714DE2CCC84F967BDAEB84768F144229FB54AB2C1D670E904C791
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01354020, Relevance: 1.4, Strings: 1, Instructions: 110COMMON
                  Download Yara Rule
                  Strings
                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 013540E8
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
                  • API String ID: 0-996340685
                  • Opcode ID: 94adf6220b40c54f19fe09b00567184ca0c183ed71206a20fff708e3953ccffa
                  • Instruction ID: ff91cc0cd27b01d8c60b034a97201b5f65d7e232ef7cd5f813e5b33607220097
                  • Opcode Fuzzy Hash: 94adf6220b40c54f19fe09b00567184ca0c183ed71206a20fff708e3953ccffa
                  • Instruction Fuzzy Hash: 1C419675A0074A9AD769DFB8C441AE7F7F8EF55708F10442EDAAAC3640F330A685CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013A3884, Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: BinaryName
                  • API String ID: 0-215506332
                  • Opcode ID: c46c49c07daad137c400a61db00ebb7cdd00a6ba39baf8304fae5c4fb2707d29
                  • Instruction ID: 52671e8c06f31380e0984e9881fa3ac3f89472551be3c4999047d61be3c06574
                  • Opcode Fuzzy Hash: c46c49c07daad137c400a61db00ebb7cdd00a6ba39baf8304fae5c4fb2707d29
                  • Instruction Fuzzy Hash: 3531E33690061AAFEB15DA5CC945F7BFBB8FF80B28F41416DE914A7290D7309E04C7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135D294, Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: @
                  • API String ID: 0-2766056989
                  • Opcode ID: bda1a18852b9a6c8b27d0220345e8103b8b3ccd6aa78e933fd83af6a798c77d4
                  • Instruction ID: 5e77ae53f86dd4851523c9f4fbc92c26fd7b50e954b8beb91a10063440ebaee9
                  • Opcode Fuzzy Hash: bda1a18852b9a6c8b27d0220345e8103b8b3ccd6aa78e933fd83af6a798c77d4
                  • Instruction Fuzzy Hash: 5C31B1B1509305DFC751DF6CC880E6BBBE8EB99A58F00092EF99483211D634DD08CB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01331B8F, Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: WindowsExcludedProcs
                  • API String ID: 0-3583428290
                  • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                  • Instruction ID: f5d3ca9cf7f43e1f42ed3d4040fbe8324252f482b3263d21405f25090844f0a2
                  • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                  • Instruction Fuzzy Hash: 2321077A500229ABDF22AA5DC880F6BBBADEF80658F254425FE149B200D634DC01D7B4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013D8DF1, Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                  Download Yara Rule
                  Strings
                  • Critical error detected %lx, xrefs: 013D8E21
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: Critical error detected %lx
                  • API String ID: 0-802127002
                  • Opcode ID: 988341fc883cea215584792db322a84a2137204b332a37276a05f3d67732bd0b
                  • Instruction ID: ebb1f49c4bfd4ed1a9d412c69ff7ba6c08d750cff3c039ac6f4d2bc02c018a7e
                  • Opcode Fuzzy Hash: 988341fc883cea215584792db322a84a2137204b332a37276a05f3d67732bd0b
                  • Instruction Fuzzy Hash: 52117572D00348DADB2ADFA8950579CBBB0AF04318F2042AEE128AB282C3385602CF14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F5BA5, Relevance: .6, Instructions: 592COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f4a0f66ff18322a71f56be920c3b1d8f2752eaa69fb366d7ea1607ff825f3e79
                  • Instruction ID: 8ce83d725d326fa42b8fc116709a57cc6f5d118ce0f616735bf5779ff0cdea1e
                  • Opcode Fuzzy Hash: f4a0f66ff18322a71f56be920c3b1d8f2752eaa69fb366d7ea1607ff825f3e79
                  • Instruction Fuzzy Hash: CC426CB5900229CFDB24CF68C881BA9BBB5FF45308F1581AEDA4DEB252D7349985CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E5A4F, Relevance: .6, Instructions: 581COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f8a5330b72efff1b36e522de6956a8ec3ea903f36a03b37837e7341b0edf178c
                  • Instruction ID: 802ffbe0a038b51f2361b522563aad2ca3a4ee89e4173cd8d25f397bd75d03a2
                  • Opcode Fuzzy Hash: f8a5330b72efff1b36e522de6956a8ec3ea903f36a03b37837e7341b0edf178c
                  • Instruction Fuzzy Hash: DD226039A003268FDF19CF5DC4946AEB7F2BF8831CF248569D9559B391DB30A942CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E60F5, Relevance: .6, Instructions: 558COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d1938ca48b21a5091d64053068b4afb6d6b1c3473413b414c03ee520a7ed172e
                  • Instruction ID: 5299661bfb01b8a0d3f81fbb47c575308aaad9833fc04dcf70f2e27061756407
                  • Opcode Fuzzy Hash: d1938ca48b21a5091d64053068b4afb6d6b1c3473413b414c03ee520a7ed172e
                  • Instruction Fuzzy Hash: FC22B1B16043218FDB19CF18C495A2AB7E2FFD8318F148A6DE996DB391D730E845CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01344120, Relevance: .4, Instructions: 444COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0056650e179f1e041fef4a00c83c929ea0765e18aae41d0a43cf2bc436b997dc
                  • Instruction ID: 00d21acc561ec6f591d0d09f5ca0d849fd0241ad5113354ab94c99f7163a0ade
                  • Opcode Fuzzy Hash: 0056650e179f1e041fef4a00c83c929ea0765e18aae41d0a43cf2bc436b997dc
                  • Instruction Fuzzy Hash: 63F16B706083118BD724DF29C480B7AB7E5BF88758F14892EF986CB791E734E895CB52
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013520A0, Relevance: .4, Instructions: 420COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 43475195321813543578e6b7bfb2adc87fc678feed371476ccd50c42024aaffa
                  • Instruction ID: d9e6afecdd9d3b6289694373b98218d4eb1c2e52236f6ac8c1043d3f82b605d9
                  • Opcode Fuzzy Hash: 43475195321813543578e6b7bfb2adc87fc678feed371476ccd50c42024aaffa
                  • Instruction Fuzzy Hash: 96F10235608341DFEB66CF2CC440B2B7BE5AB85B6CF04851EED999B291D734D881CB82
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01326800, Relevance: .4, Instructions: 373COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 311c890699f9eeeb57a18da12e162537532cf5defb95821f535acca54eb7ea75
                  • Instruction ID: 3e55ed614851eea2f524b6e8b7b6d2efa518abd5c0c035456d813e403a54ad0e
                  • Opcode Fuzzy Hash: 311c890699f9eeeb57a18da12e162537532cf5defb95821f535acca54eb7ea75
                  • Instruction Fuzzy Hash: 16D1D4B1A0022A9FDB15EF69C892BBA7BB4EF04718F04412DED16D7280E734D945CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013565A0, Relevance: .4, Instructions: 368COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b02b1602c964ad47150a323c6db653676eb13d87b2dc5c23d2535e8fd112e85d
                  • Instruction ID: 0caa18c8812cc6491d11675614de42349a2f0fc40553d8debc9e5766d5139f0b
                  • Opcode Fuzzy Hash: b02b1602c964ad47150a323c6db653676eb13d87b2dc5c23d2535e8fd112e85d
                  • Instruction Fuzzy Hash: 9CE1C2B5A0020ACFDB58CF58C880AADBBF1FF88314F548169E955EB395D734E941CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0133D5E0, Relevance: .4, Instructions: 353COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5cb81318eb1d3f05daffdc8ee2c3638a96706ed31e285f1f1fe916bdd35f67ba
                  • Instruction ID: 3bb8d53708ac2df084bcc3b99575bc0cbd57b6b98423b18994bafa8c588a186f
                  • Opcode Fuzzy Hash: 5cb81318eb1d3f05daffdc8ee2c3638a96706ed31e285f1f1fe916bdd35f67ba
                  • Instruction Fuzzy Hash: BAE1F230A0035ACFEB31DF5CC884BA9BBB6BF8531CF4401A9D909AB295D774A981CF55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01323ACA, Relevance: .3, Instructions: 348COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7b66b1c6da9f63b8f730034214d71036eaed75e8fcc7387045ca10547fe4e68a
                  • Instruction ID: efcd74f09f8609179c2831f78fa7e9e776ff8c896d083422013fbbfcaaec3d26
                  • Opcode Fuzzy Hash: 7b66b1c6da9f63b8f730034214d71036eaed75e8fcc7387045ca10547fe4e68a
                  • Instruction Fuzzy Hash: DEE1FF71E00628DFCB25EFA9C984AADFBF5FF48318F10452AE546A7661D738A845CF10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134B236, Relevance: .3, Instructions: 305COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
                  • Instruction ID: 31dc69724151980c849938c8973e53c77b5ca6cce365e155c36c1c7c31fe7bfe
                  • Opcode Fuzzy Hash: ea1f64df11345c03254a0bdf0ea8c13923360817a481ea98dccb31031b519ceb
                  • Instruction Fuzzy Hash: CFB1B131B04A0AAFDB15CBA9C890B7FBBF9EF48208F144569E652DB785D730E901CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135513A, Relevance: .3, Instructions: 258COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ee5d8d6038182e78ee5c7bc74bdb2b9081ebfab2ece001de9a58e6681124c5de
                  • Instruction ID: 053aaa85e94b4c77826a661e0d80e2433409c7f2da16e5709991215dc173e3f7
                  • Opcode Fuzzy Hash: ee5d8d6038182e78ee5c7bc74bdb2b9081ebfab2ece001de9a58e6681124c5de
                  • Instruction Fuzzy Hash: F9C143B55093818FD754CF28C580A5AFBF1BF88708F148A6EF9998B362D770E945CB42
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013503E2, Relevance: .3, Instructions: 254COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ca1eae64129132a3900371b8978aff58bfc5d2f5970e8d528d0862b08dbb5bc0
                  • Instruction ID: 3eaf06fcb8f28db5657997b88f622a629290a4ed3838fe7f327a892c55e54bf7
                  • Opcode Fuzzy Hash: ca1eae64129132a3900371b8978aff58bfc5d2f5970e8d528d0862b08dbb5bc0
                  • Instruction Fuzzy Hash: 46912571E04259AFEF369A6CC944FADBFA4AB01B2CF050261FE10AB2D1D7759C01CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135DA88, Relevance: .3, Instructions: 253COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b779ff60522ee38c8257caf0e58fcb112b6b80abe82db33dd9c28992d4d373ed
                  • Instruction ID: 6f48cf0e9d8dbc95001a5d804a0b3f226087bb27574942b1b9cb5f1ff70cb44c
                  • Opcode Fuzzy Hash: b779ff60522ee38c8257caf0e58fcb112b6b80abe82db33dd9c28992d4d373ed
                  • Instruction Fuzzy Hash: 6BA18C7490420ACFDFA5DF9CC480BA9BBA2FF4871CF144559DD159B2A6D3B1D882CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01325AC0, Relevance: .2, Instructions: 222COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: af154b1360828f452bcfe462c9d28a12a9d7d116c712440720ac33ced6d34620
                  • Instruction ID: 5a6bfadbdca6f70eb44b216dde808080c9b88ad51fdcf3227e916dbe319b3624
                  • Opcode Fuzzy Hash: af154b1360828f452bcfe462c9d28a12a9d7d116c712440720ac33ced6d34620
                  • Instruction Fuzzy Hash: 2D81B7B1A0022D9FDB35AB1CCD40BEA77B8EB4471CF0445A9DA15E3285E774DEC28B94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135138B, Relevance: .2, Instructions: 206COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
                  • Instruction ID: 748687808a0a49e29f6196c38c1446c797e64779a32c74cd4c92d9b331b0fede
                  • Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
                  • Instruction Fuzzy Hash: 76818C71A00345DFDB25CF68C484BAABBF5EF48318F14856AE956D7751D330EA81CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013A6DC9, Relevance: .2, Instructions: 199COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                  • Instruction ID: 11061b5b67b576329e80af7daff8f795311daaee9773bd4b006dc6d405b194ad
                  • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                  • Instruction Fuzzy Hash: B6716C71A0020AEFDB10DFA9C984EEEBBF9FF48718F544469E505E7250DB34AA45CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0133F370, Relevance: .2, Instructions: 194COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cd306fb1d12fa22d9cee9e581def3c3b337f734fc8de72fa41010c97d1ba2677
                  • Instruction ID: a6a210de4a62c0c61d9f073493ec784a73e850ceb1c5a1fe299f23695d985baf
                  • Opcode Fuzzy Hash: cd306fb1d12fa22d9cee9e581def3c3b337f734fc8de72fa41010c97d1ba2677
                  • Instruction Fuzzy Hash: 11612132E042168BCB25CF5CC48027EBBB9EF85318B9881A9E845EF345DB34D952C7D6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132395E, Relevance: .2, Instructions: 172COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5a427f6ebdd6a39133cd5475a5099180bfc7ae3728ab3ff72549636b6c55fcf1
                  • Instruction ID: 4f3f736367329802bade379f23556b85283b08de221cc62d158fa84c56773c9c
                  • Opcode Fuzzy Hash: 5a427f6ebdd6a39133cd5475a5099180bfc7ae3728ab3ff72549636b6c55fcf1
                  • Instruction Fuzzy Hash: BD51AE71A007569FEB24EF5DC884A6BB7F8FB5830DF00492DE54287A11DB78E849CB80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132B171, Relevance: .2, Instructions: 166COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ce789250826e66849926f6970dde2c2012d02a971f9e88aac141f2d797f62097
                  • Instruction ID: 8b4723d43e6bbb18f7497eef916111846994b04ebf9c2bdb389ce666645156ad
                  • Opcode Fuzzy Hash: ce789250826e66849926f6970dde2c2012d02a971f9e88aac141f2d797f62097
                  • Instruction Fuzzy Hash: B351F471D1035A8EDF31EF68C844BAEBFB0AF04318F2041ADD859ABA86D7314941CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013595EC, Relevance: .2, Instructions: 165COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 323c243cab4fa4f214da474562e84e39bea6d45a9e13a3000cf29cda1a781119
                  • Instruction ID: 3ac5983b7b4582e50fe124e00dc0ba00ac2664cabee0e959ce5d68028b8b10ca
                  • Opcode Fuzzy Hash: 323c243cab4fa4f214da474562e84e39bea6d45a9e13a3000cf29cda1a781119
                  • Instruction Fuzzy Hash: 2C51BC30A0060AEFDF16DF68C844BAEBBB8BF1473CF004169D912976A0DB749914CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013EB581, Relevance: .2, Instructions: 163COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a0308f5a617630c625e4123b48a626255cf412af868c31cedb2489c32294162e
                  • Instruction ID: 3c08bc1572cc9053869e497f94862382e83aebee097cfd9976658181a620db68
                  • Opcode Fuzzy Hash: a0308f5a617630c625e4123b48a626255cf412af868c31cedb2489c32294162e
                  • Instruction Fuzzy Hash: F951D2316047678BE312DF2CC998B66FBE4BF50318F184469A9858B6D4EB34E805CB81
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01352AE4, Relevance: .2, Instructions: 159COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f69109565c5218d81023a97e5f5e5ca85c695cb0c2f715df07c5cb9627c7e87
                  • Instruction ID: 7411e512629c2f4ac1c9352255c4ccbff877ae57fc1500f4de845c9fcf897142
                  • Opcode Fuzzy Hash: 4f69109565c5218d81023a97e5f5e5ca85c695cb0c2f715df07c5cb9627c7e87
                  • Instruction Fuzzy Hash: F151C376B00119CFCB59CF1DC490DBEB7B6FB88B04716855AEC46AB325D730AA51CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01353C3E, Relevance: .2, Instructions: 153COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 42c91dd97b32de191dc1f68a1a322cc99f5838ca783011371e37f4665361648c
                  • Instruction ID: 85f98de0fd1d87d72cf98dbfbf022075cf493d1515ae8b10c6006c37d29b616e
                  • Opcode Fuzzy Hash: 42c91dd97b32de191dc1f68a1a322cc99f5838ca783011371e37f4665361648c
                  • Instruction Fuzzy Hash: 65515B716083429FD740DF29C884E6AB7E8FF84768F144969FC99C7291D770E905CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134DBE9, Relevance: .1, Instructions: 149COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6d1e7ce2c0a72198d177122421f0fd67b9809a525ae5d2a94f1cbfb6ca082e22
                  • Instruction ID: 01247d9c9c75de3cee990db13aa8d1856c6845dfffce47dfeb6a425768bca0c7
                  • Opcode Fuzzy Hash: 6d1e7ce2c0a72198d177122421f0fd67b9809a525ae5d2a94f1cbfb6ca082e22
                  • Instruction Fuzzy Hash: 6E518CB1A00216CFCF15CFACC490AAEBBF5BF59318F20855AD999A7344DB30AD44CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F740D, Relevance: .1, Instructions: 141COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                  • Instruction ID: 013e691ebebc8f6ba70b499fc35344915552eb96ca7d2e2696704965bccfe05b
                  • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                  • Instruction Fuzzy Hash: B451A071600646EFDB16CF58C884A56BBF9FF45308F14C0BAEA089F212E771E945CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01364D51, Relevance: .1, Instructions: 139COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
                  • Instruction ID: 32be54586effc14cc493c4358deffce347fc4dcd98ca540fd593b299629c8405
                  • Opcode Fuzzy Hash: 57c987ef142df1584dd8d639fa8fc84791a5094b44c6db83ae1c023477dd8020
                  • Instruction Fuzzy Hash: 49514A35E00619CFCB15CF98C480AA9F7B9FF89718F2485A9D855E7355D730AE81CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01352990, Relevance: .1, Instructions: 133COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1adbdf7171d791ab0b72c35748810ba18edb41228c0539e8c01d43e5b721e154
                  • Instruction ID: 69dc4ed682f0f6730b5ca6eef321e9cadbc1ce3690bc1afc188f1032af0a5860
                  • Opcode Fuzzy Hash: 1adbdf7171d791ab0b72c35748810ba18edb41228c0539e8c01d43e5b721e154
                  • Instruction Fuzzy Hash: 92515871A0020ADFEF66CF59C880EDEBBB5BF48B58F048115ED05AB260C7359992CF90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01354BAD, Relevance: .1, Instructions: 131COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 69a083721d8af485a68f628ff08982278242e9f45135c4376586108dd5d5f042
                  • Instruction ID: 9e7cbdf0be6cbe6061b700045e0b7b2739a88426d56a2812ab2faacb5b31f03a
                  • Opcode Fuzzy Hash: 69a083721d8af485a68f628ff08982278242e9f45135c4376586108dd5d5f042
                  • Instruction Fuzzy Hash: 2841B271A01229ABDF61DF68C940FEE77F8AF45B14F4100A5E908AB241EB34DE84CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01354D3B, Relevance: .1, Instructions: 131COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1c68610709984dcbcd5045a52249a286ba1e8f524c0d18e368b6b4f93bffe091
                  • Instruction ID: 74310c65e22d5d7d44a304363083b5108361edd4785ef34ca7fec0fa2c7de930
                  • Opcode Fuzzy Hash: 1c68610709984dcbcd5045a52249a286ba1e8f524c0d18e368b6b4f93bffe091
                  • Instruction Fuzzy Hash: 7C411871A403189FEF76DF18CC80F6AB7B9EB54A18F004099ED0997281E770ED80CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134F86D, Relevance: .1, Instructions: 124COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b18cf364a3f02926cab53ceaa1a8d6224e6bedf3979261c56dfc522533c6f937
                  • Instruction ID: ae5de2336a7573731ae60c87fdb6df4b8d356413f7e0ad3a4957b140342f91f5
                  • Opcode Fuzzy Hash: b18cf364a3f02926cab53ceaa1a8d6224e6bedf3979261c56dfc522533c6f937
                  • Instruction Fuzzy Hash: BE41B575A0021AEFEF229FACC840BAEBBF9BF5471CF180519E954E7251D774E8408751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013B6365, Relevance: .1, Instructions: 123COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
                  • Instruction ID: 0132c3d51e2c3f02babce27eb2930d9ab50c007cc208decbc5f97151798f6f70
                  • Opcode Fuzzy Hash: be3b4a51cfa3edcff81842d127ee4f292402115a8f3185dbd1a32f25bb9fad36
                  • Instruction Fuzzy Hash: 4641E476600505EBDB15DF6CCC92BAF3B69EF44718F198068EA069BA52E734DD01C7A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01321AA0, Relevance: .1, Instructions: 123COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
                  • Instruction ID: cef3f8029135b11ac3f0d48d65b629b1465edc593a9948d1f13b26719d21e339
                  • Opcode Fuzzy Hash: e1a7370b56a08231ee134f13a4b803da5b209042f7814c29e042afade973f4ff
                  • Instruction Fuzzy Hash: 73416071A00719EFDB24DF99CA80AAABBF8FF08314B20456DE556D7650E330EA44CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01330100, Relevance: .1, Instructions: 122COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ec770825c6f1cbb7f6d50c09a02bfffabacf48478281b164e3c1a63684f9582e
                  • Instruction ID: 3536aafaafaec48aae6a70dab5d152d9e5d7d4aed6ff24207fbef65ef96585ee
                  • Opcode Fuzzy Hash: ec770825c6f1cbb7f6d50c09a02bfffabacf48478281b164e3c1a63684f9582e
                  • Instruction Fuzzy Hash: 0D41ED71945309CFCF69EF6CC9817AA7BB4BF9431CF450119E811AB2A6C374D981CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013EAA16, Relevance: .1, Instructions: 120COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                  • Instruction ID: 1660b4e5451406df78b417d4477c1aa156b6cdda48987ee8a6d8f9142858d9ae
                  • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                  • Instruction Fuzzy Hash: 0731D631B00326ABEF159B69C889BAFFBEBDF84618F054469E905A72D1DA749D00C750
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01338A0A, Relevance: .1, Instructions: 120COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3887f5d2150e27456aaba00644b7e64b7000ac5c9fd282401e0916f337708dc0
                  • Instruction ID: 91c40e316ba9d4f63e854f69f03c8f826d6a8cbdc34dde743826cfec65d0f4d0
                  • Opcode Fuzzy Hash: 3887f5d2150e27456aaba00644b7e64b7000ac5c9fd282401e0916f337708dc0
                  • Instruction Fuzzy Hash: D24184B0A0022D9BDB24DF19CC88AA9B7F8FB94308F1046E9E91997252D770DE85CF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013EFDE2, Relevance: .1, Instructions: 116COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                  • Instruction ID: 90191c5ff37f3724c50627dabccbcb670859275fa102200b015f41ce5cb8a56a
                  • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                  • Instruction Fuzzy Hash: 5431F632200755AFD7229B6CC84CF6ABBEDEBC5658F184458E9498B7C2DAB4EC42C750
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013EEA55, Relevance: .1, Instructions: 111COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                  • Instruction ID: f4c961df3be7a771d1bd33914261545d9cab8a3157018d89961c262de5d22d76
                  • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                  • Instruction Fuzzy Hash: B831E4326047169BD719DF28C884A6BB7E9FFC0314F044A2DF95687785DE30E809CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0133B433, Relevance: .1, Instructions: 109COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
                  • Instruction ID: 3024af57510a152d93b336f3627b5527e7832bbacdee302bc6e0472670399460
                  • Opcode Fuzzy Hash: 9ce7baec8dd61d033a2283f6c29e1c0cbcb02c42f85a1c7a17e92119e31cdb3b
                  • Instruction Fuzzy Hash: F7414A31600249AFDB12DBACCC40BDAFBF8EF50348F0481A6F455A7752C674A944CBA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013A69A6, Relevance: .1, Instructions: 108COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 341346501204628cf21a4e0457ccd891d34d4cc17b1633b62775ef6b2ae23731
                  • Instruction ID: 3255514e4e40b0a9fba2a08f2efc29fa56042266f2ab09694d362a0a9af4f76e
                  • Opcode Fuzzy Hash: 341346501204628cf21a4e0457ccd891d34d4cc17b1633b62775ef6b2ae23731
                  • Instruction Fuzzy Hash: 4F4182B1D002099FDB14DFA9D945BFEFBF8EF48718F18812AE914A7250DB709905CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01325210, Relevance: .1, Instructions: 107COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 73b97859178021af6c45c62ab8ec8862f81f3f8c1d30b8ef780d949102a39dac
                  • Instruction ID: 64e48138f1d22189a70d07f8e661e3a2ff2a2894ab52a4128ad0aec5b07cc7e5
                  • Opcode Fuzzy Hash: 73b97859178021af6c45c62ab8ec8862f81f3f8c1d30b8ef780d949102a39dac
                  • Instruction Fuzzy Hash: 30311631251715EBC72ABF2CC840B7A7BA9FF50728F21862AF5150B5E0DB30F908C690
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01363D43, Relevance: .1, Instructions: 106COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bff494685cd0d25cb89588f118e2f854c67d6ce3146915affbcf582c7812f569
                  • Instruction ID: b0e190b00677311eb85016736fdd55d1c284528a3eeb844f3510ea6fa4450a9d
                  • Opcode Fuzzy Hash: bff494685cd0d25cb89588f118e2f854c67d6ce3146915affbcf582c7812f569
                  • Instruction Fuzzy Hash: B031AB32601619DBDB298F2DC841A6ABBA8FF95708B05C06EE949CB754E730D840C7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134C182, Relevance: .1, Instructions: 104COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                  • Instruction ID: 9f88b6ff457bdbaee2cf2a45bcfeb2c5d04b61ff329a3002901ff5b4cf58f367
                  • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                  • Instruction Fuzzy Hash: C9313771A0654BBFDB45EBB8C480BEAFB98BF5220CF04415AD41C97201DB347A09CBE1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013A7016, Relevance: .1, Instructions: 104COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0102ff68aff444a3e571eaa8a79366912b1106d60c026d2108aade29102fe2b5
                  • Instruction ID: d1aa8f5ff58062a9639950edce6b105fba6002c7fb78479ebe3f9811f106757f
                  • Opcode Fuzzy Hash: 0102ff68aff444a3e571eaa8a79366912b1106d60c026d2108aade29102fe2b5
                  • Instruction Fuzzy Hash: F431C0726047919FC320DF2CC880A6AB7E9FF98704F444A2DF99587690E731E904CBA6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013553C5, Relevance: .1, Instructions: 98COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1d534000c29545d0777ff5f700d4adc52ce7b176446cfccc7b2660e9e67efab2
                  • Instruction ID: f8c4ca6a559c4d2217bda384c2c9337450abe4f3255a502403b18a0e6fbb4105
                  • Opcode Fuzzy Hash: 1d534000c29545d0777ff5f700d4adc52ce7b176446cfccc7b2660e9e67efab2
                  • Instruction Fuzzy Hash: 9D41F370A04746CBDF318FB884007AEBBE2AF5170CF14052EC48AAB781DB355905CBA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013D3D40, Relevance: .1, Instructions: 98COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f240bb6b1f4afb7ba50b134b3b72abc883a7e7fe807f03b98a35c4f492062b26
                  • Instruction ID: ec756253ddd0d6bb59d446055419a62bacfd5bc9f0e6ce94d1290adc83ff1dc4
                  • Opcode Fuzzy Hash: f240bb6b1f4afb7ba50b134b3b72abc883a7e7fe807f03b98a35c4f492062b26
                  • Instruction Fuzzy Hash: 0A315AB2A09302DFC710DF18E58155ABBE5FF85618F44496EE8989B295D730ED08CBE2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01323880, Relevance: .1, Instructions: 97COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0a6e4feb5f196dee4ec86fd19da5cf037a0f0e6eb6645b22c56c12194c14ad89
                  • Instruction ID: adf052d2c8b32cff7f60f140842cbe04146904c105b75b7aa6f63b79824538c6
                  • Opcode Fuzzy Hash: 0a6e4feb5f196dee4ec86fd19da5cf037a0f0e6eb6645b22c56c12194c14ad89
                  • Instruction Fuzzy Hash: F631B432E00229AFDB21EEADC840BAEBBFDBB09714F014525E525E7650D6749E048BD0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013EA189, Relevance: .1, Instructions: 96COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 215cb7c7c61e667d35f9a15c74a46e5c85b110dbcc1a625687393a8347936493
                  • Instruction ID: 223d414fe2df11e63a5d5b818793e7eca287788e90c05671d189ad84c708bb01
                  • Opcode Fuzzy Hash: 215cb7c7c61e667d35f9a15c74a46e5c85b110dbcc1a625687393a8347936493
                  • Instruction Fuzzy Hash: 7231E571A0032AEBCB12AF9DD840BAEBBF9EF85758F110069F505EB390DA71DD018790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013561A0, Relevance: .1, Instructions: 93COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 65d7d85c1fd2b4f61f81807f7c92989953ee52ed4071f3164bc91c5758c7380e
                  • Instruction ID: 8fa29b299a2753f1a6585ec8003c7eda7a13cbc138cba3f6b44ff142a48e2920
                  • Opcode Fuzzy Hash: 65d7d85c1fd2b4f61f81807f7c92989953ee52ed4071f3164bc91c5758c7380e
                  • Instruction Fuzzy Hash: 2F316BB16157018FE760CF1DC841B26FBE8FB88B18F45496DE9989B391E770E904CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132AA16, Relevance: .1, Instructions: 93COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bcec4a9c55d0abe656d59e5bef2093cc32ea5cd0aa0eb54afd2a9db286ba1537
                  • Instruction ID: 4ea6472b3999ac81ecea690e47a7d129bfafff6dfcdb7296494a665a4d8bd437
                  • Opcode Fuzzy Hash: bcec4a9c55d0abe656d59e5bef2093cc32ea5cd0aa0eb54afd2a9db286ba1537
                  • Instruction Fuzzy Hash: C731C571A0022AABDF11AF6CCD41A7FB7B9FF04708B014469F901E7654E774A911DBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01364A2C, Relevance: .1, Instructions: 92COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8b2b1ee364c825f81fdc529a2f1101aa7f89020ea1ee04a0f53c1771131c56c0
                  • Instruction ID: fb745a81fa4bc36fa600a3ce3db9bd483f718725b1b665b1740aac38aa5e327b
                  • Opcode Fuzzy Hash: 8b2b1ee364c825f81fdc529a2f1101aa7f89020ea1ee04a0f53c1771131c56c0
                  • Instruction Fuzzy Hash: 2D310232A05315AFE7229F18C944B2EBBACFFC0B18F548529E85647659C770E804CB96
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013278D6, Relevance: .1, Instructions: 91COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e9a6e3358202fe57e4d6c011c4744451192f56deb94866768f281c596d07d196
                  • Instruction ID: ebf36b12cabd7c0a50f6dc006d9b19ab1dcb21a96a1c78bbc446fac6e917e8a8
                  • Opcode Fuzzy Hash: e9a6e3358202fe57e4d6c011c4744451192f56deb94866768f281c596d07d196
                  • Instruction Fuzzy Hash: C431F2B2600614AFD711EF1CCC80B6ABBA9FF99658F188099E548CF351DA35ED41CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135BC2C, Relevance: .1, Instructions: 88COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4617715abc5ccefad38f3228dadeccabd2e1084d0cb78842daf909fcc9684045
                  • Instruction ID: c85d59eb8a95b6b2c4be964ae6709090b6e375b64e7b3de9df3898e533666dbf
                  • Opcode Fuzzy Hash: 4617715abc5ccefad38f3228dadeccabd2e1084d0cb78842daf909fcc9684045
                  • Instruction Fuzzy Hash: C8310472A0061A9FCB91DF58D480BA6B7B9FF18719F064079ED44DB209E7B4DA05CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01329100, Relevance: .1, Instructions: 87COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d484ff729b744c6047985422f845af1acd07417af236db9c6225c843be17c542
                  • Instruction ID: f579fa6acf3708d33c4dd64d87fb941f32de5a18207fd5cd520c2b1f049073a3
                  • Opcode Fuzzy Hash: d484ff729b744c6047985422f845af1acd07417af236db9c6225c843be17c542
                  • Instruction Fuzzy Hash: FA31C371A01266DFEB26FB6DC488BACBBB1BB5931CF24814DD50467351C334B980CB55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135F527, Relevance: .1, Instructions: 87COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
                  • Instruction ID: f5fdd72fe57149891099a3084aa6e4dda29d76cd35e7feeef38eda454164da86
                  • Opcode Fuzzy Hash: a1964674c32ee0b8d0769a9c26bb8bd53e50b50cf439c01f9c98bc06a8389b4f
                  • Instruction Fuzzy Hash: 22319831600648EFDB21CF68C884F6AB7FDEF84758F1049A9E9558B690EB70EE01CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01351DB5, Relevance: .1, Instructions: 87COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                  • Instruction ID: d209c104568a33e6896423679a11254254a8ca16c121606d66bb26a269a85c7b
                  • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                  • Instruction Fuzzy Hash: E921B032600119FFD721CF9DCC80FABBBBDEF85A58F154055EA0997220D634AE01DBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01348D76, Relevance: .1, Instructions: 82COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f6d3e63ded3b08a5e03093b17cd7de0f8c722721084dcdffe8833f3c1d058da2
                  • Instruction ID: 46212a715b9159367f52abea8813dff393443e15361396209ee5249f22861194
                  • Opcode Fuzzy Hash: f6d3e63ded3b08a5e03093b17cd7de0f8c722721084dcdffe8833f3c1d058da2
                  • Instruction Fuzzy Hash: 6B21B139242A91CFE72ACB6CC494B7677E8FB5270CF0844D6E9C287A51D739E881C710
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01340050, Relevance: .1, Instructions: 81COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 02e50f4780b80d9e309b6a1a738d2526d221655912f3da2009aefc68b8f76dca
                  • Instruction ID: db07d6436c1621c70d31a3f21f46bd80855d9bf8ae2783b8f0d6243f6765634e
                  • Opcode Fuzzy Hash: 02e50f4780b80d9e309b6a1a738d2526d221655912f3da2009aefc68b8f76dca
                  • Instruction Fuzzy Hash: 91317A31701B04CFD726CB28C844B96B7E5FF89718F14856DE6AA87A90EB75B801CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013CCD04, Relevance: .1, Instructions: 79COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 87f0f5d5b289b667d6c2c14ca4a8dcd4e7ad1a222e52386eafd0e1ef38f46b4d
                  • Instruction ID: a880343cb58e42ad629f5512062b43938d3ae4b8e9ecc93afb9cd2dcdcc3f895
                  • Opcode Fuzzy Hash: 87f0f5d5b289b667d6c2c14ca4a8dcd4e7ad1a222e52386eafd0e1ef38f46b4d
                  • Instruction Fuzzy Hash: 7131E770E102199FCB11DFA8C848AECBBF5BF8CA44F15516AE909B7265DB749C40CF60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013A6C0A, Relevance: .1, Instructions: 79COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 01be5b58f077f02979b270936edc863d631e2af62b1c1477d4f5adc523e91ef9
                  • Instruction ID: 186b6864314db6e7f6e0026e2914ae893688b652bd04d56dea94ab8a06668b49
                  • Opcode Fuzzy Hash: 01be5b58f077f02979b270936edc863d631e2af62b1c1477d4f5adc523e91ef9
                  • Instruction Fuzzy Hash: 84217AB1A00645AFDB15DF6CD880F6AB7A8FF48748F184069F904D7791D734E910CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013FF1B5, Relevance: .1, Instructions: 78COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bf5f5cda5950a0a0b795cafde4e3f750dfb258227975e494efb4a9505dc79705
                  • Instruction ID: c1c9a3e16e9f3c3691fa0f17e082b1e9ae96a0d5cce9560bbac15c41b67d13d6
                  • Opcode Fuzzy Hash: bf5f5cda5950a0a0b795cafde4e3f750dfb258227975e494efb4a9505dc79705
                  • Instruction Fuzzy Hash: 1A21CF7FA00915BBEB229F49D884F5ABBBCFF45718F014069EE049B255D734AD10CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01324A20, Relevance: .1, Instructions: 78COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 32ac6c7a1729b46e482150d829080faa71a679ae82370a4d2fcfa7c89eae810e
                  • Instruction ID: c508f60a1c5dc6471a54431b943b9278ab589c7dbb01791d506bbf879dc675d9
                  • Opcode Fuzzy Hash: 32ac6c7a1729b46e482150d829080faa71a679ae82370a4d2fcfa7c89eae810e
                  • Instruction Fuzzy Hash: 6021D631200B16DFEB36BB2CD810B2777A9FB6022CF104B19E456469F5E734E941CB99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013690AF, Relevance: .1, Instructions: 76COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                  • Instruction ID: 0ad69c8bff3271de41a09a283458ed376c2bc700af4c58b4da078c2197f2c4d1
                  • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                  • Instruction Fuzzy Hash: 7A217F71A00209EFDB21DF59C844AAAFBFCEB58718F14886AE945A7200D630E9008B90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01353B7A, Relevance: .1, Instructions: 75COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 27476371c7af79eaf1934669d66793bc2d54aea741c9edb86bce4a8102ba683f
                  • Instruction ID: ecb835e114e317fc8c40a565a2b6fe15833b837f26c149fcbb946ad25f4c0dc9
                  • Opcode Fuzzy Hash: 27476371c7af79eaf1934669d66793bc2d54aea741c9edb86bce4a8102ba683f
                  • Instruction Fuzzy Hash: 94219F72A00109AFDB10DF98CD81F6ABBBDFB44748F150178EA08AB251D771ED11CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01324B94, Relevance: .1, Instructions: 74COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
                  • Instruction ID: 71658d1bce75af6ba5db321efd2e1c6afa7807ab54b84608895e62329fe6085d
                  • Opcode Fuzzy Hash: be039c21412206f03258b38c48bd730f8b7be0bbe1998d3b1572028778da135b
                  • Instruction Fuzzy Hash: 5531D071900A35EFDB28EF6CC480679F7F8FF44618F148669C86A97A60E770A940CB40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013328AE, Relevance: .1, Instructions: 73COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: deb9c94cf051a70f7f5fe14ab3bdaeb5de73e26bf3af88ecec38fb8b2d228e69
                  • Instruction ID: 1b7d6bd03a6fb7d7747b49674997cc461be877d0c1b6b89b94dc265fd412af15
                  • Opcode Fuzzy Hash: deb9c94cf051a70f7f5fe14ab3bdaeb5de73e26bf3af88ecec38fb8b2d228e69
                  • Instruction Fuzzy Hash: 9621C6326157819BF722A76C8C44B253FD5AB8177CF290761FA219FAE2DB689840C215
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132519E, Relevance: .1, Instructions: 70COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0a48a72ba3ffa817b07e39a1e4c1ed95b9bb416231b20fecc882f6a849f46502
                  • Instruction ID: 3dcd98de19217495d525aa77c9bb7adef62a8e93bf02cffdb4058ed777e35403
                  • Opcode Fuzzy Hash: 0a48a72ba3ffa817b07e39a1e4c1ed95b9bb416231b20fecc882f6a849f46502
                  • Instruction Fuzzy Hash: 7011E135941315ABCF24BF6CC440AFABFF9EF15618F24016AF94A9B680D631EA45C690
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013212D4, Relevance: .1, Instructions: 69COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
                  • Instruction ID: 63bd087b80b8a52a20e2a81e78475e2a54a06b7a3d43c0dcc495eee591ae5438
                  • Opcode Fuzzy Hash: 37527cf3eb25ade65d622f20ccdd91ad303ae4a54bb64dfc0495212d1a2f266d
                  • Instruction Fuzzy Hash: 8C11E273600619EFE722AE58D940FAABBADEB84768F104029FB058F540D671EE45CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135FD9B, Relevance: .1, Instructions: 69COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                  • Instruction ID: d6c46332c4c174bb89eb319c9df5e4c689f53d1597167577779dbd69b9c48aba
                  • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                  • Instruction Fuzzy Hash: CC217972600A45DBD771CF0DC640E66FBE9EB94E18F24857EE95987A15D730EC00DB80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013512BD, Relevance: .1, Instructions: 67COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 16d105480c812c009b7793f2544dddb3c5819fe030a19559edd12c0f3420645e
                  • Instruction ID: 569a3c0e0526a6fac903aa6e9e1befbd12826ddaedfa430859422affdfb8bc71
                  • Opcode Fuzzy Hash: 16d105480c812c009b7793f2544dddb3c5819fe030a19559edd12c0f3420645e
                  • Instruction Fuzzy Hash: FF216A71600640EFD7B4CF2CC890F6AB7E9FB48654F10882DE99EC7612DB70A840CB60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01365A69, Relevance: .1, Instructions: 64COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6a445b7a5934684838537f60b3183ffc4bda65387b660814d97dc13676dc3a81
                  • Instruction ID: 80c32a3bf8d2da07e6fb903c1518e0c4b13ca3a2c5d9367829c4f42f114c84f2
                  • Opcode Fuzzy Hash: 6a445b7a5934684838537f60b3183ffc4bda65387b660814d97dc13676dc3a81
                  • Instruction Fuzzy Hash: 871126392517518FE7268B2CD0E477977ECEB0179CF08846AE882C7B55D369DC80C750
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135B390, Relevance: .1, Instructions: 63COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3b8b369fe15aea275521ad58d0b084c8be55712c6dcedf40f1c1bf4a00321a9d
                  • Instruction ID: 13b4614c4769af8a90c9c7e62600fd6a195ed547a4826bbf4a02e2ecdea564c5
                  • Opcode Fuzzy Hash: 3b8b369fe15aea275521ad58d0b084c8be55712c6dcedf40f1c1bf4a00321a9d
                  • Instruction Fuzzy Hash: 90116B333011119FCB19CA188D81A2BB29BEBC5774B254229ED1AD7791CA31AC02C690
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01329240, Relevance: .1, Instructions: 63COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9932f7c699981fce2f086650b2da9ca7ef89647565d4c64223b23f6fd7396bf5
                  • Instruction ID: 13a17a7e68abe6f6fb0bfb0b58af20cdb9cfa9662e0594fffec5733e4c8e8570
                  • Opcode Fuzzy Hash: 9932f7c699981fce2f086650b2da9ca7ef89647565d4c64223b23f6fd7396bf5
                  • Instruction Fuzzy Hash: A8212832141612DFC722EF6CCA40F1AB7F9BF28708F14456CE249966A2DB34E941CB48
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01323138, Relevance: .1, Instructions: 62COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
                  • Instruction ID: 3060ed9aac066dcc2eae366135382145e9d1eaa938af7d93d5d8d64421edaa38
                  • Opcode Fuzzy Hash: d4aeeff4ef93e10868052b9739ddbb58bbde280f33870a99f1aaca30df05f52d
                  • Instruction Fuzzy Hash: 70119331A00304EFDB25DF68C844F66B7F9FB85318F248599D4159B641EB75A802DB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013EE962, Relevance: .1, Instructions: 62COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
                  • Instruction ID: c653cb3be5e19a7106704a5cab352e675017702237dd9fda319f6d245edb14a8
                  • Opcode Fuzzy Hash: f7107f8a9a6e1912d5495caaf0dffdb465e6b2ac924055a9a8be1b481ae2b641
                  • Instruction Fuzzy Hash: 3B11B232A00629EFDB19CB58C805AADFBF5EF84214F058269EC4597390DA35AD51CB80
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013B4257, Relevance: .1, Instructions: 60COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 13e4a5ac19cc119ac40f9821d3a3f248ce25d6f55444f1ba240b64765b7ea70e
                  • Instruction ID: 0ed191ba95aa88619206438ed8cb4415f0ad7e32373c0d1ef713a75b5cc8e660
                  • Opcode Fuzzy Hash: 13e4a5ac19cc119ac40f9821d3a3f248ce25d6f55444f1ba240b64765b7ea70e
                  • Instruction Fuzzy Hash: 7D216070A01702CFC726DF68D480694BBF1FF95358B14826EC26A8FBAAE735D451DB44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013328FD, Relevance: .1, Instructions: 59COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 55125ecc58e375df1578021640188c58d5127bd89ce0911b3e95baaee3552c66
                  • Instruction ID: dfb87d071fcce7f42384952f8e96f55dbba643960402e95fdc0e2521bd8a15dc
                  • Opcode Fuzzy Hash: 55125ecc58e375df1578021640188c58d5127bd89ce0911b3e95baaee3552c66
                  • Instruction Fuzzy Hash: ED110436344784AFF326A32DCD44F237B9DDFD1B98F240066BA418B691DAA4E800C165
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01352397, Relevance: .1, Instructions: 59COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5d5bcd040500575ebee280cbb413b3d5c8d98488aa78905bebe4079c551fa721
                  • Instruction ID: f61406c8c7878d33cad6ac27b59c6e759da9bdfedec807ee21d038856359751c
                  • Opcode Fuzzy Hash: 5d5bcd040500575ebee280cbb413b3d5c8d98488aa78905bebe4079c551fa721
                  • Instruction Fuzzy Hash: 5B114E31740306EBE771DA2DAC80F17B6DDFBA0A1CF18442AFE06A7191DAB0E8448B54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132C962, Relevance: .1, Instructions: 57COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9c2ed7fa85c40d99f0b965ef80dd473925eb2cd32e4ebde6742abbfea3630271
                  • Instruction ID: 0434fb37f897b10d00a37ee63eb1b661f608a97ef5ea9a28dc37fce90cfc72ea
                  • Opcode Fuzzy Hash: 9c2ed7fa85c40d99f0b965ef80dd473925eb2cd32e4ebde6742abbfea3630271
                  • Instruction Fuzzy Hash: 6411CE317207469BCF21AE2CDC85A2ABBE9FF84619B100539E945936A5DB20EC11CFD1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135002D, Relevance: .1, Instructions: 55COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                  • Instruction ID: e2aafe312b740398a7024619ac0ca06d581ca5450f00f758f64af9044bc7a359
                  • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                  • Instruction Fuzzy Hash: 4811DB326156818FEB679B6CC654F357BD8EF41B9CF0900A0ED8487A93D729D842C750
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01329080, Relevance: .1, Instructions: 53COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 517a4083f57ee2af0b65400e85a29f8b990731ed7678dc3af29fb8facacf29a9
                  • Instruction ID: d1e5eba1ef0a50c5bed925d3a768ba879ef72d36cc605b104e184a26e6bc0eb5
                  • Opcode Fuzzy Hash: 517a4083f57ee2af0b65400e85a29f8b990731ed7678dc3af29fb8facacf29a9
                  • Instruction Fuzzy Hash: D901A4726016298FD325AF18D840B12BBA9EF8672CF258166E6059F6A5C378DC41CBE0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01353B5A, Relevance: .1, Instructions: 51COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dac2bd43ca2384c232a5d086455a61896d5d978de5892593eb337a70f7cb4581
                  • Instruction ID: a56fd7029e6694a1dbc130e9eb06d9880b020f50873bda2dab3ae9cd80a8f043
                  • Opcode Fuzzy Hash: dac2bd43ca2384c232a5d086455a61896d5d978de5892593eb337a70f7cb4581
                  • Instruction Fuzzy Hash: EB1125766425559FCF29DB4CCA81F6A7BB9FB18A08F0501ACE905A7762C728FC01CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E1A5F, Relevance: .0, Instructions: 50COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ad3fd62fa3174d30755942a068c4569c8bb6bc46771ce7d89a59c6f001cc2052
                  • Instruction ID: 9a1f36a73d27ace124d75d7ec527dad2398ff498e77d55f9ab41d61f8ce6b7d5
                  • Opcode Fuzzy Hash: ad3fd62fa3174d30755942a068c4569c8bb6bc46771ce7d89a59c6f001cc2052
                  • Instruction Fuzzy Hash: 2C115E71A01219AFDB10DFA8D845EAEBBF8EF54714F004066B904EB380D6749A00CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013231E0, Relevance: .0, Instructions: 49COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
                  • Instruction ID: 19eecf5d4c6bd5f6fcf23a0ffdf043e60aa2ea5e2e2a80af513bf4338967c8cf
                  • Opcode Fuzzy Hash: cd41840913fde36b44aca51169ed52aaca1c3c379bf37e85e3a76e03a02823ec
                  • Instruction Fuzzy Hash: AB01DD32100B15DFDB32EA6ED500E6777EDFFD5A58F044819EA9687951DA38E401C750
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F4015, Relevance: .0, Instructions: 49COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 777d8f1e40527baaf4724c1f7857f18234c65962d62171db2c8b495d2db18830
                  • Instruction ID: 2b8586d8673d898c4613874cb3e36797fd39ea23ba5ff010ffd3b34dca3c3287
                  • Opcode Fuzzy Hash: 777d8f1e40527baaf4724c1f7857f18234c65962d62171db2c8b495d2db18830
                  • Instruction Fuzzy Hash: E501A2726019467FD251AB7DCD80E13FBECFF95668B000629FA0883A21CB34EC11C6E4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E1951, Relevance: .0, Instructions: 48COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2cdbd68510b88000160080847812e98c2775a39bcd6253d29e952859280ffd0f
                  • Instruction ID: df479db457a10d5d163e61ce4d0f0ac19e2accb44bb74de4eadba4810a521a7d
                  • Opcode Fuzzy Hash: 2cdbd68510b88000160080847812e98c2775a39bcd6253d29e952859280ffd0f
                  • Instruction Fuzzy Hash: AC014C71A11219AFDB14DFA9D845EAFBBF8EF54714F008066B940AB380DA74AA00CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E19D8, Relevance: .0, Instructions: 48COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b17326f0a2200bd9d32c91418a102f4e99e2c11fa03eeae45b98696ac5f6cc7b
                  • Instruction ID: 27b53b1beee789d16a0ba3edb52d1717648667589eb3dca83698da2f5b690009
                  • Opcode Fuzzy Hash: b17326f0a2200bd9d32c91418a102f4e99e2c11fa03eeae45b98696ac5f6cc7b
                  • Instruction Fuzzy Hash: 0B015271A0125DAFDB14DFA9D845EAEBBFCEF54714F404056B901EB380DA74AA01CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E1843, Relevance: .0, Instructions: 48COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 510294af900b41c21831d398fb3c42dbe44c6cacf63362a43a7941dada35d917
                  • Instruction ID: c474eea07d67775569eb0be6a8671082a25f83176c0793ee98a1146ed497c194
                  • Opcode Fuzzy Hash: 510294af900b41c21831d398fb3c42dbe44c6cacf63362a43a7941dada35d917
                  • Instruction Fuzzy Hash: 99014C71E01259AFDB14EFA9D845AAEBBB8EF54714F048066B904AB380DA749A00CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013270C0, Relevance: .0, Instructions: 48COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
                  • Instruction ID: b040bede37a4c89b75da46d4299fa17acde3ed53787f0950b2a46094576eec11
                  • Opcode Fuzzy Hash: 06d75836c9573aa0e55f1f59fba811012c8e74f5e68e5d7ca759bd447d74ee88
                  • Instruction Fuzzy Hash: 8311AD32410B12DFD732AF19C880B22BBE5FF2072AF15C869D5994A562C778E885CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E18CA, Relevance: .0, Instructions: 48COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c979be70443066d9f4a632f19c53c909118f3b369308e8cd12cccf1eda4d74bc
                  • Instruction ID: 13e49ad25ed821b610179fa31c12d687ca7a53bf4c1b2580c0ea4683d2f05b24
                  • Opcode Fuzzy Hash: c979be70443066d9f4a632f19c53c909118f3b369308e8cd12cccf1eda4d74bc
                  • Instruction Fuzzy Hash: 32015271A0121DAFDB14DFA9D845EAEBBFCEF54714F004056F945EB380DA749A01CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E138A, Relevance: .0, Instructions: 48COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fb8c642bc27ab00fb70bf9c8a385e386ddea22f9fb95ef5cef30a4ca18a5a4f2
                  • Instruction ID: 19785aaf590c27ba9b4a3f24ad535993f9440c33a0a546f7ee43781cb95aa088
                  • Opcode Fuzzy Hash: fb8c642bc27ab00fb70bf9c8a385e386ddea22f9fb95ef5cef30a4ca18a5a4f2
                  • Instruction Fuzzy Hash: 61014C71A00319AFDB14DFA9D845AAEBBB8EF54714F008066B904EB280DA749A01CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013258EC, Relevance: .0, Instructions: 47COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 645455ad475b3b8f8a9d7208a33626ff74c8d3908ff293f662a96c710c3880bd
                  • Instruction ID: 81afcf0a4f3913e6eda9ba0d8cc43c5e915d77936838ac749bea4931354a7557
                  • Opcode Fuzzy Hash: 645455ad475b3b8f8a9d7208a33626ff74c8d3908ff293f662a96c710c3880bd
                  • Instruction Fuzzy Hash: D801F271B00119ABC714FB6CDC009EEB7ACEF92138F944069DA05DB288DE31DE06C790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013295F0, Relevance: .0, Instructions: 47COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
                  • Instruction ID: ab82293998ce6661e05871ef270ae8f74b881f623a99b80e0fe37a227185140b
                  • Opcode Fuzzy Hash: d6948c75bfbf2bc5c778d5157e0ae55309ade48056c3ff4605d40d8be4a702b4
                  • Instruction Fuzzy Hash: 6801F272A01264EBEB31AB9CC800F2977E9AF95A3CF144159EE158B690DB38ED00C795
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F8966, Relevance: .0, Instructions: 46COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3b69566c7125c96369a7c8e28df8ad884e0e4417657a26761510775742242728
                  • Instruction ID: fa79a7fc0d24b968e7fbcee7eacb3af32178a28f8e6fc28b2acdb2ff1d638116
                  • Opcode Fuzzy Hash: 3b69566c7125c96369a7c8e28df8ad884e0e4417657a26761510775742242728
                  • Instruction Fuzzy Hash: 5F0129B1E0021DAFDB04DFA9D8419AEB7F8FF59304F10445AE901E7340D774AA00CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0133B02A, Relevance: .0, Instructions: 46COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                  • Instruction ID: 5b626bfdd66aa600727497acc344d12edc16bab7c6adbb48e8cdb540a5fc5c1e
                  • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                  • Instruction Fuzzy Hash: B6018F72204A849FE322D71DC988F66BBDCEBC576CF0900A2FA19CBA55D728DC40C624
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F1074, Relevance: .0, Instructions: 46COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: accc54ba2e34472105beb0ee5c3056d48b2f321dc2923b6f7d9fb182a2abd4a1
                  • Instruction ID: 106b72300b83c38425561f7fe1dd133954bad05bf77430a48f59ddac95e45459
                  • Opcode Fuzzy Hash: accc54ba2e34472105beb0ee5c3056d48b2f321dc2923b6f7d9fb182a2abd4a1
                  • Instruction Fuzzy Hash: CF014C72604743DFC710DF2CD944B1A7BE9BB84318F04852DFA8583690DE34D441CB92
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E129A, Relevance: .0, Instructions: 46COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1aa9cefa13863f140a705a2a0b730231dff7f9cc3e0459f709809650446d94e7
                  • Instruction ID: 88dc5dad82b3c63d94f9447ceaacb93f2083c6a73ddff3c6a4427805ec8c519a
                  • Opcode Fuzzy Hash: 1aa9cefa13863f140a705a2a0b730231dff7f9cc3e0459f709809650446d94e7
                  • Instruction Fuzzy Hash: 8C018471A00268AFDB10DFA9D805FAFBBBCEF54704F004066F905EB280DA74DA00CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F89E7, Relevance: .0, Instructions: 44COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c8733206527677899db056d3817a53abf4730cdef9360ce66923c8e801d04524
                  • Instruction ID: 189fd8d7600c26148b13d748e654ca4d2576f6cc895b497cb794310b26cc477a
                  • Opcode Fuzzy Hash: c8733206527677899db056d3817a53abf4730cdef9360ce66923c8e801d04524
                  • Instruction Fuzzy Hash: 980121B1A0021D9FDB04DFA9D9419AEBBF8EF58354F10405AF905E7350D634AA01CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F8A62, Relevance: .0, Instructions: 44COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1b72bbc964389f8ce93e39b4918d8dcbe37d09a793f13da023261f3f3f3272c5
                  • Instruction ID: fb80d336204f706bbd0d13b4e03f09b774c4a2eb5a4c4cff5472391e8cdfac89
                  • Opcode Fuzzy Hash: 1b72bbc964389f8ce93e39b4918d8dcbe37d09a793f13da023261f3f3f3272c5
                  • Instruction Fuzzy Hash: 1F012CB1A1021DAFDB04DFADD9419AEBBF8EF58314F10405AFA04E7351DA34AA00CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F8ADD, Relevance: .0, Instructions: 44COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 58fc6700b88cefe35dbe7209695f36dacaf8d5c08ced46ead55b320daf2d7cf4
                  • Instruction ID: 2dddb26bd5b323db1e9f84da4cb374940e579fcc80f392133fdf856a54e4bb5f
                  • Opcode Fuzzy Hash: 58fc6700b88cefe35dbe7209695f36dacaf8d5c08ced46ead55b320daf2d7cf4
                  • Instruction Fuzzy Hash: E1012CB1A0021DAFDB04DFA9D9459EEBBF8FF58314F10405AFA04E7350D634AA01CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132DB60, Relevance: .0, Instructions: 43COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                  • Instruction ID: f530288d53bf57fd78d8b920633972f60920529876a282b2c431649418aca7a3
                  • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                  • Instruction Fuzzy Hash: CFF09C332456339BD7327ADD48A4F67BE999FD2A68F150435F2059B744CA608C0296D1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132B1E1, Relevance: .0, Instructions: 42COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                  • Instruction ID: 565ee2f2c7f8075da1a9bdaf1eb36ed3e2ccfb82ebc2bb55d448d1d452e462af
                  • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                  • Instruction Fuzzy Hash: A201A432240795DBE322A76DC844F69FBD9EF5275CF0944A1FA148BAB2D779D800C315
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01327057, Relevance: .0, Instructions: 42COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 55086ec09124899a7c47ff863652b3e947347da79465a875eaffcc65aeb380d7
                  • Instruction ID: d0de93343dcc045acfa14d57f4d59a1186d5bd6f1d05e0a4688945f35f232432
                  • Opcode Fuzzy Hash: 55086ec09124899a7c47ff863652b3e947347da79465a875eaffcc65aeb380d7
                  • Instruction Fuzzy Hash: 1001AD31200608ABD731EF58DC05FABBBF9FF54614F10456DE90583190CBA1AA04CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F9BBE, Relevance: .0, Instructions: 42COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f6b4b5f1560ea66f7a422dd24701be4898135acb99750323850697afe39ba431
                  • Instruction ID: 84a9e89653802955fa56da9186ac34aacdd36b579e97f334e3b318dbde884853
                  • Opcode Fuzzy Hash: f6b4b5f1560ea66f7a422dd24701be4898135acb99750323850697afe39ba431
                  • Instruction Fuzzy Hash: 30012C71A0061D9FDB00DFA9D845BAEBBF8AF58314F14405AF905AB290DB34AA01CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E1229, Relevance: .0, Instructions: 42COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8c3ef7034201e7fad8dc3a945b40a7c621cb7e2f664133300072393ac067a332
                  • Instruction ID: e89518a7d252cbc2e70c2e28835479921b7fe659e92bea8a804394171d556290
                  • Opcode Fuzzy Hash: 8c3ef7034201e7fad8dc3a945b40a7c621cb7e2f664133300072393ac067a332
                  • Instruction Fuzzy Hash: C201A472E00318AFDB14DFFDC805AAFB7B8EF54714F00809AE911EB290EA749A008790
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01355AA0, Relevance: .0, Instructions: 41COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
                  • Instruction ID: 7a9f6669566a4c31f6f2b7a089a579e7990d092f2de43c9f833ccdb5d3e44a4f
                  • Opcode Fuzzy Hash: 2029a114c36bb4c92c887f33788b343d8ca89f1f3266e36f8717b5269d555587
                  • Instruction Fuzzy Hash: 7B01D17255064AAFEB629B1CC884F2A7798AF00B28F008141FD149B291D7B4E980CB91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01323591, Relevance: .0, Instructions: 41COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
                  • Instruction ID: eaa680109fa2cc51d3b6a4d34684192a8b7a8163373184c36e70046a692c102e
                  • Opcode Fuzzy Hash: d03d260d01ce357f0602aa94a8546785f0ff55cdf9f4f89ff7566860e2396e50
                  • Instruction Fuzzy Hash: C4F0FC71A02229DFEB14EB6D8850FAA7BACFF98714F148155EE09D7100DA39E94087D4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013DFDD3, Relevance: .0, Instructions: 39COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0ac6afecef27a57ac5296f9aaae4e8b112106ba0efffeed68219a7aa9c2b6140
                  • Instruction ID: b5adf493ff01639164fd33ef88092ca1a44f7149c673b2ed9cc580f8aab7ba63
                  • Opcode Fuzzy Hash: 0ac6afecef27a57ac5296f9aaae4e8b112106ba0efffeed68219a7aa9c2b6140
                  • Instruction Fuzzy Hash: 0BF0CD72B00258ABDB04EBA9E805E7EF3B8EF55A04F004069B901EB690EE30ED05C751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01321BE9, Relevance: .0, Instructions: 38COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
                  • Instruction ID: 02a9ec0dbed3ee0e040b9e498a19e9fe5f3e0b9e30ea64b5cd2f65e6b8991880
                  • Opcode Fuzzy Hash: 41b619a71a48c2b8fc4bd3b9482bbcb6548e364b6e99d490dbd24e33bd0f4c0c
                  • Instruction Fuzzy Hash: 1DF02431714218ABEB18EB29CD00B56B7EDEF98318F108078D94AD7260FAB2ED01E354
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E131B, Relevance: .0, Instructions: 36COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a77761e804d7e9d1f4abb5b8e27e91d20ecceff2abc103c12f0a7d7bf99d1b24
                  • Instruction ID: a7143896509128334877aa896352452feb8fa9be79886b29ea5aea8018b8de53
                  • Opcode Fuzzy Hash: a77761e804d7e9d1f4abb5b8e27e91d20ecceff2abc103c12f0a7d7bf99d1b24
                  • Instruction Fuzzy Hash: 98013171E0121DAFCB44DFA9D545AAEB7F4FF18704F108059B945EB391E6349A00CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0134C577, Relevance: .0, Instructions: 33COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 70701aa616de71f768c1e90162bf90f78d3e6820ff81ab9721307fe0deab09ae
                  • Instruction ID: cc591bce12d46c5de64dc90567f9c057ba6b2a74c496bf2ed549defd08fcae33
                  • Opcode Fuzzy Hash: 70701aa616de71f768c1e90162bf90f78d3e6820ff81ab9721307fe0deab09ae
                  • Instruction Fuzzy Hash: 5CF0B4B2917694DFE736C71EC004B297FD89B0567CF44A4E7D50587542D6A4FC84C2D0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E2073, Relevance: .0, Instructions: 32COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ccd422ecf1a981d034898773febf0a9e596a1e0210cb544910a10995d807450e
                  • Instruction ID: eacf9a37856b8cbdbb03078766c04048e8ae688ae8a2046e8d3b6df12747769c
                  • Opcode Fuzzy Hash: ccd422ecf1a981d034898773febf0a9e596a1e0210cb544910a10995d807450e
                  • Instruction Fuzzy Hash: 90F0A7774152A68BDE325B2C79593D22FDAD795118B090485D860572D9C9348D93CB14
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0136927A, Relevance: .0, Instructions: 32COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                  • Instruction ID: f821d583aceb5155a948a25fca34c66bfabc742041e741859c1187e2104a5252
                  • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                  • Instruction Fuzzy Hash: 5BE02B323405016BE7119E0DDCC0F17379DEF92728F008078B5001E242C6F6DC0887A0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F8D34, Relevance: .0, Instructions: 32COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 938a1322dde9b42239be23bc1c901cacd23d417b8672ebaac9e5af61c09d4ec2
                  • Instruction ID: 52f779ce009cc48cac39f4b0825d5391e0a783b3eb0771a541f11c9a0d425095
                  • Opcode Fuzzy Hash: 938a1322dde9b42239be23bc1c901cacd23d417b8672ebaac9e5af61c09d4ec2
                  • Instruction Fuzzy Hash: 07F05470E0460D9FDB14EFB8D545B6EB7B8EF14704F508499F905EB295DA34D900CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F8C14, Relevance: .0, Instructions: 32COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6279200a23bc8b0d70af8e873ec7be91e40ea52a07f5f6d5ecdcf3c5a81d6d44
                  • Instruction ID: 980cc9e2a1c44bc1fc59425043793b221868dde5db1577d883f608335206e411
                  • Opcode Fuzzy Hash: 6279200a23bc8b0d70af8e873ec7be91e40ea52a07f5f6d5ecdcf3c5a81d6d44
                  • Instruction Fuzzy Hash: 9CF09A70A15219AFDB18EFA8D905A6EB7B8AB14204F008499A905EB280EA34A900CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F8C75, Relevance: .0, Instructions: 32COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 679b98560a8d2df7a4933775e90c7900e19beb382b62c5d50267ca28ebfa01a7
                  • Instruction ID: 048f8650a9a940998cd2a6603beb127f7a93c93338d917ab8f180ed2f32d6f83
                  • Opcode Fuzzy Hash: 679b98560a8d2df7a4933775e90c7900e19beb382b62c5d50267ca28ebfa01a7
                  • Instruction Fuzzy Hash: 5CF0BE70E1425DAFDB04EFB8D905E6EB7B8EF14308F008499A905EB380EA34E900CB90
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F8B58, Relevance: .0, Instructions: 31COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b6039217b8c72123633f42a100f65401bb2a33aeb80fe48ff18173b4546ab4c0
                  • Instruction ID: 2542816b75537dd7c14ef33fa980996e6cfe5b94dd9fed4b33bb04c4c42d7f1a
                  • Opcode Fuzzy Hash: b6039217b8c72123633f42a100f65401bb2a33aeb80fe48ff18173b4546ab4c0
                  • Instruction Fuzzy Hash: 8EF082B0A1425DAFDB14EBA8D906E6EB7B8EF14308F044499BA05DB390EB34DD00C794
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013F8BB6, Relevance: .0, Instructions: 31COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 80f2b7ac8a76fb82acb2305fd17970ae8241a89315d42403aac453172a4bd3c0
                  • Instruction ID: 2fee1f368027ae3f88b4b1dbae65656e4b618dd94bdcf9547868bf091b05e77c
                  • Opcode Fuzzy Hash: 80f2b7ac8a76fb82acb2305fd17970ae8241a89315d42403aac453172a4bd3c0
                  • Instruction Fuzzy Hash: 29F082B0A1425DAFDB14EFACD905E6EB7B8EF14308F044499BA05DB291EA34DD00C758
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013E1BA8, Relevance: .0, Instructions: 31COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b9d33ec92099fc51b167f0b12bed558818c6ac57a0f6fcfb65914d4b7de49a79
                  • Instruction ID: 86fded52d5cfe1f6d54993b43a84f4808e1e1241c4fd9706dd33ec9485ce135d
                  • Opcode Fuzzy Hash: b9d33ec92099fc51b167f0b12bed558818c6ac57a0f6fcfb65914d4b7de49a79
                  • Instruction Fuzzy Hash: 8AF08271A0525DAFDF14DBE9D84AAAEB7F8EF18308F004099E505EB2C4EA74DD00C754
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132354C, Relevance: .0, Instructions: 30COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 18ca2bea1a8b8b5e3599fa1fdfd0bd098b6c0db12031ee3c7f786a8bdffb5401
                  • Instruction ID: 4fb81547f6872376d99a8d90defb3e3655f2a106c76c3a3cad21c054c729314e
                  • Opcode Fuzzy Hash: 18ca2bea1a8b8b5e3599fa1fdfd0bd098b6c0db12031ee3c7f786a8bdffb5401
                  • Instruction Fuzzy Hash: 54F08C32A12699DFD772D72CC144B26BBDCBB05BB8F258865E91987D43C72CD884C690
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132F358, Relevance: .0, Instructions: 28COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                  • Instruction ID: 493da242cf87f6ce30abca2800a04a8b721d8c1a48fa248efd34a8566c35d993
                  • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                  • Instruction Fuzzy Hash: 14E0D832A40128FBDB21A6DD9D05F5ABFFCDB54A64F010155FA04D7150D5649D00C2D0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013215C1, Relevance: .0, Instructions: 28COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
                  • Instruction ID: 332a8fdad214131231906b4e6293eb8115e52e53eeddb81b613b29f3c47e2c65
                  • Opcode Fuzzy Hash: abd4c1e868dd77add1da121991445beedef88028e086df1525fa9b969b472fc7
                  • Instruction Fuzzy Hash: B5E02B3120015AD3CF31BA48C600BB7B7A9AF5170CF2880B1E4028B541D774EC41C3D0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01365C70, Relevance: .0, Instructions: 22COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 315252d8d3e5e1fdd0d3f6bd8f50884039f61c830c14d95a10b54c942d48fd22
                  • Instruction ID: d706748a89f93828f003d5f93ede95db3355d88abfdafd99c597d818338946e0
                  • Opcode Fuzzy Hash: 315252d8d3e5e1fdd0d3f6bd8f50884039f61c830c14d95a10b54c942d48fd22
                  • Instruction Fuzzy Hash: BBE04F71100248AFFF15DB49C944F253FADAB44768F04C169E6198B569C7B4D984CB45
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013B41E8, Relevance: .0, Instructions: 21COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 76485862ebd9a20d28bd754cfd5b58a28349bdbe9ce9e9c8c44d0441ee7956a6
                  • Instruction ID: b2f204c16ff625cf91c06ef4bd4cc093f5776363626e1d51d7372e244202e70a
                  • Opcode Fuzzy Hash: 76485862ebd9a20d28bd754cfd5b58a28349bdbe9ce9e9c8c44d0441ee7956a6
                  • Instruction Fuzzy Hash: D6F0A934A10302CFCBB2EFADED40304B2B0FB80318F00412A82208B6AEE33401A0DF05
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013DD380, Relevance: .0, Instructions: 21COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                  • Instruction ID: 7247a474a929759a22fcf697f8e0eca0d8acd418672e217234e9160b33ce01ab
                  • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                  • Instruction Fuzzy Hash: 8BE0CD32240215B7DB225E48DC00F757B55DB50794F104031FE045A6D0CA719C51D6C4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0135A185, Relevance: .0, Instructions: 20COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 40a166581645e9495097e3eac6cf07c6c46846a73a05e372ce82aa4b7ce9b11d
                  • Instruction ID: 1767b4bea69324593feb2e57f65e3e791b6bd5361e662463576edb5c5d18d67c
                  • Opcode Fuzzy Hash: 40a166581645e9495097e3eac6cf07c6c46846a73a05e372ce82aa4b7ce9b11d
                  • Instruction Fuzzy Hash: F2D02E712320001BC72E63248814F2136A2F780B68F36090EF7030F9B8EBF0D8D1E208
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013A53CA, Relevance: .0, Instructions: 16COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                  • Instruction ID: c91fe3921ae1544539df675a0010fd02582173121dccbd5709c3451b35a05241
                  • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                  • Instruction Fuzzy Hash: 5BE08C319446809FCF12DB4CC650F5EBBF5FB84B04F140414A5085F660C624EC00CB00
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0133AAB0, Relevance: .0, Instructions: 12COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                  • Instruction ID: 006a86b373db647a942983fb5530a77274eb11440652d0e38bb5f517c94deaf2
                  • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                  • Instruction Fuzzy Hash: 9CD0E935352A80CFE617DB1DC554B1577A4FB44B44FC50490E541CB762E66DD945CA04
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013535A1, Relevance: .0, Instructions: 12COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                  • Instruction ID: 556ed3072a6ad4fe6f8109fa58e24cbeb2cd65be0bf82ef4a80cae3150a5c500
                  • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                  • Instruction Fuzzy Hash: CED0A931401185DAEB82AB28C238F683BB2BF00B8CF583865980306952C33A8A0AD600
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132DB40, Relevance: .0, Instructions: 11COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                  • Instruction ID: 66d196f18708e5a9904783a4cd38ca8aa6b5e2d5610918e6e0e72da8d14b95f3
                  • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                  • Instruction Fuzzy Hash: 43C08C30280A01ABEB222F24CD01B003AA0BB10B09F4400A0A300DA0F0DB7CE801E600
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013AA537, Relevance: .0, Instructions: 11COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                  • Instruction ID: a7a46a49a06b1a51ef8927032d8659a183648b2d831ac6a9415ce61c5aa3fbb5
                  • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                  • Instruction Fuzzy Hash: A8C01232080248BBCB226E85CC00F06BB6AEBA4B60F008010BA080A5608632E9B0EA84
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01343A1C, Relevance: .0, Instructions: 10COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                  • Instruction ID: 4a66d7a9850b23ffd417a9951727559ddea257ffe14cbb07f6fa37de5b87a74b
                  • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                  • Instruction Fuzzy Hash: 24C04C32180648BBC7126E45DD01F157B69E7A4B60F154021B6040A561857AED61D598
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0132AD30, Relevance: .0, Instructions: 10COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                  • Instruction ID: a9096a9c6bea02c83603a0dd919b3cad7058b6a6b9c19ab51cefd22b93f235df
                  • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                  • Instruction Fuzzy Hash: 35C08C32080248BBC712AA49CD00F117F69E7A0B60F000020F6040A6618A32E861D588
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01354190, Relevance: .0, Instructions: 9COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
                  • Instruction ID: 4b1336b84726bd41e5d3811008176264fe4c238563f89ffa1bab92ed4316591a
                  • Opcode Fuzzy Hash: 175590c6a7dfeeadbeeb5abb91333881fb225fd9a6b890b8f217439b73e8cc0c
                  • Instruction Fuzzy Hash: 8FC04C757115418FCF15CF6EC284F1637E4B754788F150890E805DB721D724E800CA10
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013D8D47, Relevance: .0, Instructions: 9COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
                  • Instruction ID: bf0085934a052c62c1495a61e9faa51912b6bd3cec2cfb3698b7af7730961fde
                  • Opcode Fuzzy Hash: e0308ce5ee14c24fb886fb9f14b489cdec504b92c80768c2a23305a5c2b521e7
                  • Instruction Fuzzy Hash: 2DC04C1F1556C949CD279F2452127D5BF60D7429D4F1914C1D4D11F552C11455139625
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01347D50, Relevance: .0, Instructions: 7COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                  • Instruction ID: 979cf11b32ad30e6815f62142e8af9491d2147e071127865e6f7ed6c79263396
                  • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                  • Instruction Fuzzy Hash: E3B092353119408FCE56DF28C080B1533E4BB45A84B8400D0E400CBA21D329E8008900
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01352ACB, Relevance: .0, Instructions: 5COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                  • Instruction ID: 3c0f23476354530f2b4a3cf935a1c9df6bbe3b2dbdd6346887204f5a1194fbb9
                  • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                  • Instruction Fuzzy Hash: 60B01232C10441CFCF07EF44C610B197331FF40750F0544A0A00127A30C228EC01DB40
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369910, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 285e4cfbf77d0c6205fab8e94d2da89b0a91a3864439625c1b069506438806e1
                  • Instruction ID: 0c97bfd2002985b2461b1a30693d529c73b30c649bc8c25c37c2fde5ea5a8236
                  • Opcode Fuzzy Hash: 285e4cfbf77d0c6205fab8e94d2da89b0a91a3864439625c1b069506438806e1
                  • Instruction Fuzzy Hash: 319002B520100502E550719944047460005ABD0345F51C021A5055554EC69D8DD976A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369950, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9c72fa822d7912676a77356aa06c52113e62cdd7bb19e51172cb48666f5127e8
                  • Instruction ID: 4152c11caa729bcc85472af5a85e1f0ab7b52c70000ad17eecd4085ebc9af7c4
                  • Opcode Fuzzy Hash: 9c72fa822d7912676a77356aa06c52113e62cdd7bb19e51172cb48666f5127e8
                  • Instruction Fuzzy Hash: 439002A520140503E550659948046070005ABD0346F51C021A2055555ECA6D8C557175
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013699A0, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f5dcff43afa47119df7b0e0763861bd4f8e532e2287db02f793d5e7ce8ed7a33
                  • Instruction ID: dfe8753fde023c48adcad73959ee732070ed7c4562fd41d3a807afdc9b56ecda
                  • Opcode Fuzzy Hash: f5dcff43afa47119df7b0e0763861bd4f8e532e2287db02f793d5e7ce8ed7a33
                  • Instruction Fuzzy Hash: 419002A534100542E51061994414B060005EBE1345F51C025E1055554DC65DCC567166
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013699D0, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 183e2081186b4aea5b97431156ad02f9999817bd5e2e27bf68b2d59f686dc8a1
                  • Instruction ID: 48d001f52ebd1366afdfcb91b90747deaa76d48d9b97140f004eaa79d2113af8
                  • Opcode Fuzzy Hash: 183e2081186b4aea5b97431156ad02f9999817bd5e2e27bf68b2d59f686dc8a1
                  • Instruction Fuzzy Hash: 049002A521100142E514619944047060045ABE1245F51C022A2145554CC56D8C656165
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369820, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7f95a36d364257137e6f5a3008371f23d6da26f4719b45e8e61dfc3e61e848d4
                  • Instruction ID: 196339ac838931733aff8df960404bc11ebb094e06a3dedae11d1167a27bfb61
                  • Opcode Fuzzy Hash: 7f95a36d364257137e6f5a3008371f23d6da26f4719b45e8e61dfc3e61e848d4
                  • Instruction Fuzzy Hash: 1A90027524100502E551719944046060009BBD0285F91C022A0415554EC6998A5ABAA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0136B040, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 55ef8e742a9f5149a3e8e7e161f8be2ce03cf9f2f1e4673be2691a3b2d5574ea
                  • Instruction ID: 01c40b7dcb3b720be36485439eddcb1656613c794fb99feb6ac6dc06fb9a8625
                  • Opcode Fuzzy Hash: 55ef8e742a9f5149a3e8e7e161f8be2ce03cf9f2f1e4673be2691a3b2d5574ea
                  • Instruction Fuzzy Hash: 959002A5601141439950B19948044065015BBE1345391C131A0445560CC6AC8859A2A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369840, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 52038a28dc72e3a442ec0dbeb2ef4ed377d5824afce6dc01d2aa4125f42e0f02
                  • Instruction ID: bfe34666d8149ad1d57cae7349f6690bac5c07646bbaee7f7d59ce3028ffb13d
                  • Opcode Fuzzy Hash: 52038a28dc72e3a442ec0dbeb2ef4ed377d5824afce6dc01d2aa4125f42e0f02
                  • Instruction Fuzzy Hash: 9A90026524204252A955B19944045074006BBE0285791C022A1405950CC56A985AE661
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013698A0, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5fa8d7b49fc673d8de5dfca04125a59d67343830aac763888acd01769ff2d091
                  • Instruction ID: 2e18b929699066247334a6566af6582f350914b63b928a3f1a655e1b477de31e
                  • Opcode Fuzzy Hash: 5fa8d7b49fc673d8de5dfca04125a59d67343830aac763888acd01769ff2d091
                  • Instruction Fuzzy Hash: BE90026530100502E512619944146060009EBD1389F91C022E1415555DC6698957B172
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013698F0, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4c2a772a48f89545f01518c76b1512b2d81c820eb56e673dcfcdf3bf3fb33cd7
                  • Instruction ID: 5e739cbde722dd3e8e4ffb6a10ce185d7c94adae980bf5c6220726de854a010c
                  • Opcode Fuzzy Hash: 4c2a772a48f89545f01518c76b1512b2d81c820eb56e673dcfcdf3bf3fb33cd7
                  • Instruction Fuzzy Hash: 4690026560100602E51171994404616000AABD0285F91C032A1015555ECA698996B171
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369B00, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4904f8051513182965dd0e8d5401b16acb63ce02351809041e13647b3db6e942
                  • Instruction ID: 966b5acb5deae58d921a64195a13907ffd8cfa4ca61b09667bec28e097cf9754
                  • Opcode Fuzzy Hash: 4904f8051513182965dd0e8d5401b16acb63ce02351809041e13647b3db6e942
                  • Instruction Fuzzy Hash: A090026524100902E550719984147070006EBD0645F51C021A0015554DC65A896976F1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0136A3B0, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c31e9fa2615b412e27d485dc8946814b97f577e59b14aba2096e74845b1bec17
                  • Instruction ID: 64c77cefd78c904ebccdfea7620f62e4b0cfcd81229fbe6a87b8c75168d8a37b
                  • Opcode Fuzzy Hash: c31e9fa2615b412e27d485dc8946814b97f577e59b14aba2096e74845b1bec17
                  • Instruction Fuzzy Hash: 7790027520144102E5507199844460B5005BBE0345F51C421E0416554CC659885AA261
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369A20, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 37c3bdf09d828c8fb847126643207feb905bb258ad6cfb96f089431d003837b9
                  • Instruction ID: 1f1cf4c347aba40f99a470506b1ebc263d45321d8a6d3299132a8415a7ccdb08
                  • Opcode Fuzzy Hash: 37c3bdf09d828c8fb847126643207feb905bb258ad6cfb96f089431d003837b9
                  • Instruction Fuzzy Hash: B190026560100142955071A988449064005BFE1255751C131A0989550DC59D886966A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369A10, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 60966536550c9b2dca388e0d7b6d171397e01542f90b35db350e774ed760c7f6
                  • Instruction ID: 780ef59765e48c532a97b403f4b1c6e92aecad64cab2f808a4feed75b3c7519d
                  • Opcode Fuzzy Hash: 60966536550c9b2dca388e0d7b6d171397e01542f90b35db350e774ed760c7f6
                  • Instruction Fuzzy Hash: FA90027520140502E510619948087470005ABD0346F51C021A5155555EC6A9C8957571
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369A00, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 400b31a5c8e214fe435204430a136079115bef19d5f5d535dd129e96020aada4
                  • Instruction ID: 996f3ada2fc0c2efb02560850655350190f81ea5fa0903100b39e87b26a03639
                  • Opcode Fuzzy Hash: 400b31a5c8e214fe435204430a136079115bef19d5f5d535dd129e96020aada4
                  • Instruction Fuzzy Hash: 6990027520140502E5106199481470B0005ABD0346F51C021A1155555DC669885575B1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369A50, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 02caee07ac1d3ed12f1bf9a8f39c5a5f69788b29400dbe5a04bfde6719efb809
                  • Instruction ID: a2c2889a076b3f16d917766c0c8fe5d9543ab38b85285bf8ac0cf5d749d9641c
                  • Opcode Fuzzy Hash: 02caee07ac1d3ed12f1bf9a8f39c5a5f69788b29400dbe5a04bfde6719efb809
                  • Instruction Fuzzy Hash: B090026521180142E61065A94C14B070005ABD0347F51C125A0145554CC95988656561
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369A80, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 68e12825d43db64a8a61f20c543ec62e0a3106b1241e7fc5157bfc02eafcb3db
                  • Instruction ID: b82be2f75c070448cc351e56b9b2a241b84ee003bf1780e6dfa8bfddeea03325
                  • Opcode Fuzzy Hash: 68e12825d43db64a8a61f20c543ec62e0a3106b1241e7fc5157bfc02eafcb3db
                  • Instruction Fuzzy Hash: 4290026520144542E55062994804B0F4105ABE1246F91C029A4147554CC95988596761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0136AD30, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d9942f9d8ac22998bef7f12827a9370d93fb4794870eab0c91cb30342d08e51c
                  • Instruction ID: 2785a65a07b8f9c7183971671ec3496f923e18f7b28920e0802769b59c543d2d
                  • Opcode Fuzzy Hash: d9942f9d8ac22998bef7f12827a9370d93fb4794870eab0c91cb30342d08e51c
                  • Instruction Fuzzy Hash: 76900275A0500112E550719948146464006BBE0785B55C021A0505554CC9988A5963E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369520, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 03237a3e3f8ad0cb3393a125cd0ca6fe5ee8f4f4bbfd159569f66709b2d2ab4a
                  • Instruction ID: 542ec006daabfb521a7e94ee861c11d9c60e58381a09ebf60a2084a02b51e0a1
                  • Opcode Fuzzy Hash: 03237a3e3f8ad0cb3393a125cd0ca6fe5ee8f4f4bbfd159569f66709b2d2ab4a
                  • Instruction Fuzzy Hash: C19002E5201141929910A2998404B0A4505ABE0245B51C026E1045560CC5698855A175
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369560, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 947f506415bfc0c79b0f9bcdc83740e338a225772b73768580d0bf75df87e1de
                  • Instruction ID: 62612357cfb0fc5c8c57f00326643d852fd06a988d6bec5a00581405a430f0d9
                  • Opcode Fuzzy Hash: 947f506415bfc0c79b0f9bcdc83740e338a225772b73768580d0bf75df87e1de
                  • Instruction Fuzzy Hash: BC900269221001025555A599060450B0445BBD6395391C025F1407590CC66588696361
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369540, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b05d1af995f70d153d691bdee99423d312074b9dca9ce5d2115267aed14f15c2
                  • Instruction ID: 4c8c03f8b1e5f3e53e16b797b28e4ed0d921abe9cb4551e7c8643405f8f62864
                  • Opcode Fuzzy Hash: b05d1af995f70d153d691bdee99423d312074b9dca9ce5d2115267aed14f15c2
                  • Instruction Fuzzy Hash: 2C900269211001035515A59907045070046ABD5395351C031F1006550CD66588656161
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013695F0, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e68ccb14ca9116c92c48c2db6f537fcc617c99c970a23caa28eaae1e5041498e
                  • Instruction ID: d49dca328374eaa3a6159833d3f232e07888a8bd466395c7f6c5f5345796ad19
                  • Opcode Fuzzy Hash: e68ccb14ca9116c92c48c2db6f537fcc617c99c970a23caa28eaae1e5041498e
                  • Instruction Fuzzy Hash: 5190027520100902E514619948046860005ABD0345F51C021A6015655ED6A988957171
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013695D0, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1d5432995dd4b32c4474cc6c3421b92a056430b0ec993b0c1e5c5af04c4af5f7
                  • Instruction ID: a5318fcc24f87cc1876ac8ace1b5984f44a6ccb27a4ed066c5b788d0eb0b9841
                  • Opcode Fuzzy Hash: 1d5432995dd4b32c4474cc6c3421b92a056430b0ec993b0c1e5c5af04c4af5f7
                  • Instruction Fuzzy Hash: FB9002A520200103951571994414616400AABE0245B51C031E1005590DC56988957165
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369730, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 90c2df9e3e09c4017dc72984b363e28916c393486eeec5c43143dc23a2cb4712
                  • Instruction ID: c3e1066505d1e61603e54da65d9539ed5274b3f9e00b929ca818598be0710593
                  • Opcode Fuzzy Hash: 90c2df9e3e09c4017dc72984b363e28916c393486eeec5c43143dc23a2cb4712
                  • Instruction Fuzzy Hash: 7A90026560500502E550719954187060015ABD0245F51D021A0015554DC69D8A5976E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369710, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4b843e221c0c79b0dd79c068b8f4d36d745f82dbe3a5a3dcb6af09ad211a046f
                  • Instruction ID: 12d557ba676d12a3ce52ae5eb43d1100cb2a375c4e0f3adeb85952d4c46bbadf
                  • Opcode Fuzzy Hash: 4b843e221c0c79b0dd79c068b8f4d36d745f82dbe3a5a3dcb6af09ad211a046f
                  • Instruction Fuzzy Hash: 2E90027520100502E51065D954086460005ABE0345F51D021A5015555EC6A988957171
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0136A710, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 46e1b4226d21f10a22afa6f5e149ede03ae7f2f4fc9fc6b90f65f2fd82f15a08
                  • Instruction ID: 9ffce3d0352ab1668f5d9379e759347746cedadea8d86ad247539e177ad30383
                  • Opcode Fuzzy Hash: 46e1b4226d21f10a22afa6f5e149ede03ae7f2f4fc9fc6b90f65f2fd82f15a08
                  • Instruction Fuzzy Hash: BC90027530100152E910A6D95804A4A4105ABF0345B51D025A4005554CC59888656161
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 0136A770, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b985e62ca8438b85945104cab74d35aaad5dfe4349cb63659be685557fbf5e4f
                  • Instruction ID: ded84aa2eccff93a61eff1534f4dd31c527de33268e3b20edcd5e0bba974cbbd
                  • Opcode Fuzzy Hash: b985e62ca8438b85945104cab74d35aaad5dfe4349cb63659be685557fbf5e4f
                  • Instruction Fuzzy Hash: 6790027920504542E91065995804A870005ABD0349F51D421A041559CDC6988865B161
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369770, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cfd21d754e73d8d89e10c1a34e103f42fee712877011e1c3e64427b1693cf185
                  • Instruction ID: 23ce80b45e73a531ef5a93a8f97099aa328c70a596203cf67859065377b29c4e
                  • Opcode Fuzzy Hash: cfd21d754e73d8d89e10c1a34e103f42fee712877011e1c3e64427b1693cf185
                  • Instruction Fuzzy Hash: 7290026520504542E51065995408A060005ABD0249F51D021A1055595DC6798855B171
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369760, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9cd5d243da98fcea263f7e30175f339614452a7d66bccbb03d1bc23bfc109ba6
                  • Instruction ID: 1f6e3335f724b7073fddb7c1ecc619694718b67df0b6eb2b79e8399d33516cec
                  • Opcode Fuzzy Hash: 9cd5d243da98fcea263f7e30175f339614452a7d66bccbb03d1bc23bfc109ba6
                  • Instruction Fuzzy Hash: 7B90027520100503E510619955087070005ABD0245F51D421A0415558DD69A88557161
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013697A0, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8e7363928bd42f60de7a3b9da2c9ae20fe309d3236f62624876dd8c44656e5d8
                  • Instruction ID: 51e42c5f01cd623c6e64d623f35dab2967220a894d9c88f7488cb1f120115b07
                  • Opcode Fuzzy Hash: 8e7363928bd42f60de7a3b9da2c9ae20fe309d3236f62624876dd8c44656e5d8
                  • Instruction Fuzzy Hash: 1990026530100103E550719954186064005FBE1345F51D021E0405554CD959885A6262
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369780, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 92e1f1106bb50ba0a54bb37565f43394e717eaa54a1075f882030661b00ff61f
                  • Instruction ID: 3a5efd1b7e2dfaf0cf03dafec5187439f5cc6aff51bf2fb89744c85bd2c0122f
                  • Opcode Fuzzy Hash: 92e1f1106bb50ba0a54bb37565f43394e717eaa54a1075f882030661b00ff61f
                  • Instruction Fuzzy Hash: 8390026D21300102E5907199540860A0005ABD1246F91D425A0006558CC959886D6361
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369FE0, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 126fbda3762410983fa22a075b57f9e076f6e149664ff44f130770427977591c
                  • Instruction ID: 254a224768906a94addf92efcf9eb664cde8f5711d895ebfce3e9714aee0706e
                  • Opcode Fuzzy Hash: 126fbda3762410983fa22a075b57f9e076f6e149664ff44f130770427977591c
                  • Instruction Fuzzy Hash: 6490027531114502E520619984047060005ABD1245F51C421A0815558DC6D988957162
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369610, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0c557c70f72f18a9955e618dd55b8522c40fea85265e508e291e79b5932bb9be
                  • Instruction ID: a7ae232a02676eba2365912fa85cbb9d8dc8bffa9ca511b4d664bd0f8e65d2b7
                  • Opcode Fuzzy Hash: 0c557c70f72f18a9955e618dd55b8522c40fea85265e508e291e79b5932bb9be
                  • Instruction Fuzzy Hash: E290027560500902E560719944147460005ABD0345F51C021A0015654DC7998A5976E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369650, Relevance: .0, Instructions: 4COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4389995b856f92e9f6c9a1a7329160349ce844ea2bf1a33710aea0d1b6fb85d0
                  • Instruction ID: 21a0635eb0ab7dec49a5e717de26a51d7b55ec91bc1e5e2d05465d52c14a64db
                  • Opcode Fuzzy Hash: 4389995b856f92e9f6c9a1a7329160349ce844ea2bf1a33710aea0d1b6fb85d0
                  • Instruction Fuzzy Hash: E690027520504942E55071994404A460015ABD0349F51C021A0055694DD6698D59B6A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01369670, Relevance: .0, Instructions: 2COMMON
                  Download Yara Rule
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                  • Instruction ID: aad5a5d6ad080f3ef0e37e35b9eef4e185bcfe2eed58d0bec1943f94e2830fa1
                  • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                  • Instruction Fuzzy Hash:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013240FD, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195COMMON
                  Download Yara Rule
                  C-Code - Quality: 63%
                  			E013240FD(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x141d360 ^ _t107;
				_v8 =  *0x141d360 ^ _t107;
				_t105 = __ecx;
				if( *0x14184d4 == 0) {
					L5:
					return E0136B640(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E0133E9C0(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v552 = _t85;
					_t49 = E013242EB(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v552 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E013241EA(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v552 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v552);
							_push(0x22);
							_push(0xffffffff);
							_t45 = L013696C0();
						}
						goto L4;
					}
					_v556 = _t85;
					_t102 =  &_v556;
					_t55 = E0132429E(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v556 - _t85;
						if(_v556 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E013B5720(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v556);
						_v560 = 0x214;
						E0136FA60( &_v548, 0, 0x214);
						_t106 =  *0x14184d4;
						_t110 = _t108 + 0x20;
						 *0x141b1e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x14184d4))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E0136B75A();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E013B5720(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E01371480( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E013B5720(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v556 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E01371150(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E013B5720(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E013A3E13(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v556;
							} while (_t106 < _v556);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E013B5720();
						goto L15;
					}
					L8:
					_t56 = E013241F7(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v552;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}
































                  0x0132410d
                  0x0132410f
                  0x0132411c
                  0x0132411e
                  0x01324158
                  0x01324168
                  0x01324168
                  0x01324126
                  0x01324130
                  0x0132413c
                  0x013804a2
                  0x01324142
                  0x0132414b
                  0x0132414b
                  0x0132414f
                  0x0132416b
                  0x01324171
                  0x01324176
                  0x01324178
                  0x013241d0
                  0x013241d2
                  0x013241d3
                  0x013241a7
                  0x013241ae
                  0x013241b0
                  0x013241db
                  0x013241b2
                  0x013241b8
                  0x013241bf
                  0x013241c1
                  0x013241c1
                  0x013241c1
                  0x013241c3
                  0x013241c5
                  0x013241df
                  0x013241e2
                  0x013241e2
                  0x013241c7
                  0x013241c9
                  0x01380628
                  0x01380628
                  0x01380630
                  0x01380631
                  0x01380633
                  0x01380635
                  0x01380635
                  0x00000000
                  0x013241c9
                  0x0132417d
                  0x01324183
                  0x01324189
                  0x0132418e
                  0x01324190
                  0x013804a9
                  0x013804af
                  0x00000000
                  0x00000000
                  0x013804b5
                  0x013804c8
                  0x013804d5
                  0x013804e5
                  0x013804ea
                  0x013804f6
                  0x01380518
                  0x0138051e
                  0x01380520
                  0x01380522
                  0x00000000
                  0x00000000
                  0x01380528
                  0x0138052e
                  0x01380530
                  0x00000000
                  0x00000000
                  0x0138053b
                  0x0138053d
                  0x00000000
                  0x00000000
                  0x01380545
                  0x0138054c
                  0x0138054e
                  0x01380623
                  0x00000000
                  0x01380623
                  0x01380556
                  0x01380557
                  0x0138056f
                  0x01380574
                  0x01380583
                  0x0138058a
                  0x0138058b
                  0x0138058d
                  0x013805b5
                  0x013805c0
                  0x013805c6
                  0x013805c8
                  0x013805cb
                  0x013805cd
                  0x013805d3
                  0x013805d5
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x013805db
                  0x013805db
                  0x013805e3
                  0x013805e7
                  0x013805e9
                  0x013805eb
                  0x013805ed
                  0x013805ed
                  0x013805fa
                  0x013805ff
                  0x01380606
                  0x0138060b
                  0x0138060d
                  0x00000000
                  0x00000000
                  0x01380613
                  0x01380613
                  0x01380616
                  0x01380616
                  0x00000000
                  0x0138061e
                  0x0138058f
                  0x01380594
                  0x01380596
                  0x01380598
                  0x00000000
                  0x0138059d
                  0x01324196
                  0x01324198
                  0x0132419d
                  0x0132419f
                  0x00000000
                  0x00000000
                  0x013241a1
                  0x00000000
                  0x01324151
                  0x01324151
                  0x01324151
                  0x00000000
                  0x01324151

                  Strings
                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 013805AC
                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01380566
                  • Execute=1, xrefs: 0138057D
                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 0138058F
                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 013804BF
                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 013805F1
                  • ExecuteOptions, xrefs: 0138050A
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                  • API String ID: 0-484625025
                  • Opcode ID: d1e60ed49fa44732e770223f60c3a64e3944897fc39adba79cc425146015c86f
                  • Instruction ID: 0a204d7d59bee0b41d8348710e2d3cce306ca1441e5fbc76ef656298c02e1525
                  • Opcode Fuzzy Hash: d1e60ed49fa44732e770223f60c3a64e3944897fc39adba79cc425146015c86f
                  • Instruction Fuzzy Hash: C8612B31B0022DBAEF21BB59DC95FE977ACEF2471CF140199E605A7181EB70AE458F60
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013277A0, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99COMMON
                  Download Yara Rule
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01382953
                  Strings
                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 0138295B
                  • RTL: Re-Waiting, xrefs: 01382988
                  • RTL: Resource at %p, xrefs: 0138296B
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                  • API String ID: 885266447-605551621
                  • Opcode ID: 28bf869a606cf017b44c9785098b8254c7251df03e267d057227ea5e54744ea3
                  • Instruction ID: 3aea8818a34221e44c072ac911716acfa6ef3e3a4148dbffee5303073f01d665
                  • Opcode Fuzzy Hash: 28bf869a606cf017b44c9785098b8254c7251df03e267d057227ea5e54744ea3
                  • Instruction Fuzzy Hash: A5313B31A00736ABDB226B19CC81F677B68EF11B6CF100219EE556B685D721B821C7E1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 01361CC7, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 193COMMON
                  Download Yara Rule
                  Strings
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID:
                  • String ID: $$@
                  • API String ID: 0-1194432280
                  • Opcode ID: 0ea0904455e9817341f21525478fa10b7930de6bc814962f8844a2e0b9dc1de3
                  • Instruction ID: 7e235da81ce8504dac15373bff0c86f8f149465aa41487944d1ae373f212ea7c
                  • Opcode Fuzzy Hash: 0ea0904455e9817341f21525478fa10b7930de6bc814962f8844a2e0b9dc1de3
                  • Instruction Fuzzy Hash: 86812E71D002699BDB31DF98CC45BEEB6B8AF49718F0041EAAA0DB7250D7705E85CFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Function 013BFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                  Download Yara Rule
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 013BFDFA
                  Strings
                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 013BFE01
                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 013BFE2B
                  Memory Dump Source
                  • Source File: 00000003.00000002.339176685.0000000001300000.00000040.00000001.sdmp, Offset: 01300000, based on PE: true
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                  • API String ID: 885266447-3903918235
                  • Opcode ID: 4ac7ec51b7d39c6b1dbf5e0b4a02cf39caa4262e9bc648cec59abf025841c7ef
                  • Instruction ID: 3bddb46262b8978283c8578ad7dd70fb3d74ee5bf9af5767888649226b9bb430
                  • Opcode Fuzzy Hash: 4ac7ec51b7d39c6b1dbf5e0b4a02cf39caa4262e9bc648cec59abf025841c7ef
                  • Instruction Fuzzy Hash: 70F0C232600201BBEA251A49DC42E63BB6EEB45B34F244214F728569D1EA62F83086A4
                  Uniqueness

                  Uniqueness Score: -1.00%